Multiple filebeat configurations

Hello,
I configured sidecar with one configuration, “filebeat on linux”, for standard Linux log files.
This config is used by every linux server.

Now I want to add, for example, a special Squid proxy log file configuration. If I clone the “filebeat on linux” config and rename it, it doesn't work when I put the “squid” configuration in there. I get a “Failing” error.

What is the solution?

@neophilipp You can share your sidecar logs so we can check the cause of the Filebeat failure.

@neophilipp You can check for conflicts between your old filebeat and the new filebeat that you copied, because one of the errors shows that the data path was already locked by the old filebeat, and I think the port requested for the new filebeat is also the same, hence it is unable to start.

Hope this helps you! :slight_smile:

You could have separate sections in a single sidecar configuration to handle log files differently. For instance, here is my sidecar configuration for our Exchange servers that handles three different log file areas (yes, it’s Windows, but it translates to Linux easily :slight_smile:):

```yaml
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
  hosts:
    - ${user.BeatsInput}
  ssl:
    # 'none' skips certificate verification of the Beats input
    verification_mode: none
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows, exchange, filebeat, OWA, e-mail, rpc, activesync
filebeat:
  inputs:
##### find owa logon and logoff but not when the HealthMailbox does it.
    - type: log
      enabled: true
      include_lines: ['auth.owa', 'logoff.owa', 'ClientDisconnect']
      exclude_lines: ['HealthMailbox','^#']
      fields:
        unique_log_tag: OWA
      ignore_older: 72h
      paths:
        - C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa\*.LOG
#
##### find RPC/HTTP logins but still not the HealthMailbox and not internal
    - type: log
      enabled: true
      include_lines: ['Exchange.asmx']
      exclude_lines: ['HealthMailbox','^#','^DateTime','AnchorMailboxHeader-SMTP','192\.168\.[0-9]+\.[0-9]+']
      fields:
        unique_log_tag: rpc_http
      ignore_older: 72h
      paths:
        - C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Ews\*.LOG
#
##### find Activesync logins but still not the HealthMailbox
    - type: log
      enabled: true
      include_lines: ['NewConnection=']
      exclude_lines: ['localhost','^#','^DateTime',',OPTIONS,']
      fields:
        unique_log_tag: activesync
      ignore_older: 72h
      paths:
        - C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Eas\*.LOG
```
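The same single-configuration layout carried over to the Linux and Squid case from the question, as an added example that is not part of the thread. The log paths, the `path` directories, the `unique_log_tag` values and the CA file location are assumptions to adjust per host; `${user.BeatsInput}` is the user variable from the configuration above.

```yaml
# Added example: one Sidecar Filebeat configuration with two inputs,
# so only one Filebeat process and one data directory exist per host.
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  hosts:
    - ${user.BeatsInput}
  # Assumes the Beats input has TLS enabled: verify its certificate
  # rather than setting verification_mode: none.
  ssl:
    verification_mode: full
    certificate_authorities: ["/etc/graylog/sidecar/ca.pem"]  # assumed path

path:
  # A Filebeat process locks its data directory. If a second Filebeat
  # configuration is run on the same host, give it a different directory
  # here to avoid the "data path already locked" failure.
  data: /var/lib/graylog-sidecar/collectors/filebeat/data   # assumed path
  logs: /var/lib/graylog-sidecar/collectors/filebeat/log    # assumed path

filebeat:
  inputs:
    ##### standard Linux log files
    - type: log
      enabled: true
      fields:
        unique_log_tag: linux_syslog   # assumed tag name
      ignore_older: 72h
      paths:
        - /var/log/*.log

    ##### Squid proxy access log (assumed default location)
    - type: log
      enabled: true
      exclude_lines: ['^#']
      fields:
        unique_log_tag: squid_access   # assumed tag name
      ignore_older: 72h
      paths:
        - /var/log/squid/access.log
```

On hosts without Squid the second input simply matches no files, so the one configuration can stay assigned to every Linux server.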
