34 logstash with filebeat integration
1. Install Filebeat on the Linux Machine
# Download the deb package from the official Elastic site
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-9.1.5-amd64.deb
# Install the package
sudo dpkg -i filebeat-9.1.5-amd64.deb
2. Prepare Nginx Logs (Dummy Logs)
Install Nginx:
sudo apt update
sudo apt install nginx -y
Check if the service is running:
sudo systemctl status nginx
Expected result: active (running)
Test the default page:
curl http://localhost
You should see the default Nginx HTML page content.
Log file locations:
/var/log/nginx/access.log
/var/log/nginx/error.log
To monitor logs in real time:
sudo tail -f /var/log/nginx/access.log
3. Configure Filebeat to Send Logs to Logstash
Open Filebeat configuration:
sudo nano /etc/filebeat/filebeat.yml
(A) Input Configuration:
filebeat.inputs:
  - type: filestream
    id: nginx-access-logs
    enabled: true
    paths:
      - /var/log/nginx/access.log
      - /var/log/nginx/error.log
    ignore_older: 0
    close_inactive: 0
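Note: Enabling the Nginx module automatically activates input collection, so you can later comment out this section to avoid duplicate data.
(B) Logstash Output Configuration:
# Filebeat allows only one active output: comment out the default
# output.elasticsearch section and uncomment output.logstash.
output.logstash:
  hosts: ["192.168.1.16:5045"]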
(C) Enable Nginx and System Modules:
filebeat version
sudo filebeat modules list
sudo filebeat modules enable nginx
(D) Configure the Nginx Module:
Open the module configuration:
sudo nano /etc/filebeat/modules.d/nginx.yml
Ensure the following settings:
- module: nginx
  access:
    enabled: true
    var.paths: ["/var/log/nginx/access.log"]
  error:
    enabled: true
    var.paths: ["/var/log/nginx/error.log"]
Note: After enabling the module, comment out the filebeat.inputs section in filebeat.yml to prevent duplicate data:
# filebeat.inputs:
#   - type: filestream
#     enabled: true
#     paths:
#       - /var/log/nginx/access.log
#       - /var/log/nginx/error.log
4. Configure Logstash to Receive Filebeat Data
Open the pipeline configuration:
sudo nano /etc/logstash/conf.d/nginx-pipeline.conf
Add the following configuration:
input {
  beats {
    port => 5045
    tags => ["nginx"]
  }
}
output {
  elasticsearch {
    hosts => ["https://192.168.1.16:9200"]
    index => "nginx-logs-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "3lSq=GCEWU1ygpW_cEkl"
    ssl_enabled => true
    ssl_verification_mode => "none"
  }
}
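The output block above embeds the elastic superuser password in the pipeline file and sets ssl_verification_mode to "none", so Logstash accepts any certificate presented on that address. A hardened variant of the same pipeline, as an added example that is not part of the original walkthrough; the user name logstash_nginx_writer, the keystore key ES_PWD and the CA file path are assumptions:

```conf
# Added example, not the original author's configuration.
# Assumptions:
#   - ES_PWD was stored in the Logstash keystore beforehand, e.g.
#       sudo /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add ES_PWD
#   - The Elasticsearch HTTP CA certificate was copied to the path below
#     and is readable by the logstash user.
#   - The Elasticsearch certificate lists 192.168.1.16 as a subject
#     alternative name; otherwise "full" verification rejects it.
input {
  beats {
    port => 5045
    tags => ["nginx"]
  }
}

output {
  elasticsearch {
    hosts => ["https://192.168.1.16:9200"]
    index => "nginx-logs-%{+YYYY.MM.dd}"
    # Hypothetical dedicated user whose role may only write nginx-logs-*
    # indices, used instead of the built-in "elastic" superuser.
    user => "logstash_nginx_writer"
    # Resolved from the Logstash keystore at startup, so no secret is
    # stored in the pipeline file or in backups of /etc/logstash.
    password => "${ES_PWD}"
    ssl_enabled => true
    # Validate the certificate chain and the host name against the cluster CA.
    ssl_verification_mode => "full"
    ssl_certificate_authorities => ["/etc/logstash/certs/http_ca.crt"]
  }
}
```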
5. Test the Logstash Configuration
Verify configuration correctness:
sudo -u logstash /usr/share/logstash/bin/logstash --config.test_and_exit -f /etc/logstash/conf.d/nginx-pipeline.conf
Expected result: Configuration OK
6. Send Logs from Filebeat to Logstash
Ensure Logstash is running:
sudo systemctl status logstash
Expected result: active (running)
Enable and start Filebeat:
sudo systemctl enable filebeat
sudo systemctl start filebeat
Check Filebeat output:
sudo journalctl -u filebeat -f
You should see:
Connected to logstash host: 192.168.1.16:5045
Successfully published events
To generate a large number of logs for testing:
for i in {1..10000}; do curl -s http://localhost/ > /dev/null; done
Check Logstash logs:
sudo tail -f /var/log/logstash/logstash-plain.log
Expected line:
[INFO ] Successfully processed events
7. Verify in Elasticsearch
curl -k -u elastic:3lSq=GCEWU1ygpW_cEkl -X GET "https://localhost:9200/_cat/indices?v"
Expected output:
open nginx-logs-2025.10.19 ...
8. View Data in Kibana
Open Kibana → Discover → Create Data View
Enter:
nginx-logs*
You should now see live log data, confirming that the entire setup is working perfectly:
- Filebeat reads logs from /var/log/nginx/access.log
- Logstash receives and processes the data
- Elasticsearch stores it in a dedicated index
- Kibana displays the results
Final Result
The pipeline was successfully implemented: Filebeat → Logstash → Elasticsearch → Kibana
Linux/Nginx log collection is now running efficiently.