Backport: Multiple doc changes into 5.4 (#4073)
* Add workaround for Heartbeat install issue

* Clarify docs around setting the index and @metadata fields

* Add step to change file ownership on mac

* Update yaml tips

* Clarify module quick start steps

* Remove yellow box redirecting users to master for dev docs

* Edit config reload topics

* Edit config info about dashboard loading

* Update curl examples to include content-type

* Fix structure of module topics

* add  kafkabeat (#4017)

* add  kafkabeat

kafkabeat read data from kafka

* Update communitybeats.asciidoc
dedemorton authored and monicasarbu committed Apr 21, 2017
1 parent 38f6f31 commit 5b06c2a
Showing 47 changed files with 471 additions and 310 deletions.
152 changes: 22 additions & 130 deletions filebeat/docs/getting-started.asciidoc
Expand Up @@ -11,127 +11,16 @@ See {libbeat}/getting-started.html[Getting Started with Beats and the Elastic St

After installing the Elastic Stack, read the following topics to learn how to install, configure, and run Filebeat:

* <<filebeat-modules-quickstart>>
* <<filebeat-installation>>
* <<filebeat-configuration>>
* <<config-filebeat-logstash>>
* <<filebeat-template>>
* <<filebeat-starting>>
* <<filebeat-index-pattern>>
* <<filebeat-modules-quickstart>>
* <<filebeat-command-line>>
* <<directory-layout>>

[[filebeat-modules-quickstart]]
=== Quick Start for Common Log Formats

beta[]

Filebeat provides a set of pre-built modules that you can use to rapidly
implement and deploy a log monitoring solution, complete with sample dashboards
and data visualizations, in about 5 minutes. These modules support common log
formats, such as Nginx, Apache2, and MySQL, and can be run by issuing a simple
command.

This topic shows you how to run the basic modules out of the box without extra
configuration. For detailed documentation and the full list of available
modules, see <<filebeat-modules>>.

Skip this topic and go to <<filebeat-installation>> if you are using a log file
type that isn't supported by one of the available Filebeat modules.

==== Prerequisites

Before running Filebeat with modules enabled, you need to:

* Install and configure the Elastic stack. See
{libbeat}/getting-started.html[Getting Started with Beats and the Elastic Stack].

* Complete the Filebeat installation instructions described in
<<filebeat-installation>>. After installing Filebeat, return to this
quick start page.

* Install the Ingest Node GeoIP and User Agent plugins, which you can do by
running the following commands in the Elasticsearch home path:
+
[source,shell]
----------------------------------------------------------------------
sudo bin/elasticsearch-plugin install ingest-geoip
sudo bin/elasticsearch-plugin install ingest-user-agent
----------------------------------------------------------------------
+
You need to restart Elasticsearch after running these commands.

* Verify that Elasticsearch and Kibana are running and that Elasticsearch is
ready to receive data from Filebeat.

//TODO: Follow up to find out whether ingest-geoip and ingest-user-agent will be bundled with ES. If so, remove the last prepreq.

[[running-modules-quickstart]]
==== Running Filebeat with Modules Enabled

To run one or more Filebeat modules, you issue the following command:

[source,shell]
----------------------------------------------------------------------
filebeat -e -modules=MODULES -setup
----------------------------------------------------------------------

Where `MODULES` is the name of the module (or a comma-separated list of
modules) that you want to enable. The `-e` flag is optional and sends output
to standard error instead of syslog. The `-setup` flag is a one-time setup step.
For subsequent runs of Filebeat, do not specify this flag.

For example, to start Filebeat with the `system` module enabled and load the
sample Kibana dashboards, run:

[source,shell]
----------------------------------------------------------------------
filebeat -e -modules=system -setup
----------------------------------------------------------------------

This command takes care of configuring Filebeat, loading the recommended index
template for writing to Elasticsearch, and deploying the sample dashboards
for visualizing the data in Kibana.

To start Filebeat with the `system`, `nginx`, and `mysql` modules enabled
and load the sample dashboards, run:

[source,shell]
----------------------------------------------------------------------
filebeat -e -modules=system,nginx,mysql -setup
----------------------------------------------------------------------

To start Filebeat with the `system` module enabled (it's assumed that
you've already loaded the sample dashboards), run:

[source,shell]
----------------------------------------------------------------------
filebeat -e -modules=system
----------------------------------------------------------------------

TIP: In a production environment, you'll probably want to use a configuration
file, rather than command-line flags, to specify which modules to run. See the
detailed documentation for more about configuring and running modules.

These examples assume that the logs you're harvesting are in the location
expected for your OS and that the default behavior of Filebeat is appropriate
for your environment. Each module provides a set of variables that you can set
to fine tune the behavior of Filebeat, including the location where it looks
for log files. See <<filebeat-modules>> for more info.

[[visualizing-data]]
==== Visualizing the Data in Kibana

After you've confirmed that Filebeat is sending events to Elasticsearch, launch
the Kibana web interface by pointing your browser to port 5601. For example,
http://127.0.0.1:5601[http://127.0.0.1:5601].

Open the dashboard and explore the visualizations for your parsed logs.

Here's an example of the syslog dashboard:

image:./images/kibana-system.png[Sylog dashboard]

[[filebeat-installation]]
=== Step 1: Installing Filebeat
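
Review bot: Listing `<<filebeat-modules-quickstart>>` seventh in the topic list, between `<<filebeat-index-pattern>>` and `<<filebeat-command-line>>`, makes it read like something you do after Steps 1 to 6, although the quick start is an alternative to the manual steps. Consider introducing it in its own sentence above the list, or keeping it as the first entry. The section removed here also carried a `//TODO` about whether ingest-geoip and ingest-user-agent will be bundled with Elasticsearch, and the new modules-getting-started.asciidoc does not have it; if the question is still open, track it somewhere so it is not lost in the move.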

Expand Down Expand Up @@ -239,26 +128,21 @@ NOTE: If script execution is disabled on your system, you need to set the execut

endif::[]

If you're using modules to get started with Filebeat, go back to the
<<filebeat-modules-quickstart>> page.

Otherwise, continue on to <<filebeat-configuration>>.

Before starting Filebeat, you should look at the configuration options in the configuration
file, for example `C:\Program Files\Filebeat\filebeat.yml` or `/etc/filebeat/filebeat.yml`. For more information about these options,
see <<filebeat-configuration-details>>.

[[filebeat-configuration]]
=== Step 2: Configuring Filebeat

TIP: <<filebeat-modules-overview,Filebeat modules>> provide the fastest getting
started experience for common log formats. See <<filebeat-modules-quickstart>> to
learn how to get started with modules.

To configure Filebeat, you edit the configuration file. For rpm and deb, you'll
find the configuration file at `/etc/filebeat/filebeat.yml`. For mac and win, look in
the archive that you just extracted. There’s also a full example configuration file
called `filebeat.full.yml` that shows all non-deprecated options.
started experience for common log formats. See <<filebeat-modules-quickstart>>
to learn how to get started with modules. If you use Filebeat modules to get
started, you can skip the content in this section, including the remaining
getting started steps, and go directly to the <<filebeat-modules-quickstart>>
page.

To configure Filebeat manually, you edit the configuration file. For rpm and deb,
you'll find the configuration file at `/etc/filebeat/filebeat.yml`. For mac and
win, look in the archive that you just extracted. There’s also a full example
configuration file called `filebeat.full.yml` that shows all non-deprecated
options.

See the
{libbeat}/config-file-format.html[Config File Format] section of the
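
Review bot: The rewritten TIP in Step 2 links `<<filebeat-modules-quickstart>>` twice, once in "See ... to learn how to get started with modules" and again in "go directly to the ... page"; fold the two sentences into one with a single link. Because the "go back to the quick start" paragraph is removed from the end of Step 1, this TIP is now the only pointer for module users on this page, so it is worth stating here that Step 1 (installation) is still required before skipping ahead, which matches the prerequisite listed in the quick start.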
Expand Down Expand Up @@ -315,7 +199,10 @@ options specified: +./filebeat -configtest -e+. Make sure your config files are
in the path expected by Filebeat (see <<directory-layout>>). If you
installed from DEB or RPM packages, run +./filebeat.sh -configtest -e+.

See <<filebeat-configuration-details>> for more details about each configuration option.
Before starting Filebeat, you should look at the configuration options in the
configuration file, for example `C:\Program Files\Filebeat\filebeat.yml` or
`/etc/filebeat/filebeat.yml`. For more information about these options,
see <<filebeat-configuration-details>>.

[[config-filebeat-logstash]]
=== Step 3: Configuring Filebeat to Use Logstash
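
Review bot: The "Before starting Filebeat, you should look at the configuration options in the configuration file" paragraph now closes Step 2, after the `-configtest` instructions, so the advice to look at the options arrives after the reader has already been told to test the file. Either move it up to where Step 2 first names `/etc/filebeat/filebeat.yml`, or keep the shorter "See <<filebeat-configuration-details>> for more details about each configuration option." that it replaces.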
Expand All @@ -332,7 +219,7 @@ include::../../libbeat/docs/shared-template-load.asciidoc[]
[[filebeat-starting]]
=== Step 5: Starting Filebeat

Start Filebeat by issuing the appropriate command for your platform.
Start Filebeat by issuing the appropriate command for your platform.

NOTE: If you use an init.d script to start Filebeat on deb or rpm, you can't
specify command line flags (see <<filebeat-command-line>>). To specify flags,
Expand All @@ -356,8 +243,13 @@ sudo /etc/init.d/filebeat start

[source,shell]
----------------------------------------------------------------------
sudo chown root filebeat.yml <1>
sudo ./filebeat -e -c filebeat.yml -d "publish"
----------------------------------------------------------------------
<1> You'll be running Filebeat as root, so you need to change ownership
of the configuration file (see
{libbeat}config-file-permissions.html[Config File Ownership and Permissions]
in the _Beats Platform Reference_).

*win:*
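
Review bot: In callout <1>, the link target `{libbeat}config-file-permissions.html` has no `/` after `{libbeat}`, unlike `{libbeat}/getting-started.html` earlier in this file and `{libbeat}/config-file-permissions.html` in modules-getting-started.asciidoc, so the generated URL will likely not resolve. Also, `sudo chown root filebeat.yml` only changes the owner; since the linked topic covers both ownership and permissions, the callout could say in a few words that the file's permissions matter as well.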

4 changes: 4 additions & 0 deletions filebeat/docs/index.asciidoc
Expand Up @@ -7,6 +7,7 @@ include::../../libbeat/docs/version.asciidoc[]
:metricbeat: http://www.elastic.co/guide/en/beats/metricbeat/{doc-branch}
:filebeat: http://www.elastic.co/guide/en/beats/filebeat/{doc-branch}
:winlogbeat: http://www.elastic.co/guide/en/beats/winlogbeat/{doc-branch}
:logstashdoc: https://www.elastic.co/guide/en/logstash/{doc-branch}
:elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/{doc-branch}
:elasticsearch-plugins: https://www.elastic.co/guide/en/elasticsearch/plugins/{doc-branch}
:securitydoc: https://www.elastic.co/guide/en/x-pack/5.2
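
Review bot: `:securitydoc:` at the end of this attribute block is pinned to `x-pack/5.2` while `:logstashdoc:` and its neighbours follow `{doc-branch}`; for a backport into 5.4 that pin is worth checking while the block is being touched. The block also mixes `http://` (metricbeat, filebeat, winlogbeat) and `https://` (logstashdoc, elasticsearch, elasticsearch-plugins) base URLs; use `https://` throughout so doc links are not served over plain HTTP.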
Expand All @@ -19,6 +20,8 @@ include::./overview.asciidoc[]

include::./getting-started.asciidoc[]

include::./modules-getting-started.asciidoc[]

include::./command-line.asciidoc[]

include::../../libbeat/docs/shared-directory-layout.asciidoc[]
Expand All @@ -43,6 +46,7 @@ include::./multiple-prospectors.asciidoc[]

include::./load-balancing.asciidoc[]

:standalone:
:allplatforms:
include::../../libbeat/docs/yaml.asciidoc[]
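
Review bot: `:standalone:` and `:allplatforms:` are set immediately before the shared `yaml.asciidoc` include and nothing in the visible lines unsets them. AsciiDoc attributes stay defined for the rest of the document, so any later include that tests them with `ifdef` will see them too. If they are meant only for this topic, add `:standalone!:` and `:allplatforms!:` after the include.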

119 changes: 119 additions & 0 deletions filebeat/docs/modules-getting-started.asciidoc
@@ -0,0 +1,119 @@
[[filebeat-modules-quickstart]]
=== Quick Start for Common Log Formats

beta[]

Filebeat provides a set of pre-built modules that you can use to rapidly
implement and deploy a log monitoring solution, complete with sample dashboards
and data visualizations, in about 5 minutes. These modules support common log
formats, such as Nginx, Apache2, and MySQL, and can be run by issuing a simple
command.

This topic shows you how to run the basic modules out of the box without extra
configuration. For detailed documentation and the full list of available
modules, see <<filebeat-modules>>.

If you are using a log file type that isn't supported by one of the available
Filebeat modules, you'll need to set up and configure Filebeat manually by
following the numbered steps under <<filebeat-getting-started>>.

==== Prerequisites

Before running Filebeat with modules enabled, you need to:

* Install and configure the Elastic stack. See
{libbeat}/getting-started.html[Getting Started with Beats and the Elastic Stack].

* Complete the Filebeat installation instructions described in
<<filebeat-installation>>. After installing Filebeat, return to this
quick start page.

* Install the Ingest Node GeoIP and User Agent plugins. These plugins are
required to capture the geographical location and browser information used by
some of the visualizations available in the sample dashboards. You can install
these plugins by running the following commands in the Elasticsearch home path:
+
[source,shell]
----------------------------------------------------------------------
sudo bin/elasticsearch-plugin install ingest-geoip
sudo bin/elasticsearch-plugin install ingest-user-agent
----------------------------------------------------------------------
+
You need to restart Elasticsearch after running these commands.

* Verify that Elasticsearch and Kibana are running and that Elasticsearch is
ready to receive data from Filebeat.

[[running-modules-quickstart]]
==== Running Filebeat with Modules Enabled

To run one or more Filebeat modules, you issue the following command:

[source,shell]
----------------------------------------------------------------------
./filebeat -e -modules=MODULES -setup
----------------------------------------------------------------------

Where `MODULES` is the name of the module (or a comma-separated list of
modules) that you want to enable. The `-e` flag is optional and sends output
to standard error instead of syslog. The `-setup` flag is a one-time setup step.
For subsequent runs of Filebeat, do not specify this flag.

The following example starts Filebeat with the `system` module enabled and
loads the sample Kibana dashboards:

[source,shell]
----------------------------------------------------------------------
./filebeat -e -modules=system -setup
----------------------------------------------------------------------

This command takes care of configuring Filebeat, loading the recommended index
template for writing to Elasticsearch, and deploying the sample dashboards
for visualizing the data in Kibana.

NOTE: Depending on how you've installed Filebeat, you might see errors
related to file ownership or permissions when you try to run Filebeat modules.
See {libbeat}/config-file-permissions.html[Config File Ownership and Permissions]
in the _Beats Platform Reference_ if you encounter errors related to file
ownership or permissions.

include::system-module-note.asciidoc[]

To start Filebeat with the `system`, `nginx`, and `mysql` modules enabled
and load the sample dashboards, run:

[source,shell]
----------------------------------------------------------------------
./filebeat -e -modules=system,nginx,mysql -setup
----------------------------------------------------------------------

To start Filebeat with the `system` module enabled (it's assumed that
you've already loaded the sample dashboards), run:

[source,shell]
----------------------------------------------------------------------
./filebeat -e -modules=system
----------------------------------------------------------------------

TIP: In a production environment, you'll probably want to use a configuration
file, rather than command-line flags, to specify which modules to run. See the
detailed documentation for more about configuring and running modules.

These examples assume that the logs you're harvesting are in the location
expected for your OS and that the default behavior of Filebeat is appropriate
for your environment. Each module provides a set of variables that you can set
to fine tune the behavior of Filebeat, including the location where it looks
for log files. See <<filebeat-modules>> for more info.

[[visualizing-data]]
==== Visualizing the Data in Kibana

After you've confirmed that Filebeat is sending events to Elasticsearch, launch
the Kibana web interface by pointing your browser to port 5601. For example,
http://127.0.0.1:5601[http://127.0.0.1:5601].

Open the dashboard and explore the visualizations for your parsed logs.

Here's an example of the syslog dashboard:

image:./images/kibana-system.png[Sylog dashboard]
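
Review bot: `./filebeat -e -modules=MODULES -setup` and the examples after it only work from the directory that holds the binary, and getting-started.asciidoc already notes a different invocation for DEB and RPM installs; say which install types these examples assume or add the package variant. Two smaller points: the NOTE before `include::system-module-note.asciidoc[]` says "errors related to file ownership or permissions" twice and can be cut to one sentence, and the image alt text `Sylog dashboard` should read `Syslog dashboard`.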