Configuration Examples
Linux Host β System + Auditd + Custom App Logβ
Standard Linux host collection: authentication, syslog, audit events, and a custom application log with multiline support.
filebeat.modules:
- module: system
auth:
enabled: true
var.paths: ["/var/log/secure*"] # RHEL/CentOS β change to /var/log/auth.log* for Debian/Ubuntu
syslog:
enabled: true
var.paths: ["/var/log/messages*"] # RHEL/CentOS β change to /var/log/syslog* for Debian/Ubuntu
- module: auditd
log:
enabled: true
var.paths: ["/var/log/audit/audit.log*"]
filebeat.inputs:
- type: log
paths:
- /opt/application/logs/*.log
ignore_older: 168h
tags: [custom-app]
fields:
log_source: application_server
multiline:
type: pattern
pattern: '^\d{4}-\d{2}-\d{2}' # New event starts with YYYY-MM-DD timestamp
negate: true
match: after
output.logstash:
hosts: ["<DIP_EXTERNAL_IP>:5045"]
ssl.enabled: true
ssl.verification_mode: "none"
processors:
- add_host_metadata: ~
logging.to_files: true
logging.files:
path: /var/log/filebeat
name: filebeat
logging.level: info
Apache / HTTPD Web Server (Linux β RHEL)β
Collecting access and error logs from a Red Hat Apache/HTTPD web server, as originally documented in the 262COS/DOK Filebeat config.
filebeat.modules:
- module: apache
access:
enabled: true
var.paths:
- /var/log/httpd/access_log*
- /var/log/httpd/ssl_access_log*
error:
enabled: false
var.paths: ["/var/log/httpd/error_log*"]
output.logstash:
hosts: ["<DIP_EXTERNAL_IP>:5045"]
ssl.enabled: true
ssl.verification_mode: "none"
processors:
- add_host_metadata: ~
Syslog Listener β Network Device Log Collectionβ
Receiving syslog from network infrastructure (firewalls, switches, routers) that forward logs to the Filebeat host.
filebeat.inputs:
- type: udp
host: "0.0.0.0:514"
max_message_size: 64KiB
tags: [syslog, network-device]
- type: tcp
host: "0.0.0.0:1514"
max_message_size: 64KiB
tags: [syslog, network-device]
output.logstash:
hosts: ["<DIP_EXTERNAL_IP>:5045"]
ssl.enabled: true
ssl.verification_mode: "none"
processors:
- add_host_metadata: ~
Firewall Rules
Ensure the host firewall allows inbound traffic on the listening ports:
# RHEL/CentOS (firewalld)
firewall-cmd --permanent --add-port=514/udp
firewall-cmd --permanent --add-port=1514/tcp
firewall-cmd --reload
DIP Stack Diagnostics β Logstash + Elasticsearch + Kibana Logsβ
For troubleshooting pipeline issues on the DIP itself.
filebeat.modules:
- module: logstash
log:
enabled: true
var.paths: ["/var/log/logstash/logstash-plain.log*"]
slowlog:
enabled: false
- module: elasticsearch
server:
enabled: true
var.paths: ["/var/log/elasticsearch/*.log"]
gc:
enabled: false
audit:
enabled: false
slowlog:
enabled: false
- module: kibana
log:
enabled: true
var.paths: ["/var/log/kibana/kibana.log*"]
output.logstash:
hosts: ["<DIP_EXTERNAL_IP>:5045"]
ssl.enabled: true
ssl.verification_mode: "none"
processors:
- add_host_metadata: ~