Skip to main content

Configuration Examples


Linux Host β€” System + Auditd + Custom App Log​

Standard Linux host collection: authentication, syslog, audit events, and a custom application log with multiline support.

filebeat.modules:
- module: system
auth:
enabled: true
var.paths: ["/var/log/secure*"] # RHEL/CentOS β€” change to /var/log/auth.log* for Debian/Ubuntu
syslog:
enabled: true
var.paths: ["/var/log/messages*"] # RHEL/CentOS β€” change to /var/log/syslog* for Debian/Ubuntu

- module: auditd
log:
enabled: true
var.paths: ["/var/log/audit/audit.log*"]

filebeat.inputs:
- type: log
paths:
- /opt/application/logs/*.log
ignore_older: 168h
tags: [custom-app]
fields:
log_source: application_server
multiline:
type: pattern
pattern: '^\d{4}-\d{2}-\d{2}' # New event starts with YYYY-MM-DD timestamp
negate: true
match: after

output.logstash:
hosts: ["<DIP_EXTERNAL_IP>:5045"]
ssl.enabled: true
ssl.verification_mode: "none"

processors:
- add_host_metadata: ~

logging.to_files: true
logging.files:
path: /var/log/filebeat
name: filebeat
logging.level: info

Apache / HTTPD Web Server (Linux β€” RHEL)​

Collecting access and error logs from a Red Hat Apache/HTTPD web server, as originally documented in the 262COS/DOK Filebeat config.

filebeat.modules:
- module: apache
access:
enabled: true
var.paths:
- /var/log/httpd/access_log*
- /var/log/httpd/ssl_access_log*
error:
enabled: false
var.paths: ["/var/log/httpd/error_log*"]

output.logstash:
hosts: ["<DIP_EXTERNAL_IP>:5045"]
ssl.enabled: true
ssl.verification_mode: "none"

processors:
- add_host_metadata: ~

Syslog Listener β€” Network Device Log Collection​

Receiving syslog from network infrastructure (firewalls, switches, routers) that forward logs to the Filebeat host.

filebeat.inputs:
- type: udp
host: "0.0.0.0:514"
max_message_size: 64KiB
tags: [syslog, network-device]

- type: tcp
host: "0.0.0.0:1514"
max_message_size: 64KiB
tags: [syslog, network-device]

output.logstash:
hosts: ["<DIP_EXTERNAL_IP>:5045"]
ssl.enabled: true
ssl.verification_mode: "none"

processors:
- add_host_metadata: ~
Firewall Rules

Ensure the host firewall allows inbound traffic on the listening ports:

# RHEL/CentOS (firewalld)
firewall-cmd --permanent --add-port=514/udp
firewall-cmd --permanent --add-port=1514/tcp
firewall-cmd --reload

DIP Stack Diagnostics β€” Logstash + Elasticsearch + Kibana Logs​

For troubleshooting pipeline issues on the DIP itself.

filebeat.modules:
- module: logstash
log:
enabled: true
var.paths: ["/var/log/logstash/logstash-plain.log*"]
slowlog:
enabled: false

- module: elasticsearch
server:
enabled: true
var.paths: ["/var/log/elasticsearch/*.log"]
gc:
enabled: false
audit:
enabled: false
slowlog:
enabled: false

- module: kibana
log:
enabled: true
var.paths: ["/var/log/kibana/kibana.log*"]

output.logstash:
hosts: ["<DIP_EXTERNAL_IP>:5045"]
ssl.enabled: true
ssl.verification_mode: "none"

processors:
- add_host_metadata: ~