Set up Filebeat 8.15 to collect and ship logs from multiple sources to Elasticsearch. Configure SSL/TLS security, performance optimization, and monitoring for production-grade log aggregation.
Prerequisites
- Root or sudo access
- Elasticsearch cluster running
- Basic understanding of log management
- Network connectivity to Elasticsearch nodes
What this solves
Filebeat ships log data from your servers to Elasticsearch efficiently and reliably. It handles log parsing, multiline events, backpressure, and automatic retries while using minimal system resources. This setup gives you centralized logging with built-in security and monitoring capabilities.
Step-by-step installation
Add Elastic repository and GPG key
Install the official Elastic repository to get Filebeat 8.15 and security updates.
```bash
curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt update
```
Install Filebeat 8.15
Install Filebeat from the official repository to get the latest stable version.
```bash
sudo apt install -y filebeat=8.15.*
```
Configure basic Filebeat settings
Set up the main configuration file with your Elasticsearch connection details and basic logging paths.
```yaml
# Basic Filebeat configuration (/etc/filebeat/filebeat.yml)
filebeat.inputs:
  # The log input is deprecated in 8.x in favour of filestream but still works in 8.15
  - type: log
    enabled: true
    paths:
      - /var/log/*.log
      - /var/log/syslog
      - /var/log/auth.log
    fields:
      logtype: system
      environment: production
    fields_under_root: true

  - type: log
    enabled: true
    paths:
      - /var/log/nginx/*.log
    fields:
      logtype: nginx
      environment: production
    fields_under_root: true
    # Lines that do not start with a date are continuation lines of the previous event
    multiline.pattern: '^\d{4}-\d{2}-\d{2}'
    multiline.negate: true
    multiline.match: after

# Output configuration
output.elasticsearch:
  hosts: ["203.0.113.10:9200", "203.0.113.11:9200"]
  protocol: "https"
  username: "elastic"
  password: "your-elasticsearch-password"
  index: "filebeat-%{+yyyy.MM.dd}"

# A custom index name is only accepted when the template name and pattern are set too
setup.template.name: "filebeat"
setup.template.pattern: "filebeat-*"

# Processor configuration
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
  - drop_fields:
      fields: ["agent.ephemeral_id", "agent.id", "ecs.version"]

# Logging configuration
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0600
```
Configure SSL/TLS security
Set up secure connections to Elasticsearch with certificate verification and encryption.
```yaml
# Add this to your elasticsearch output section
output.elasticsearch:
  hosts: ["203.0.113.10:9200", "203.0.113.11:9200"]
  protocol: "https"
  username: "elastic"
  password: "your-elasticsearch-password"

  # SSL/TLS configuration
  ssl.enabled: true
  ssl.certificate_authorities: ["/etc/filebeat/ca.crt"]
  ssl.certificate: "/etc/filebeat/filebeat.crt"
  ssl.key: "/etc/filebeat/filebeat.key"
  # strict = verify the CA chain and the hostname, and reject server certificates without a SAN
  ssl.verification_mode: "strict"

  # Connection tuning
  worker: 2
  bulk_max_size: 1024
  timeout: 60s
  compression_level: 1
```
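Whether the settings above survive later edits is worth checking mechanically before every restart. The following is an added example, not part of the page or of Filebeat: a small line-based audit that flags the four regressions a reviewer most often sees in a `filebeat.yml` (plaintext `http` output, `ssl.verification_mode: none`, a literal password instead of a keystore reference such as `${ES_PWD}`, and the unauthenticated metrics endpoint bound to all interfaces). Both configuration texts are constructed samples; the check patterns and their messages are this example's own.

```python
import re

# Constructed sample with weak settings (not a real deployment).
WEAK_CONFIG = """\
output.elasticsearch:
  hosts: ["203.0.113.10:9200"]
  protocol: "http"
  username: "elastic"
  password: "hunter2"
  ssl.verification_mode: "none"
http:
  enabled: true
  host: "0.0.0.0"
  port: 5066
"""

# Constructed hardened counterpart: TLS with hostname verification, secret from the keystore,
# metrics endpoint on loopback only.
HARDENED_CONFIG = """\
output.elasticsearch:
  hosts: ["203.0.113.10:9200"]
  protocol: "https"
  username: "elastic"
  password: "${ES_PWD}"
  ssl.verification_mode: "full"
  ssl.certificate_authorities: ["/etc/filebeat/ca.crt"]
http:
  enabled: true
  host: "127.0.0.1"
  port: 5066
"""

# (regex applied to each line with comments stripped, message reported on a hit)
CHECKS = [
    (r'^\s*protocol:\s*"?http"?\s*$',
     'output uses plaintext HTTP; set protocol: "https"'),
    (r'^\s*ssl\.verification_mode:\s*"?none"?\s*$',
     "TLS certificate verification is disabled (verification_mode: none)"),
    (r'^\s*password:\s*"?(?!\$\{)[^"\s]',
     "literal password in config; store it with `filebeat keystore add` and reference ${NAME}"),
    (r'^\s*host:\s*"?0\.0\.0\.0"?',
     "metrics HTTP endpoint bound to all interfaces; bind it to 127.0.0.1"),
]


def audit_config(text):
    """Return a list of (line_number, message) findings for weak settings in a YAML text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        code = line.split("#", 1)[0]          # ignore trailing comments
        for pattern, message in CHECKS:
            if re.match(pattern, code):
                findings.append((lineno, message))
    return findings


if __name__ == "__main__":
    for lineno, message in audit_config(WEAK_CONFIG):
        print(f"line {lineno}: {message}")
    print("hardened findings:", audit_config(HARDENED_CONFIG))
```

Run it against `/etc/filebeat/filebeat.yml` from a pre-restart hook or CI job; an empty result is the pass condition. The check is deliberately textual so it needs no YAML library and cannot be fooled by a config that fails to parse.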
Set up log collection modules
Enable and configure Filebeat modules for common services like Nginx, Apache, and system logs.
```bash
# Enable system module
sudo filebeat modules enable system

# Enable nginx module
sudo filebeat modules enable nginx

# Enable apache module (if needed)
sudo filebeat modules enable apache

# List enabled modules
sudo filebeat modules list
```
Configure system module
Customize the system module to collect auth logs, syslog, and other system events.
```yaml
# Module: system (/etc/filebeat/modules.d/system.yml)
# Docs: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html
- module: system
  # Syslog
  syslog:
    enabled: true
    var.paths: ["/var/log/syslog", "/var/log/messages"]

  # Authorization logs
  auth:
    enabled: true
    var.paths: ["/var/log/auth.log", "/var/log/secure"]

  # Convert timezone
  processors:
    - add_locale:
        format: offset
    - timestamp:
        field: '@timestamp'
        layouts:
          - '2006-01-02T15:04:05.000Z'
          - '2006-01-02T15:04:05Z'
        test:
          - '2023-05-15T14:30:45.123Z'
```
Configure Nginx module
Set up the Nginx module to parse access and error logs with proper field mapping.
```yaml
# Module: nginx (/etc/filebeat/modules.d/nginx.yml)
# Docs: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-nginx.html
- module: nginx
  # Access logs
  access:
    enabled: true
    var.paths: ["/var/log/nginx/access.log*"]
    # Pipeline for custom log format (YAML does not allow a second access: key, so it goes here)
    var.pipeline: filebeat-8.15.0-nginx-access-custom

  # Error logs
  error:
    enabled: true
    var.paths: ["/var/log/nginx/error.log*"]
```
Set up performance optimization
Configure Filebeat for high-throughput environments with proper queue settings and resource limits.
```yaml
# Queue settings for high throughput
queue.mem:
  events: 8192
  flush.min_events: 1024
  flush.timeout: 1s

# Resource limits (max_procs is a top-level libbeat setting)
max_procs: 2

# Registry settings for large file tracking
filebeat.registry:
  path: /var/lib/filebeat/registry
  file_permissions: 0600
  flush: 1s

# Harvester settings: add these keys to your existing input entries. A second
# filebeat.inputs key in the same file replaces the first one instead of merging.
filebeat.inputs:
  - type: log
    close_inactive: 5m
    close_removed: true
    close_renamed: false
    clean_inactive: 72h
    ignore_older: 24h
    scan_frequency: 10s
    harvester_buffer_size: 16384
    max_bytes: 10485760 # 10MB

# Time allowed for in-flight events to be acknowledged before Filebeat exits
filebeat.shutdown_timeout: 5s
```
Configure monitoring and metrics
Enable internal metrics collection and monitoring endpoints for observability.
```yaml
# Internal metrics shipped to the monitoring cluster
monitoring:
  enabled: true
  elasticsearch:
    hosts: ["203.0.113.10:9200", "203.0.113.11:9200"]
    protocol: "https"
    username: "elastic"
    password: "your-elasticsearch-password"
    ssl.certificate_authorities: ["/etc/filebeat/ca.crt"]
    # Metrics collection interval
    metrics.period: 30s

# HTTP endpoint for metrics. It is unauthenticated, so keep it on loopback.
http:
  enabled: true
  host: "127.0.0.1"
  port: 5066
```
Set proper file permissions
Secure the Filebeat configuration and certificate files with appropriate ownership and permissions.
```bash
# Set ownership for Filebeat user
sudo chown -R root:root /etc/filebeat/
sudo chown -R filebeat:filebeat /var/lib/filebeat/
sudo chown -R filebeat:filebeat /var/log/filebeat/

# Set secure permissions
sudo chmod 600 /etc/filebeat/filebeat.yml
sudo chmod 600 /etc/filebeat/*.key
sudo chmod 644 /etc/filebeat/*.crt
sudo chmod 755 /etc/filebeat/
sudo chmod 755 /var/lib/filebeat/
sudo chmod 755 /var/log/filebeat/
```
Test configuration and setup index template
Validate your configuration and set up the Elasticsearch index template for optimal field mapping.
```bash
# Test configuration syntax
sudo filebeat test config

# Test Elasticsearch connection
sudo filebeat test output

# Setup index template and pipelines
sudo filebeat setup --index-management --pipelines

# Load Kibana dashboards (optional)
sudo filebeat setup --dashboards
```
Enable and start Filebeat service
Start Filebeat and enable it to run automatically on system boot.
```bash
# Enable and start Filebeat
sudo systemctl enable filebeat
sudo systemctl start filebeat

# Check service status
sudo systemctl status filebeat

# Check initial logs
sudo journalctl -u filebeat -f --no-pager
```
Verify your setup
Check that Filebeat is running correctly and shipping logs to Elasticsearch.
```bash
# Check Filebeat service status
sudo systemctl status filebeat

# View recent logs
sudo tail -f /var/log/filebeat/filebeat

# Inspect the registry (file offsets are kept in log.json / checkpoint files)
sudo ls -la /var/lib/filebeat/registry/filebeat/

# Monitor metrics endpoint
curl -s http://127.0.0.1:5066/stats | jq .

# Verify data in Elasticsearch (the output is HTTPS, so query it the same way)
curl --cacert /etc/filebeat/ca.crt -X GET "https://203.0.113.10:9200/filebeat-*/_search?pretty&size=5" \
  -u elastic:your-elasticsearch-password

# Check index patterns
curl --cacert /etc/filebeat/ca.crt -X GET "https://203.0.113.10:9200/_cat/indices/filebeat-*?v" \
  -u elastic:your-elasticsearch-password
```
Monitor Filebeat performance
Set up monitoring to track Filebeat's resource usage and log shipping performance.
Create performance monitoring script
Monitor key Filebeat metrics like harvested events, processing rates, and error counts.
```bash
#!/bin/bash
# Filebeat performance monitoring script (save as /usr/local/bin/filebeat-monitor.sh)
set -u

API_URL="http://127.0.0.1:5066/stats"
LOG_FILE="/var/log/filebeat-monitor.log"
TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S')

# Get metrics. -f makes curl fail on HTTP errors, so a dead endpoint is logged instead of
# silently producing zeros.
if ! METRICS=$(curl -sf "$API_URL"); then
  echo "[$TIMESTAMP] ALERT: metrics endpoint $API_URL unreachable" >> "$LOG_FILE"
  exit 1
fi

# Extract key values (// 0 supplies a default when a field is absent)
EVENTS_TOTAL=$(echo "$METRICS" | jq -r '.filebeat.events.total // 0')
HARVESTER_RUNNING=$(echo "$METRICS" | jq -r '.filebeat.harvester.running // 0')
OUTPUT_EVENTS=$(echo "$METRICS" | jq -r '.libbeat.output.events.total // 0')
OUTPUT_ERRORS=$(echo "$METRICS" | jq -r '.libbeat.output.events.failed // 0')
MEMORY_USAGE=$(echo "$METRICS" | jq -r '.beat.memstats.memory_total // 0')

# Log metrics with timestamp
echo "[$TIMESTAMP] Events: $EVENTS_TOTAL, Harvesters: $HARVESTER_RUNNING, Output: $OUTPUT_EVENTS, Errors: $OUTPUT_ERRORS, Memory: $MEMORY_USAGE" >> "$LOG_FILE"

# Alert on high error count (this counter is cumulative since Filebeat started)
if [ "$OUTPUT_ERRORS" -gt 100 ]; then
  echo "[$TIMESTAMP] ALERT: High error count: $OUTPUT_ERRORS" >> "$LOG_FILE"
fi
```

```bash
# Make script executable
sudo chmod 755 /usr/local/bin/filebeat-monitor.sh

# Add to cron for regular monitoring
sudo crontab -e
# Add this line (runs every 5 minutes):
*/5 * * * * /usr/local/bin/filebeat-monitor.sh
```
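The counters the cron script reads from `/stats` are cumulative, so once `failed` passes 100 the alert line is written every five minutes until Filebeat restarts. An added example (not the page's script and not anything Filebeat ships) shows the alternative a monitoring engineer would normally want: keep the previous sample, compute the deltas, and alert on the failure share or on a stalled output. The two samples are constructed JSON documents; only the field paths are the ones the page's script queries.

```python
import json

# Constructed /stats samples (not captured from a real host): two polls 30 s apart.
SAMPLE_T0 = json.loads("""
{
  "beat": {"memstats": {"memory_total": 45000000}},
  "filebeat": {"events": {"total": 10000}, "harvester": {"running": 3}},
  "libbeat": {"output": {"events": {"total": 9800, "failed": 120}}}
}
""")
SAMPLE_T1 = json.loads("""
{
  "beat": {"memstats": {"memory_total": 46000000}},
  "filebeat": {"events": {"total": 11000}, "harvester": {"running": 3}},
  "libbeat": {"output": {"events": {"total": 10700, "failed": 170}}}
}
""")


def get_path(stats, path, default=0):
    """Walk a dotted path such as 'libbeat.output.events.failed'.
    Like jq's '// 0', return `default` when any component is missing."""
    node = stats
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def output_health(prev, curr, interval_s, max_failure_ratio=0.05):
    """Derive per-interval rates from two cumulative samples and decide whether to alert.

    Alert when the share of failed output events in the interval exceeds
    max_failure_ratio, or when events were read from disk but nothing reached the
    output at all (output down, or the queue blocked by backpressure).
    """
    d_total = get_path(curr, "libbeat.output.events.total") - get_path(prev, "libbeat.output.events.total")
    d_failed = get_path(curr, "libbeat.output.events.failed") - get_path(prev, "libbeat.output.events.failed")
    d_read = get_path(curr, "filebeat.events.total") - get_path(prev, "filebeat.events.total")
    failure_ratio = d_failed / d_total if d_total > 0 else 0.0
    return {
        "events_read_per_s": d_read / interval_s,
        "events_out_per_s": d_total / interval_s,
        "failure_ratio": failure_ratio,
        "harvesters": get_path(curr, "filebeat.harvester.running"),
        "memory_bytes": get_path(curr, "beat.memstats.memory_total"),
        "alert": failure_ratio > max_failure_ratio or (d_read > 0 and d_total == 0),
    }


if __name__ == "__main__":
    print(json.dumps(output_health(SAMPLE_T0, SAMPLE_T1, 30), indent=2))
```

In a cron job the previous sample would be kept in a small state file next to the log; the 5 % threshold is an assumption to tune against your own baseline.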
Set up log rotation for monitoring
Configure logrotate to manage Filebeat log files and prevent disk space issues.
```
# /etc/logrotate.d/filebeat
# Filebeat already rotates its own log (logging.files.keepfiles), so this stanza is a
# backstop. copytruncate lets Filebeat keep its open file handle; the reload is a no-op
# on the stock unit, which is why it is allowed to fail.
/var/log/filebeat/filebeat {
    daily
    rotate 7
    copytruncate
    delaycompress
    compress
    notifempty
    missingok
    postrotate
        /bin/systemctl reload filebeat > /dev/null 2>&1 || true
    endscript
}

/var/log/filebeat-monitor.log {
    daily
    rotate 14
    compress
    delaycompress
    copytruncate
    notifempty
    missingok
}
```
Troubleshooting and optimization
Debug connection issues
Enable detailed logging to troubleshoot connectivity or parsing problems.
```bash
# Enable debug logging temporarily. Stop the service first: a second instance cannot
# take the lock on the registry directory.
sudo systemctl stop filebeat
sudo filebeat -e -d "*" -c /etc/filebeat/filebeat.yml

# Debug only specific components
sudo filebeat -e -d "harvester,publish" -c /etc/filebeat/filebeat.yml

# Show the effective configuration (resolved inputs and paths)
sudo filebeat export config
```
Optimize for high-volume logging
Tune Filebeat settings for environments with high log volumes or strict performance requirements.
```yaml
# High-volume optimization
queue.mem:
  events: 16384
  flush.min_events: 2048
  flush.timeout: 2s

output.elasticsearch:
  worker: 4
  bulk_max_size: 2048
  compression_level: 3

# Index settings are applied through the template, not the output section
setup.template.settings:
  index.refresh_interval: "30s"
  index.number_of_shards: 2
  index.number_of_replicas: 0   # no replicas means no redundancy for the data

# Reduce harvester overhead (add to the existing input entries)
filebeat.inputs:
  - type: log
    scan_frequency: 30s
    harvester_buffer_size: 32768
    max_bytes: 52428800 # 50MB
```
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| Filebeat won't start | Configuration syntax error | `sudo filebeat test config` to check syntax |
| No logs in Elasticsearch | Connection or auth failure | `sudo filebeat test output` and check credentials |
| High memory usage | Large queue or harvester settings | Reduce `queue.mem.events` and `harvester_buffer_size` |
| Missing log entries | File permissions or rotation | Check `sudo ls -la /var/log/` and add the user to the log groups |
| SSL certificate errors | Wrong CA or certificate path | Verify the paths in the `ssl.certificate_authorities` setting |
| Slow log processing | Insufficient workers or bulk size | Increase `output.elasticsearch.worker` and `bulk_max_size` |
Next steps
- Set up Elasticsearch index lifecycle management for automated log retention
- Configure complete ELK stack for centralized logging
- Set up Alertmanager for log-based alerts
- Configure custom log processors and data enrichment
- Implement multi-datacenter log shipping
Automated install script
Run this to automate the entire setup
```bash
#!/usr/bin/env bash
set -euo pipefail

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'

# Default configuration
ELASTICSEARCH_HOST="${1:-localhost:9200}"
KIBANA_HOST="${2:-localhost:5601}"

# Cleanup function for rollback
cleanup() {
  echo -e "${RED}[ERROR] Installation failed. Cleaning up...${NC}"
  if systemctl is-active --quiet filebeat 2>/dev/null; then
    systemctl stop filebeat
  fi
  if systemctl is-enabled --quiet filebeat 2>/dev/null; then
    systemctl disable filebeat
  fi
}
trap cleanup ERR

# Usage function
usage() {
  echo "Usage: $0 [elasticsearch_host:port] [kibana_host:port]"
  echo "Example: $0 elasticsearch.example.com:9200 kibana.example.com:5601"
  exit 1
}
case "${1:-}" in
  -h|--help) usage ;;
esac

# Check if running as root or with sudo
if [[ $EUID -ne 0 ]]; then
  echo -e "${RED}[ERROR] This script must be run as root or with sudo${NC}"
  exit 1
fi

# Detect distribution and pin the package to 8.15 as in the manual steps
if [ -f /etc/os-release ]; then
  . /etc/os-release
  case "$ID" in
    ubuntu|debian)
      PKG_MGR="apt"
      PKG_INSTALL="apt install -y"
      PKG_UPDATE="apt update"
      FILEBEAT_PKG="filebeat=8.15.*"
      ;;
    almalinux|rocky|centos|rhel|ol|fedora)
      PKG_MGR="dnf"
      PKG_INSTALL="dnf install -y"
      PKG_UPDATE="dnf makecache"
      FILEBEAT_PKG="filebeat-8.15*"
      ;;
    amzn)
      PKG_MGR="yum"
      PKG_INSTALL="yum install -y"
      PKG_UPDATE="yum makecache"
      FILEBEAT_PKG="filebeat-8.15*"
      ;;
    *)
      echo -e "${RED}[ERROR] Unsupported distribution: $ID${NC}"
      exit 1
      ;;
  esac
else
  echo -e "${RED}[ERROR] Cannot detect operating system${NC}"
  exit 1
fi

echo -e "${GREEN}[INFO] Installing Filebeat 8.15 for $PRETTY_NAME${NC}"
echo -e "${GREEN}[INFO] Elasticsearch: $ELASTICSEARCH_HOST${NC}"
echo -e "${GREEN}[INFO] Kibana: $KIBANA_HOST${NC}"

# Check prerequisites
echo -e "${YELLOW}[1/8] Checking prerequisites...${NC}"
command -v curl >/dev/null 2>&1 || $PKG_INSTALL curl
command -v gpg >/dev/null 2>&1 || $PKG_INSTALL gnupg

# Add Elastic repository
echo -e "${YELLOW}[2/8] Adding Elastic repository...${NC}"
if [[ "$PKG_MGR" == "apt" ]]; then
  # Debian/Ubuntu
  curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg
  chmod 644 /usr/share/keyrings/elastic-keyring.gpg
  echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" > /etc/apt/sources.list.d/elastic-8.x.list
  chmod 644 /etc/apt/sources.list.d/elastic-8.x.list
  $PKG_UPDATE
else
  # RHEL/CentOS/Rocky/Alma
  rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
  cat > /etc/yum.repos.d/elastic.repo << 'EOF'
[elastic-8.x]
name=Elastic repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
  chmod 644 /etc/yum.repos.d/elastic.repo
  $PKG_UPDATE
fi

# Install Filebeat
echo -e "${YELLOW}[3/8] Installing Filebeat 8.15...${NC}"
$PKG_INSTALL "$FILEBEAT_PKG"

# Backup original configuration
echo -e "${YELLOW}[4/8] Backing up configuration...${NC}"
cp /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.backup

# Configure Filebeat (unquoted heredoc on purpose: the host variables are expanded)
echo -e "${YELLOW}[5/8] Configuring Filebeat...${NC}"
cat > /etc/filebeat/filebeat.yml << EOF
# Filebeat configuration for ELK stack integration
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/*.log
      - /var/log/*/*.log
    exclude_files: ['\.gz$']
    multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
    multiline.negate: true
    multiline.match: after

  - type: syslog
    enabled: true
    protocol.udp:
      host: "127.0.0.1:9000"

output.elasticsearch:
  hosts: ["${ELASTICSEARCH_HOST}"]
  protocol: "https"
  # "certificate" checks the CA chain but not the hostname; switch to "full" once the
  # server certificate carries the right SAN
  ssl.verification_mode: certificate
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]

setup.kibana:
  host: "${KIBANA_HOST}"
  protocol: "https"

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0600

# Monitoring uses its own connection settings, so TLS has to be set here as well
monitoring.enabled: true
monitoring.elasticsearch:
  hosts: ["${ELASTICSEARCH_HOST}"]
  protocol: "https"
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
EOF

# Set proper permissions
chown root:root /etc/filebeat/filebeat.yml
chmod 600 /etc/filebeat/filebeat.yml

# Create certificates directory
mkdir -p /etc/filebeat/certs
chown root:root /etc/filebeat/certs
chmod 755 /etc/filebeat/certs

# Configure log directory
echo -e "${YELLOW}[6/8] Setting up logging...${NC}"
mkdir -p /var/log/filebeat
chown root:root /var/log/filebeat
chmod 755 /var/log/filebeat

# Configure SELinux if present and not disabled
if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Disabled" ]; then
  echo -e "${YELLOW}[7/8] Configuring SELinux...${NC}"
  setsebool -P nis_enabled 1
  # semanage comes from policycoreutils-python-utils and may be absent
  if command -v semanage >/dev/null 2>&1; then
    semanage port -a -t syslogd_port_t -p udp 9000 2>/dev/null || true
  fi
fi

# Enable and start Filebeat service
echo -e "${YELLOW}[8/8] Starting Filebeat service...${NC}"
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat

# Wait for service to start
sleep 5

# Verify installation
echo -e "${YELLOW}[INFO] Verifying installation...${NC}"

# Check service status
if systemctl is-active --quiet filebeat; then
  echo -e "${GREEN}[✓] Filebeat service is running${NC}"
else
  echo -e "${RED}[✗] Filebeat service failed to start${NC}"
  systemctl status filebeat --no-pager
  exit 1
fi

# Check configuration
if filebeat test config -c /etc/filebeat/filebeat.yml >/dev/null 2>&1; then
  echo -e "${GREEN}[✓] Configuration is valid${NC}"
else
  echo -e "${RED}[✗] Configuration validation failed${NC}"
  filebeat test config -c /etc/filebeat/filebeat.yml
  exit 1
fi

# Test output connectivity (basic check)
if filebeat test output -c /etc/filebeat/filebeat.yml >/dev/null 2>&1; then
  echo -e "${GREEN}[✓] Output connectivity test passed${NC}"
else
  echo -e "${YELLOW}[!] Output connectivity test failed - check Elasticsearch connection${NC}"
  echo -e "${YELLOW}[!] This is expected if Elasticsearch is not yet configured with SSL certificates${NC}"
fi

echo -e "${GREEN}[SUCCESS] Filebeat 8.15 installation completed!${NC}"
echo -e "${GREEN}[INFO] Configuration file: /etc/filebeat/filebeat.yml${NC}"
echo -e "${GREEN}[INFO] Log files: /var/log/filebeat/${NC}"
echo -e "${GREEN}[INFO] Service status: systemctl status filebeat${NC}"
echo -e "${YELLOW}[NOTE] Remember to:${NC}"
echo -e "${YELLOW}  1. Configure SSL certificates in /etc/filebeat/certs/${NC}"
echo -e "${YELLOW}  2. Update Elasticsearch and Kibana connection settings${NC}"
echo -e "${YELLOW}  3. Customize log paths in filebeat.yml as needed${NC}"
echo -e "${YELLOW}  4. Run 'filebeat setup' after Elasticsearch is ready${NC}"
```
Review the script before running. Execute with: bash install.sh