Install Filebeat

Learn how to install and uninstall Filebeat.

Filebeat version

This documentation pertains to Filebeat release 1.2.3 and Filebeat release 5.2.0 on Linux.

No other release versions of Filebeat have been validated with Axway Decision Insight.

Installation

  1. Download the binary format corresponding to your operating system from https://www.elastic.co/downloads/beats/filebeat.
    1. For Linux, you need to select distribution LINUX 32-BIT (for 32bits systems) or LINUX 64-BIT (for 64bits systems). Do not use DEB or RPM distributions as the artifacts will be installed elsewhere and this will make the following configuration more complex.
  2. Install the program by uncompressing the archive in directory <install dir>.
  3. Then Configure Filebeat as needed.

Console mode execution

In this mode, Filebeat is started in interactive (console) mode. You can use this mode when doing quick tests of the configuration.

To start Filebeat, go to the installation directory and execute:

cd <install dir>
./filebeat -c <filebeat.yml>
  • Where <filebeat.yml> is the YAML configuration file for Filebeat. See Configure Filebeat.

More startup options are detailed in the command line parameters page.

To stop Filebeat, interrupt the process with CRTL+C or close the console.

Service mode execution

In this mode, Filebeat is started in non-interactive mode. It can be configured to start with the server.

Configuration

Register the service

As user root (or doing the operations with the sudo command):

  1. Copy the following content in a new file /etc/init.d/filebeat-sc:

    /etc/init.d/filebeat-sc
    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides: Filebeat
    # Required-Start: $local_fs $network $named $time $syslog
    # Required-Stop: $local_fs $network $named $time $syslog
    # Default-Start: 3 2 5 4
    # Default-Stop: 0 1 6
    # Short-Description: Filebeat
    # Description: Filebeat
    ### END INIT INFO
    
    USER=root
    INSTALL_DIR=<install directory>
    CONFIGURATION_FILE=${INSTALL_DIR}/filebeat.yml
    
    ##############################
    # DO NOT MODIFY PAST THIS LINE
    ##############################
    
    PID=$(pgrep -u $USER -x filebeat)
    
    start() {
        echo "Starting Filebeat"
        if kill -0 $PID 2> /dev/null; then
            echo "Service already running" >&2
            return 1
        else
            su --login $USER --shell /bin/sh --command "cd ${INSTALL_DIR} && ./filebeat -c ${CONFIGURATION_FILE} > /dev/null 2>&1 &"
            return 0
        fi
    }
    
    stop() {
        echo "Stopping Filebeat"
        if kill -0 $PID 2> /dev/null; then
            return $(kill $PID)
        else
            echo "Service Filebeat is not running" >&2
            return 1
        fi
    }
    
    status() {
        if kill -0 $PID 2> /dev/null; then
            echo "Service Filebeat is running"
            return 0
        else
            echo "Service Filebeat is not running"
            return 1
        fi
    }
    
    case "$1" in
        start)
            start
            ;;
        stop)
            stop
            ;;
        restart)
            stop
            sleep 10
            start
            ;;
        status)
            status
            ;;
        *)
            echo "Usage: $0 {start|stop|restart|status}"
            exit 2
            ;;
    esac
    
  2. Change the following lines:

    1. Line 12: set the account that executes Filebeat. By default it is executed with root privileges.

      /etc/init.d/filebeat-sc
      USER=<Filebeat account>
    2. Line 13: set the directory where you have installed Filebeat

      /etc/init.d/filebeat-sc
      INSTALL_DIR=<install dir>
    3. Line 14: change the path of the Filebeat configuration file if you have used a different file. Please not that this must be the full path of the configuration file.

      /etc/init.d/filebeat-sc
      CONFIGURATION_FILE=/opt/my-environment/conf/my-filebeat-configuration.yml
  3. Make it executable with:

    chmod +x /etc/init.d/filebeat-sc
  4. Register the service:
    1. For Ubuntu, execute:

      update-rc.d filebeat-sc default 99 01
    2. For Red Hat Enterprise Linux, execute:

      chkconfig --add filebeat-sc
    3. For SUSE, execute:

      chkconfig --add filebeat-sc
    4. For Oracle Linux, execute:

      chkconfig --add filebeat-sc

Resources consumption

The hardware resources consumed by Filebeat can get quite high if Filebeat needs to concurrently monitor a large number of files. This typically happens during an initial provisioning or after a crash recovery.

It is important to properly evaluate and configure the system resources that Filebeat should be allowed. Thus these OS limits need to be properly configured :

  • number of open files (ulimit -n)

  • number of threads (ulimit -u)

  • virtual memory consumption (ulimit -v)

  • the swap size (grep SwapTotal /proc/meminfo)

Unregister the service

As user root (or doing the operations with the sudo command):

  1. For Ubuntu, execute:

    update-rc.d filebeat-sc remove
  2. For Red Hat Enterprise Linux, execute:

    chkconfig --del filebeat-sc
  3. For SUSE, execute:

    chkconfig --del filebeat-sc
  4. For Oracle Linux, execute:

    chkconfig --del filebeat-sc

Start

As user root (or using the sudo command), execute:

service filebeat-sc start

Stop

As user root (or using the sudo command), execute:

service filebeat-sc stop

Status

As user root (or using the sudo command), execute:

service filebeat-sc status

Uninstall

To remove Filebeat, do the following:

  1. Stop the service (see above)

  2. As user root (or using the sudo command), execute:

    rm /etc/init.d/filebeat-sc
  3. Remove the directory where you have installed Filebeat

    rm -r <install dir>

Related Links