5. Installing FileBeat

FileBeat should be configured to run against an Elasticsearch node of the same version.

Binary install

Download and install the Public Signing Key:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Install the apt-transport-https package on Debian before proceeding

sudo apt-get install apt-transport-https

Save the repository definition to /etc/apt/sources.list.d/elastic-6.x.list

echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list

Update the repository

sudo apt-get update

List the available versions of FileBeat

sudo apt-cache policy filebeat

Install the needed version

sudo apt-get install filebeat=6.0.1

Set up the Kibana's dashboards

The dashboards are located in /usr/share/filebeat/kibana/default/dashboard

sudo filebeat setup -e
or sudo filebeat setup --dashboards
or filebeat setup -E "setup.dashboards.directory=/usr/share/filebeat/kibana"

If logstash output is already enabled and the elasticsearch output disabled in the /etc/filebeat/filebeat.yml

filebeat setup --dashboards -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'

This last step is optional since there is no way for the moment to import properly dashboard templates in Kibana since the fields names of the indices have to match exactly the ones of the Kibana visualizations.

Container install

The Elastic documentation is self-explanatory :
https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html

Configuration files

Configuration file path

Rpm and deb
/etc/filebeat/filebeat.yml

Docker
/usr/share/filebeat/filebeat.yml

You can find useful configuration files templates on the Filebeat directory of this Github:
https://github.com/Alexandre-Guth/Elastic-Stack-FileBeat-Logspout/tree/master/FileBeat