Skip to main content

Beats

MacOS or Linux

This document describes the way to get logs from your system to Logz.io using any of the Beats shippers.

Configure your Beats shipper on macOS or Linux

Before you begin, you'll need:

  • Any Beats shipper installed on your machine. This includes Filebeat, Auditbeat, Functionbeat, Heartbeat, Journalbeat or Packetbeat. Logz.io recommends that you use the latest stable version.
  • Destination port 5015 open to outgoing traffic.
Download the Logz.io public certificate to your credentials server

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt

Configure your Beats shipper using the configuration file.

note

Filebeat requires a file extension specified for the log input.

  1. Open the configuration file for your Beats shipper.

  2. Add the following to the inputs section:

      fields:
    logzio_codec: <plain> or <json>
    token: <<LOG-SHIPPING-TOKEN>>
    type: <LOGTYPE>
    fields_under_root: true
    encoding: utf-8
    ignore_older: 3h
  3. Specify the log file format in the logzio_codec field. It can be plain or json.

  4. Specify your Logz.io log shipping token in the token field. You can see the token by navigating to your Logz.io account and selecting Settings > Manage tokens > Data shipping tokens.

  5. Select the log type from the list or select Other and give it a name of your choice to specify a custom log type.

    • If you select a log type from the list, the logs will be automatically parsed and analyzed. List of types available for parsing by default.
    • If you select Other, contact support to request custom parsing assistance. Don’t be shy, it’s included in your plan!
  6. Add the following to the outputs section:

    output:
    logstash:
    hosts: ["<<LISTENER-HOST>>:5015"]
    ssl:
    certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
  7. Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.

  8. Save the changes.

Validate the configuration file

It's a good idea to run the configuration file through a YAML validator to rule out indentation errors, clean up extra characters, and check if your YAML file is valid. Yamllint.com is a great choice.

Start your Beats shipper

Start or restart your Beats shipper for the changes to take effect.

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards.

If you still don't see your logs, see log shipping troubleshooting.

Windows

This document describes the way to get logs from your system to Logz.io using any of the Beats shippers.

Configure your Beats shipper on Windows

Before you begin, you'll need:

  • Any Beats shipper installed on your machine. This includes Filebeat, Auditbeat, Functionbeat, Heartbeat, Journalbeat, Packetbeat or Winlogbeat. Logz.io recommends that you use the latest stable version.
  • Destination port 5015 open to outgoing traffic.

Download the Logz.io public certificate

note

Filebeat requires a file extension specified for the log input.

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

Download the Logz.io public certificate to C:\ProgramData\<YOUR SHIPPER NAME>\Logzio.crt on your machine.

Configure your Beats shipper using the dedicated Logz.io configuration wizard

Log into your Logz.io account, and go to the Filebeat log shipping page to use the dedicated Logz.io Filebeat configuration wizard. It's the simplest way to configure Filebeat for your use case.

Configure your Beats shipper using the configuration file.

  1. Open the configuration file for your Beats shipper.

  2. Add the following to the inputs section:

      fields:
    logzio_codec: <plain> or <json>
    token: <<LOG-SHIPPING-TOKEN>>
    type: <LOGTYPE>
    fields_under_root: true
    encoding: utf-8
    ignore_older: 3h
  3. Specify the log file format in the logzio_codec field. It can be plain or json.

  4. Specify your Logz.io log shipping token in the token field. You can see the token by navigating to your Logz.io account and selecting Settings > Manage tokens > Data shipping tokens.

  5. Select the log type from the list or select Other and give it a name of your choice to specify a custom log type.

    • If you select a log type from the list, the logs will be automatically parsed and analyzed. List of types available for parsing by default.
    • If you select Other, contact support to request custom parsing assistance. Don’t be shy, it’s included in your plan!
  6. Add the following to the outputs section:

    output:
    logstash:
    hosts: ["<<LISTENER-HOST>>:5015"]
    ssl:
    certificate_authorities: ['C:\ProgramData\<YOUR SHIPPER NAME>\Logzio.crt']
  1. Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.
  2. Save the changes.

Validate the configuration file

It's a good idea to run the configuration file through a YAML validator to rule out indentation errors, clean up extra characters, and check if your YAML file is valid. Yamllint.com is a great choice.

Start your Beats shipper

Start or restart your Beats shipper for the changes to take effect.

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards.

If you still don't see your logs, see log shipping troubleshooting.

Beat shippers make use of modules to ship data from various sources. Refer to the list below to see what modules each of the shippers support.