Skip to content

Commit

Permalink
Per module docs in Filebeat (#3598)
Browse files Browse the repository at this point in the history
* Document Filebeat modules
* Each module has to provide a docs.asciidoc file to be included
  in the docs
* Following the MB model, these are collected in the `docs/` folder
  on `make update`
* Structure wise, I added a "Modules" part which has an Overview section
  and then a section for each module
* Added docs.asciidoc to the module generator

Part of #3159.
  • Loading branch information
tsg authored and ruflin committed Feb 21, 2017
1 parent 99d01b7 commit 84361da
Show file tree
Hide file tree
Showing 20 changed files with 653 additions and 181 deletions.
9 changes: 8 additions & 1 deletion filebeat/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -44,9 +44,16 @@ configs: python-env
. ${PYTHON_ENV}/bin/activate; python ${ES_BEATS}/metricbeat/scripts/config_collector.py --beat ${BEAT_NAME} --full $(PWD) >> _meta/beat.full.yml
cat ${ES_BEATS}/filebeat/_meta/common.full.p2.yml >> _meta/beat.full.yml

# Collects all module docs
.PHONY: collect-docs
collect-docs: python-env
-rm -rf docs/modules
mkdir -p docs/modules
. ${PYTHON_ENV}/bin/activate; python ${ES_BEATS}/filebeat/scripts/docs_collector.py --beat ${BEAT_NAME}

# Runs all collection steps and updates afterwards
.PHONY: collect
collect: fields kibana modules configs
collect: fields kibana modules configs collect-docs


# Creates a new fileset. Requires the params MODULE and FILESET
Expand Down
Binary file added filebeat/docs/images/kibana-apache2.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added filebeat/docs/images/kibana-mysql.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added filebeat/docs/images/kibana-system.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
2 changes: 2 additions & 0 deletions filebeat/docs/index.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,8 @@ include::../../libbeat/docs/yaml.asciidoc[]

include::../../libbeat/docs/regexp.asciidoc[]

include::./modules.asciidoc[]

include::./fields.asciidoc[]

include::./securing-filebeat.asciidoc[]
Expand Down
184 changes: 184 additions & 0 deletions filebeat/docs/modules-overview.asciidoc
Original file line number Diff line number Diff line change
@@ -0,0 +1,184 @@
[[filebeat-modules-overview]]
== Modules overview

beta[]

Filebeat modules simplify the collection, parsing, and visualization of common
log formats.

A typical module (say, for the Nginx logs) is composed of one ore
more filesets (in the case of Nginx, `access` and `error`). A fileset contains
the following:

* Filebeat prospector configurations, which contain the default paths where to
look or the log files. These default paths depend on the operating system.
The Filebeat configuration is also responsible with stitching together
multiline events when needed.

* Elasticsearch {elasticsearch}/ingest.html[Ingest Node] pipeline definition,
which is used to parse the log lines.

* Fields definitions, which are used to configure Elasticsearch with the
correct types for each field. They also contain short descriptions for each
of the fields.

* Sample Kibana dashboards, which can be used to visualize the log files.

Filebeat automatically adjusts these configurations based on your environment
and loads them to the respective Elastic stack components.

NOTE: At the moment, Filebeat modules require using the Elasticsearch
{elasticsearch}/ingest.html[Ingest Node]. In the future, Filebeat Modules will
be able to also configure Logstash as a more powerful alternative to Ingest
Node.

=== Tutorial

This tutorial assumes you have Elasticsearch and Kibana installed and
accessible from Filebeat (see the <<filebeat-getting-started,getting started>>
section). It also assumes that the Ingest Node GeoIP and User Agent plugins are
installed, which you can do with the following two commands executed in the
Elasticsearch home path:

[source,shell]
----------------------------------------------------------------------
$ sudo bin/elasticsearch-plugin install ingest-geoip
$ sudo bin/elasticsearch-plugin install ingest-user-agent
----------------------------------------------------------------------

You need to restart Elasticsearch after running these commands.

If you are using an https://cloud.elastic.co/[Elastic Cloud] instance, you can
enable the two plugins from the configuration page.

This also assumes you have Nginx installed and writing logs in the default
location and format. If you want to monitor another service for which a module
exists, feel free to adjust the tutorial.

You can start Filebeat with the following command:

[source,shell]
----------------------------------------------------------------------
$ filebeat -e -modules=nginx -setup
----------------------------------------------------------------------

The `-e` flag tells Filebeat to output its logs to standard error, instead of
syslog.

The `-modules=nginx` flag loads the Nginx module.

The `-setup` flag tells Filebeat to load the associated sample Kibana
dashboards. This setup phase, in which the dashboards are loaded, doesn't have
to be executed each time, and because it's a relatively heavy operation, we
recommend executing it only once after installing or upgrading Filebeat. That
is why, the next commands from this tutorial are omitting the `-setup` flag.

Visiting the Kibana web interface now, open the Nginx dashboard and you should
already see your logs parsed and visualized in several widgets.

image:./images/kibana-nginx.png[]

You can also start multiple modules at once:

[source,shell]
----------------------------------------------------------------------
$ filebeat -e -modules=nginx,mysql,system
----------------------------------------------------------------------

While enabling the modules from the CLI file is handy for getting started and
for testing, you will probably want to use the configuration file for the
production setup. The equivalent of the above in the configuration file is:


[source,yaml]
----------------------------------------------------------------------
modules:
- name: nginx
- name: mysql
- name: syslog
----------------------------------------------------------------------

Then you can start Filebeat simply with: `./filebeat -e`.

==== Variable overrides

Each module and fileset has a set of "variables" which allow adjusting their
behaviour. To see the available variables, you can consult the
`filebeat.full.yml` file. For example, all filesets allow setting a custom
`paths` value, which is a list of Globs where the log files are searched.

These variables have default values, sometimes depending on the operating
system. You can override them either from the CLI via the `-M` flag, or from
the configuration file.

In the case of Nginx, for example, you can use the following if the access
files are in a custom location:

[source,shell]
----------------------------------------------------------------------
$ filebeat -e -modules=nginx -M "nginx.access.var.paths=[/opt/apache2/logs/access.log*]"
----------------------------------------------------------------------

Or via the configuration file:

[source,yaml]
----------------------------------------------------------------------
modules:
- name: nginx
access:
var.paths = ["/opt/apache2/logs/access.log*"]
----------------------------------------------------------------------

The Nginx `access` fileset also has a `pipeline` variables which allows
selecting which of the available Ingest Node pipelines is used for parsing. At
the moment, two such pipelines are available, one that requires the two ingest
plugins (`ingest-geoip` and `ingest-user-agent`) and one that doesn't. If you
cannot install the plugins, you can use the following:


[source,shell]
----------------------------------------------------------------------
$ filebeat -e -modules=nginx -M "nginx.access.var.pipeline=no_plugins"
----------------------------------------------------------------------

==== Advanced settings

Behind the scenes, each module starts a Filebeat prospector. For advanced
users, it's possible to add or overwrite any of the prospector settings. For
example, enabling <<close-eof,close_eof>> can be done like this:


[source,yaml]
----------------------------------------------------------------------
modules:
- name: nginx
access:
prospector:
close_eof: true
----------------------------------------------------------------------

Or like this:


[source,shell]
----------------------------------------------------------------------
$ filebeat -e -modules=nginx -M "nginx.access.prospector.close_eof=true"
----------------------------------------------------------------------

From the CLI, it's possible to change variables or settings for multiple
modules/fileset at once. For example, the following works and will enable
`close_eof` for all the filesets in the nginx module:

[source,shell]
----------------------------------------------------------------------
$ filebeat -e -modules=nginx -M "nginx.*.prospector.close_eof=true"
----------------------------------------------------------------------

The following also works and will enable `close_eof` for all prospectors
created by any of the modules:

[source,shell]
----------------------------------------------------------------------
filebeat -e -modules=nginx,mysql -M "*.*.prospector.close_eof=true"
----------------------------------------------------------------------

Loading

0 comments on commit 84361da

Please sign in to comment.