
How to Use Filebeat for Efficient Log Collection and Multi‑Target Output

This guide explains how to install Filebeat, configure its built‑in modules, and set up outputs to files, Logstash, Elasticsearch, Redis, and multiple destinations, providing a lightweight, Java‑free solution for centralized log collection within an ELK architecture.

MaGe Linux Operations

Filebeat Log Collection

Filebeat Overview

Filebeat ships with pre‑built modules that contain the ingest pipeline, Elasticsearch template, Filebeat prospectors and Kibana dashboards needed to collect, parse, enrich and visualize various log formats.

Filebeat itself is a lightweight, single‑purpose log shipper: it runs on servers without Java and can forward logs to Logstash, Elasticsearch, Redis and other destinations.

ELK Architecture

Filebeat Installation

Download the package from the official site: https://www.elastic.co/downloads/beats/filebeat

# 1. Download

# 2. Install
yum localinstall -y filebeat-5.6.16-x86_64.rpm

# 3. Backup original config
cp /etc/filebeat/filebeat.yml{,.bak}

Filebeat output to a file

# vim /etc/filebeat/filebeat.yml
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/nginx/blog.zls.com_access_json.log
  exclude_lines: ["^DBG","^$"]
  document_type: blog_ngx_log

- input_type: log
  paths:
    - /var/log/nginx/www.zls.com_access_json.log
  exclude_lines: ["^DBG","^$"]
  document_type: www_ngx_log

output.file:
  path: "/tmp"
  filename: "zls_filebeat.txt"

# Start Filebeat
systemctl start filebeat

Filebeat output to Logstash

Filebeat configuration

# vi /etc/filebeat/filebeat.yml
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/nginx/blog.zls.com_access_json.log
  exclude_lines: ["^DBG","^$"]
  document_type: ngx_zls

output.logstash:
  hosts: ["10.0.0.84:6666"]
  enabled: true
  worker: 1
  compression_level: 3
  # loadbalance: true

Logstash configuration

input{
  beats{
    port => "6666"
    codec => "json"
  }
}
filter{
  json{
    source => "message"
    remove_field => "message"
  }
}
output{
  elasticsearch{
    hosts => ["10.0.0.81:9200"]
    index => "%{type}-%{+yyyy.MM.dd}"
    codec => "json"
  }
}

Filebeat output to Elasticsearch

# vi /etc/filebeat/filebeat.yml
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/nginx/blog.zls.com_access_json.log
  exclude_lines: ["^DBG","^$"]
  document_type: ngx_zls

output.elasticsearch:
  hosts: ["10.0.0.81:9200"]
  index: "nginx_es-%{+yyyy.MM.dd}"

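# Restart Filebeat. Removing the registry discards the saved read offsets,
# so every monitored file is re-read from the beginning and sent again.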
systemctl stop filebeat
rm -f /var/lib/filebeat/registry
systemctl start filebeat

Filebeat output to Redis

Filebeat configuration

# vi /etc/filebeat/filebeat.yml
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/nginx/blog.zls.com_access_json.log
  exclude_lines: ["^DBG","^$"]
  document_type: blog.zls.com_json

- input_type: log
  paths:
    - /var/log/nginx/www.zls.com_access_json.log
  exclude_lines: ["^DBG","^$"]
  document_type: www.zls.com_json

output.redis:
  hosts: ["10.0.0.52:6379"]
  key: "nginx_log"
  db: 6
  timeout: 5
  # password: zls

Logstash configuration

# vi /etc/logstash/conf.d/ngx_redis_es.conf
input{
  redis{
    data_type => "list"
    key => "nginx_log"
    host => "10.0.0.52"
    port => "6379"
    db => "6"
    codec => "json"
  }
}
filter{
  json{
    source => "message"
    remove_field => ["message"]
  }
}
output{
  elasticsearch{
    hosts => ["10.0.0.82:9200"]
    index => "%{type}-%{+yyyy.MM.dd}"
  }
}

Filebeat output to multiple targets

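# vi /etc/filebeat/filebeat.yml
# Two outputs enabled at once works on the Filebeat 5.x release installed above;
# from Filebeat 6.0 on, only one output may be enabled.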
filebeat.prospectors:
- input_type: log
  paths:
    - /usr/local/nginx/logs/access_json.log
  exclude_lines: ["^DBG","^$"]
  document_type: ngx_log

- input_type: log
  paths:
    - /usr/local/tomcat/logs/tomcat_access_log.*.log
  exclude_lines: ["^DBG","^$"]
  document_type: tc_log

output.redis:
  hosts: ["10.0.0.54:6379"]
  key: "tn"
  db: 2
  timeout: 5
  password: zls

output.file:
  path: "/tmp"
  filename: "zls.txt"
  worker: 1
  compression_level: 3
  loadbalance: true
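
The configurations above send events to Redis, Logstash and Elasticsearch without TLS, keep the Redis password in filebeat.yml, and write a copy of the logs to /tmp. The following Python check is an added example, not part of the original article: it audits a filebeat.yml of this shape for those settings. It uses a simplified line-based parser instead of a YAML library, and the function names, sample config and password value are constructed for illustration.

```python
import re

# Constructed sample shaped like the multi-target config above; the password is a placeholder.
SAMPLE = """\
output.redis:
  hosts: ["10.0.0.54:6379"]
  key: "tn"
  password: example-secret
output.file:
  path: "/tmp"
  filename: "zls.txt"
"""
NETWORK_OUTPUTS = {"redis", "logstash", "elasticsearch"}

def parse_outputs(text):
    """Collect {name: {option: value}} for each top-level 'output.<name>:' section."""
    outputs, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and commented-out options are ignored
        if not raw[0].isspace():  # any top-level key closes the open section
            m = re.match(r"output\.(\w+):\s*$", stripped)
            current = outputs.setdefault(m.group(1), {}) if m else None
        elif current is not None and ":" in stripped:
            key, _, value = stripped.partition(":")
            current[key.strip()] = value.strip().strip("\"'")
    return outputs

def audit(text):
    """Return sorted (output, finding) pairs for settings to review before production."""
    outputs, findings = parse_outputs(text), []
    if len(outputs) > 1:
        findings.append(("*", "several outputs enabled: Filebeat 6.0+ accepts only one"))
    for name, opts in outputs.items():
        secret = opts.get("password", "")
        if secret and not secret.startswith("${"):  # ${VAR} reads it from the environment
            findings.append((name, "cleartext password in the config file"))
        tls = any(k == "ssl" or k.startswith("ssl.") for k in opts)
        tls = tls or "https" in opts.get("hosts", "") + opts.get("protocol", "")
        if name in NETWORK_OUTPUTS and not tls:
            findings.append((name, "no ssl settings: events cross the network unencrypted"))
        if name == "file" and opts.get("path", "").startswith("/tmp"):
            findings.append((name, "copy of the logs written under /tmp"))
    return sorted(findings)

if __name__ == "__main__":
    for output, finding in audit(SAMPLE):
        print(f"{output}: {finding}")
```

An output that carries an `ssl` section (for example `ssl.certificate_authorities`) or an `https` Elasticsearch host is treated as encrypted; the check does not validate the certificates themselves.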