Learn more about Streama© – the foundational technology behind our stateful streaming data platform. Learn More

Beats: Filebeat

Coralogix provides seamless integration with Filebeat so you can send your logs from anywhere and parse them according to your needs.


This document includes cluster dependent URL’s. Each URL has a variable part (in Italic). Please match this part with a row entry within the following table. Copy the table row entry located under the column that matches the top level domain of your Coralogix account (.com, .in etc.). Replace the variable part of the URL with this entry.

Cluster domaincoralogix.comapp.coralogix.incoralogix.us
SSL Certificateshttps://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-EU.crthttps://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-IN
Logstash server URLlogstashserver.coralogix.comlogstash.app.coralogix.inlogstashserver.coralogix.us


Private Key – A unique ID that represents your company. The private key can be found under ‘settings’->’ send your logs’. It is located in the upper left corner.

Company Id – A unique number which represents your company. You can get your company id from the settings tab in the Coralogix dashboard.

Application Name – The name of your main application, for example, a company named “SuperData” would probably insert the “SuperData” string parameter or if they want to debug their test environment they might insert the “SuperData– Test”.

SubSystem Name – Your application probably has multiple subsystems, for example, Backend servers, Middleware, Frontend servers, etc. in order to help you examine the data you need, inserting the subsystem parameter is vital.


For a quick setup of Filebeat on your server, you can use prepared scripts.

Go to the folder with your Filebeat configuration file (filebeat.yml) and execute (as root):


$ curl -sSL https://raw.githubusercontent.com/coralogix/integrations-docs/master/integrations/filebeat/scripts/install-deb.sh | bash


$ curl -sSL https://raw.githubusercontent.com/coralogix/integrations-docs/master/integrations/filebeat/scripts/install-rpm.sh | bash

This script will install Filebeat on your machine, prepare configuration and download Coralogix SSL certificates.

Note: If you want to install a specific version of Filebeat you should pass version number with environment variable before script run:

$ export FILEBEAT_VERSION=6.6.2


Open your Filebeat configuration file and configure it to use Logstash (Make sure you disable Elasticsearchoutput). For more information about configuring Filebeat to use Logstash please refer to https://www.elastic.co/guide/en/beats/filebeat/current/config-filebeat-logstash.html

Point your Filebeat to output to Coralogix Logstash server (replace the Logstash Server URL with the corresponding entry from the table above):

Logstash Server URL:5044

or if you want to use an encrypted connection (recommended):

Logstash Server URL:5015

Here is a basic example of filebeat.yml:

#============================== Filebeat Inputs ===============================

- type: log
  - "/var/log/your_app/your_app.log"

fields_under_root: true

#----------------------------- Logstash output --------------------------------

  enabled: true
  hosts: ["Logstash server URL:5015"]
  tls.certificate_authorities: ["<path to folder with certificates>/ca.crt"]
  ssl.certificate_authorities: ["<path to folder with certificates>/ca.crt"]

Note: If you want to send all additional metadata, the fields_under_root option should be equals to true.

If you have multiline logs like:

2019-08-31 14:27:33 [main] ERROR Main - Exception
javax.management.RuntimeErrorException: null
    at Main.main(Main.java:16) ~[bin/:na]

You can use multiline pattern:

- type: log
  - "/var/log/your_app/your_app.log"
    pattern: '^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \['
    negate: true
    match: after

The pattern should match the beginning of each record.


Build a Docker image with your filebeat.yml:

FROM docker.elastic.co/beats/filebeat:6.6.2

LABEL description="Filebeat logs watcher"

# Adding configuration file and SSL certificates for Filebeat
COPY filebeat.yml /usr/share/filebeat/filebeat.yml
COPY ca.crt /etc/ssl/certs/Coralogix.crt

# Changing permission of configuration file
USER root
RUN chown root:filebeat /usr/share/filebeat/filebeat.yml

# Return to deploy user
USER filebeat

Before deploying your container don’t forget to mount volume with your logs.