The objective of this repo is to learn how to integrate Kafka with the ELK Stack using FileBeat. Below is the event flow we'll be implementing: Log files -> FileBeat -> Kafka -> Logstash -> Elasticsearch -> Kibana

Versions:

FileBeat 5.2.2

Kafka 0.10.0.1

Logstash 5.2.2

Elasticsearch 5.2.2

Kibana 5.2.2

All of these were installed on the same machine localhost.

1). Filebeat -> We will be gathering the default logs - /var/log/*.log specified in filebeat.yml

Add following lines in the output section of filebeat.yml file :

output.kafka:

 enabled: true

 hosts: ["localhost:9092"]

 topic: test

 compression: none

This will send events to Kafka port 9092 on topic test. Start Filebeat depending on the package/OS you have, more details -> https://www.elastic.co/guide/en/beats/filebeat/current/directory-layout.html

https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-command-line.html

2). Kafka -> Start the Kafka server and zookeeper using below commands:

(https://kafka.apache.org/0100/documentation.html)

bin/kafka-server-start.sh config/server.properties

bin/zookeeper-server-start.sh config/zookeeper.properties

Create a topic called test ->

bin/kafka-topics.sh --create --zookeeper localhost:2181 --replication-factor 1 --partitions 1 --topic test

Filebeat will act as a producer. Start a console consumer as a test to see if you are able to consume those events:

bin/kafka-console-consumer.sh --zookeeper localhost:2181 --topic test --from-beginning

At this point, you should be able to see lots of events in the console consumer. This test confirms that the setup is working fine so far.

3). Logstash -> We will use Kafka input plugin in this case. Create logstash.conf file and add below lines :

input {

        kafka {

                topics => "test"
    
              }
       }

 output {
    
          stdout { codec => rubydebug }
        }

Start Logstash specifying the above logstash.conf file. This will start consuming events from test topic. You should see lots of log files in the Logstash command line. Again the idea here is to make sure that Logstash is receiving and sending out those events as expected.

4). Now start setting up Logstash to send to Elasticsearch

Add following lines in the logstash.conf output part ->

elasticsearch {
               hosts => "localhost:9200"
               index => "filebeat"
               }

This will send events to elasticsearch on the localhost and create the index filebeat.

Make sure to start elasticsearch and Kibana at this point.

5). Login to Kibana and create Index Pattern filebeat (uncheck the timestamp). Click on Discover to see the received events. Check the attached screenshot for a sample output.