Guided configuration

Before you begin, you’ll need: Filebeat 7, root access

Configure Vault for raw log output

Start or restart Vault, enabling raw log output to the default location.

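Raw log output (log_raw=true) disables Vault's hashing of sensitive values in audit entries so Filebeat can read the log files. The audit file then holds those values unhashed, so restrict read access to it.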

vault audit enable file file_path=/var/log/vault_audit.log log_raw=true

For more information on logging and enabling audit devices, see File Audit Device from HashiCorp.

Download the Logz.io certificate

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

sudo wget https://raw.githubusercontent.com/logzio/public-certificates/master/COMODORSADomainValidationSecureServerCA.crt -P /etc/pki/tls/certs/

Create your configuration file for Vault

The Filebeat configuration file is at /etc/filebeat/filebeat.yml by default.

To avoid conflicts with fields from other log sources, you’ll need to run a dedicated Filebeat instance for Vault logs. This allows Filebeat to rename some fields to keep Vault logs compatible with Logz.io.

Replace <<SHIPPING-TOKEN>> with the token of the account you want to ship to.
Replace <<LISTENER-HOST>> with your region’s listener host (for example, listener.logz.io). For more information on finding your account’s region, see Account region.

# ...
filebeat.inputs:
- type: log

  paths:
  - /var/log/vault_audit.log

  # Custom fields added to every event from this input
  fields:
    # Your Logz.io account token. You can find your token at
    #  https://app.logz.io/#/dashboard/settings/manage-accounts
    token: <<SHIPPING-TOKEN>>
    logzio_type: vault
  fields_under_root: true
  json.keys_under_root: true
  encoding: utf-8
  ignore_older: 3h

filebeat.registry.path: /var/lib/filebeat
processors:
- rename:
    fields:
    - from: "agent"
      to: "filebeat_agent"
    ignore_missing: true
- rename:
    fields:
    - from: "log.file.path"
      to: "source"
    ignore_missing: true
# Move Vault's own "type" field out of the way first...
- rename:
    fields:
    - from: "type"
      to: "hashi_type"
    ignore_missing: true
# ...then set the Logz.io log type
- rename:
    fields:
    - from: "logzio_type"
      to: "type"
    ignore_missing: true

# ...
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
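
The field renaming this configuration performs, modelled in Python as an added example (not Logz.io or Filebeat code). The sample audit entry and the event shape are constructed assumptions; it shows why Vault's own type field has to move to hashi_type before logzio_type can become type.

```python
import json

# Constructed sample: one raw Vault audit entry (values are illustrative).
SAMPLE_LINE = ('{"time": "2024-01-01T00:00:00Z", "type": "request", '
               '"request": {"operation": "read", "path": "secret/data/app"}}')

# The rename processors from the configuration, in the same order.
RENAMES = [("agent", "filebeat_agent"), ("log.file.path", "source"),
           ("type", "hashi_type"), ("logzio_type", "type")]


def _pop(event, dotted):
    """Remove and return a possibly nested field; raise KeyError if absent."""
    *parents, leaf = dotted.split(".")
    node = event
    for key in parents:
        node = node[key]
    return node.pop(leaf)


def apply_renames(event, renames=RENAMES):
    """Simplified model of rename with ignore_missing: true.

    As with Filebeat's rename processor, an existing target is not overwritten;
    here that case raises instead.
    """
    for src, dst in renames:
        try:
            value = _pop(event, src)
        except (KeyError, TypeError):
            continue  # ignore_missing: true
        if dst in event:
            raise ValueError(f"cannot rename {src!r}: target {dst!r} already exists")
        event[dst] = value
    return event


def build_event(line):
    """Assumed event shape: decoded JSON keys, custom fields and metadata at the root."""
    event = json.loads(line)
    event.update({"logzio_type": "vault", "token": "<<SHIPPING-TOKEN>>",
                  "agent": {"type": "filebeat"},
                  "log": {"file": {"path": "/var/log/vault_audit.log"}}})
    return event


if __name__ == "__main__":
    print(json.dumps(apply_renames(build_event(SAMPLE_LINE)), indent=2))
```

Swapping the last two renames makes the model raise, because Vault's type field still occupies the target.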

Start Filebeat

Start or restart Filebeat for the changes to take effect.

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Kibana.

If you still don’t see your logs, see log shipping troubleshooting.