# Filebeat config for shipping mail-stack logs to ELK. # # Stack we ship: # - Flask gunicorn access/error → /var/log/mail-flask.log # - Dramatiq worker → /var/log/mail-dramatiq.log # - Backup cron → /var/log/mail-backup.log # - DMS (Postfix/Dovecot) → docker logs / docker-mailserver-1 host log # # Output: Logstash on ${ELK_HOST}:5044 (Beats input, lumberjack). # Override via env vars in /etc/default/filebeat or via templating. filebeat.inputs: - type: filestream id: mail-flask paths: - /var/log/mail-flask.log parsers: - ndjson: target: "" overwrite_keys: true ignore_decoding_error: true fields: service: mail-flask environment: ${ENV:dev} fields_under_root: true - type: filestream id: mail-dramatiq paths: - /var/log/mail-dramatiq.log fields: service: mail-dramatiq environment: ${ENV:dev} fields_under_root: true - type: filestream id: mail-backup paths: - /var/log/mail-backup.log fields: service: mail-backup environment: ${ENV:dev} fields_under_root: true # Postfix + Dovecot through host file written by DMS volume mount. - type: filestream id: dms-mail paths: - /home/deeily/mail/docker/dms-data/logs/mail.log - /home/deeily/mail/docker/dms-data/logs/mail.err fields: service: dms environment: ${ENV:dev} fields_under_root: true processors: - add_host_metadata: ~ - add_fields: target: "" fields: host_role: mail-server - drop_fields: fields: ["agent.ephemeral_id", "ecs.version", "input.type", "log.flags"] ignore_missing: true # ── Output ───────────────────────────────────────────────────────────────── output.logstash: hosts: ["${ELK_HOST:logstash.internal}:${ELK_PORT:5044}"] # ssl.enabled: true # uncomment if Logstash uses TLS # ssl.certificate_authorities: ["/etc/filebeat/ca.crt"] # Альтернатива: прямо в Elasticsearch # output.elasticsearch: # hosts: ["https://${ELK_HOST:elastic.internal}:9200"] # username: "${ELASTIC_USER}" # password: "${ELASTIC_PASSWORD}" # ssl.verification_mode: full logging.level: info logging.to_files: true logging.files: path: /var/log/filebeat name: filebeat keepfiles: 5 permissions: 0640