Beaver ~ A Light Logstash Shipper

Beaver ~ A Light Logstash Shipper

The ELK stack has long been a useful tool for sysadmins but apache error logs have the awful habit of requiring either shipped to a local file or to syslog. They don’t support piping to a program like their access_log counterparts. I’d tried the syslog route but trying to discern who shipped the log and search for it was tricky at best. I’d been looking around for sometime for a decent one with many available out there settled on beaver for its simplicity and ease of installation.

System Config Ubuntu 14.04 Ubuntu system python

Install You can install it by hand following the steps below or you can install it using the saltstack formula over at

Logstash Config
# Config logstash
# in your logstash config file
# in the input section
 tcp {
 port => 57084
 type => "beaver"

# in the filter section
if [type] == "beaver" {
 source => message
# restart logstash
service logstash restart
Manual Install
pip install beaver==36.2.0
mkdir -p /etc/beaver/conf.d
echo "[beaver]
format: json
# required for logstash, set to 0 if logstash < 1.2
logstash_version: 1
queue_timeout: 60
# lots of transport options, pick your poison
transport: tcp
tcp_host: $LOGHOST
tcp_port: 57084" > /etc/beaver/beaver.conf
# a sample log monitoring config
echo "[/var/log/mail.log]
type: mail-log
tags: mail" > /etc/beaver/conf.d/mail.conf

# start beaver
beaver -c /etc/beaver/beaver.conf -C /etc/beaver/conf.d
# You will need to write an upstart or copy the init.d script from and configure it
Salt Install
Add as a gitfs endpoint see 
# For states that you're looking to add log monitoring to
  - beaver
# Add the log file beaver config
/etc/beaver/conf.d/vhost-{{ vhost['servername'] }}.conf:
    - managed
    - source: salt://apache-vhosts/beaver-error.conf
    - user: root
    - group: root
    - mode: 0644
    - template: jinja
    - backup: minion
    - require: 
      - file: /etc/beaver/conf.d
    - context:
      servername: {{ vhost['servername'] }}
      apacheenv: {{ pillar['apacheenv'] }}
# add the beaver file template
cat apache-vhosts/beaver-error.conf 
type: apache-error
tags: {{apacheenv}},{{servername}}
# add the pillar data
      transport: tcp
      tcp_port: 57084
      tcp_host: $LOGHOST
      logstash_version: 1
      output: json
# once that is in place you should be able to deploy the config and see beaver installed and configured for the logging expected.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.