
Beats (Filebeat, Metricbeat) in Elasticsearch - Step-by-Step Execution

Concept Flow - Beats (Filebeat, Metricbeat)
Start Beats → Collect Data → Filebeat → Read Logs → Send Data to Elasticsearch → Data Indexed & Searchable
Beats start by collecting data: Filebeat reads log files, Metricbeat collects system metrics, then both send data to Elasticsearch for indexing.
Execution Sample
Elasticsearch
filebeat
metricbeat
Starts Filebeat to read logs and Metricbeat to collect metrics, sending data to Elasticsearch.
Execution Table
| Step | Beat | Action | Data Collected | Data Sent To |
|---|---|---|---|---|
| 1 | Filebeat | Starts reading log files | Log lines from /var/log/syslog | Elasticsearch |
| 2 | Metricbeat | Starts collecting system metrics | CPU, Memory, Disk usage | Elasticsearch |
| 3 | Filebeat | Sends collected logs | Batch of log lines | Elasticsearch |
| 4 | Metricbeat | Sends collected metrics | Batch of system metrics | Elasticsearch |
| 5 | Elasticsearch | Indexes received data | Logs and metrics indexed | Ready for search |
💡 Both Beats continue running, sending data continuously until stopped.
Variable Tracker
| Variable | Start | After Step 1 | After Step 2 | After Step 3 | After Step 4 | Final |
|---|---|---|---|---|---|---|
| Filebeat Logs | empty | logs read | logs read | logs sent | logs sent | continuous reading |
| Metricbeat Metrics | empty | empty | metrics collected | metrics collected | metrics sent | continuous collecting |
| Elasticsearch Index | empty | empty | empty | logs indexed | logs and metrics indexed | data searchable |
Key Moments - 3 Insights
Why does Filebeat keep running after sending logs?
Filebeat continuously monitors log files for new entries, so it keeps running to send new logs as they appear (see execution_table rows 1,3).
How does Metricbeat know what metrics to collect?
Metricbeat uses predefined modules to collect specific system metrics like CPU and memory (see execution_table row 2).
What happens if Elasticsearch is down when Beats send data?
Beats will retry sending data and buffer it locally until Elasticsearch is available again, ensuring no data loss.
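The flow and the buffering answer above, written out as Beats configuration. This is an added example, not part of the original page; the host name, CA path, API key variable, input ID, queue size and collection period are assumptions.

```yaml
# ---- filebeat.yml (constructed example; host, paths and IDs are placeholders) ----
filebeat.inputs:
  - type: filestream            # tails files and keeps running for new lines
    id: syslog                  # unique input ID (placeholder name)
    paths:
      - /var/log/syslog         # the log file from step 1 of the table

# Events wait in an internal queue before they are sent. The default queue is
# in memory; a disk queue keeps queued events across a Beat restart.
queue.disk:
  max_size: 1GB                 # assumed size; tune to the outage you expect

output.elasticsearch:
  hosts: ["https://es.example.internal:9200"]   # placeholder host, TLS on
  api_key: "${ES_API_KEY}"      # "id:api_key", read from the environment
  ssl.certificate_authorities: ["/etc/filebeat/ca.crt"]  # placeholder path
  ssl.verification_mode: full   # verify certificate chain and hostname
  # Weak settings to avoid: an http:// host, or ssl.verification_mode: none,
  # which leave the connection unencrypted or the server unauthenticated.

# ---- metricbeat.yml (separate file; output section as above) ----
metricbeat.modules:
  - module: system
    metricsets: ["cpu", "memory", "filesystem"]  # CPU, memory, disk usage
    period: 10s                 # assumed collection interval
```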
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table, what data does Filebeat send at step 3?
A. Empty data
B. CPU and Memory metrics
C. Batch of log lines
D. Configuration files
💡 Hint
Check the 'Data Sent To' and 'Data Collected' columns at step 3 in the execution_table.
At which step does Metricbeat start sending data to Elasticsearch?
A. Step 4
B. Step 2
C. Step 1
D. Step 5
💡 Hint
Look for Metricbeat's 'Sends collected metrics' action in the execution_table.
If Filebeat stopped reading logs, which variable in variable_tracker would stop changing?
A. Metricbeat Metrics
B. Filebeat Logs
C. Elasticsearch Index
D. None
💡 Hint
Check the 'Filebeat Logs' row in variable_tracker to see what changes when logs are read.
Concept Snapshot
Beats are lightweight data shippers.
Filebeat reads and ships log files.
Metricbeat collects and ships system metrics.
Both send data to Elasticsearch.
Elasticsearch indexes data for search.
Beats run continuously to send new data.
Full Transcript
Beats like Filebeat and Metricbeat are small programs that collect data and send it to Elasticsearch. Filebeat reads log files continuously, while Metricbeat collects system metrics like CPU and memory usage. Both send their data in batches to Elasticsearch, which indexes it so you can search and analyze it. Beats keep running to send new data as it appears. If Elasticsearch is down, Beats will retry sending data to avoid loss.