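#=========================== Filebeat inputs =============================

# List of inputs to fetch data.
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

# Type of the files. Based on this the way the file is read is decided.
# The different types cannot be mixed in one input
#
# Possible options are:
# * log: Reads every line of the log file (default)
# * stdin: Reads the standard in

#------------------------------ Log input --------------------------------
- type: log

  # Change to true to enable this input configuration.
  enabled: false

  # Paths that should be crawled and fetched. Glob based paths.
  # To fetch all ".log" files from a specific level of subdirectories
  # /var/log/*/*.log can be used.
  # For each file found under this path, a harvester is started.
  # Make sure no file is defined twice as this can lead to unexpected behaviour.
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*

  # Configure the file encoding for reading files with international characters
  # following the W3C recommendation for HTML5 (http://www.w3.org/TR/encoding).
  # Some sample encodings:
  #   plain, utf-8, utf-16be-bom, utf-16be, utf-16le, big5, gb18030, gbk,
  #    hz-gb-2312, euc-kr, euc-jp, iso-2022-jp, shift-jis, ...
  #encoding: plain

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list. The include_lines is called before
  # exclude_lines. By default, no lines are dropped.
  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list. The include_lines is called before
  # exclude_lines. By default, all the lines are exported.
  #include_lines: ['^ERR', '^WARN']

  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
  # are matching any regular expression from the list. By default, no files are dropped.
  # Note: the '.' in the sample is unescaped and matches any character; write '\.gz$'
  # to match only the .gz extension.
  #exclude_files: ['.gz$']

  # Optional additional fields. These fields can be freely picked
  # to add additional information to the crawled log files for filtering
  #fields:
  #  level: debug
  #  review: 1

  # Set to true to store the additional fields as top level fields instead
  # of under the "fields" sub-dictionary. In case of name conflicts with the
  # fields added by Filebeat itself, the custom fields overwrite the default
  # fields.
  #fields_under_root: false

  # Ignore files which were modified more than the defined timespan in the past.
  # ignore_older is disabled by default, so no files are ignored by setting it to 0.
  # Time strings like 2h (2 hours), 5m (5 minutes) can be used.
  #ignore_older: 0

  # How often the input checks for new files in the paths that are specified
  # for harvesting. Specify 1s to scan the directory as frequently as possible
  # without causing Filebeat to scan too frequently. Default: 10s.
  #scan_frequency: 10s

  # Defines the buffer size every harvester uses when fetching the file
  #harvester_buffer_size: 16384

  # Maximum number of bytes a single log event can have
  # All bytes after max_bytes are discarded and not sent. The default is 10MB.
  # This is especially useful for multiline log messages which can get large.
  #max_bytes: 10485760

  ### Recursive glob configuration

  # Expand "**" patterns into regular glob patterns.
  #recursive_glob.enabled: true

  ### JSON configuration

  # Decode JSON options. Enable this if your logs are structured in JSON.
  # JSON key on which to apply the line filtering and multiline settings. This key
  # must be top level and its value must be string, otherwise it is ignored. If
  # no text key is defined, the line filtering and multiline features cannot be used.
  #json.message_key:

  # By default, the decoded JSON is placed under a "json" key in the output document.
  # If you enable this setting, the keys are copied top level in the output document.
  #json.keys_under_root: false

  # If keys_under_root and this setting are enabled, then the values from the decoded
  # JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.)
  # in case of conflicts.
  # Security note: with both settings enabled, content written into a log file can
  # replace Filebeat's own metadata fields. Leave overwrite_keys off for logs that
  # carry untrusted input.
  #json.overwrite_keys: false

  # If this setting is enabled, Filebeat adds a "error.message" and "error.key: json" key in case of JSON
  # unmarshaling errors or when a text key is defined in the configuration but cannot
  # be used.
  #json.add_error_key: false

  ### Multiline options

  # Multiline can be used for log messages spanning multiple lines. This is common
  # for Java Stack Traces or C-Line Continuation

  # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
  #multiline.pattern: ^\[

  # Defines if the pattern set under pattern should be negated or not. Default is false.
  #multiline.negate: false

  # Match can be set to "after" or "before". It is used to define if lines should be appended to a pattern
  # that was (not) matched before or after or as long as a pattern is not matched based on negate.
  # Note: After is the equivalent to previous and before is the equivalent to next in Logstash
  #multiline.match: after

  # The maximum number of lines that are combined to one event.
  # In case there are more than max_lines the additional lines are discarded.
  # Default is 500
  #multiline.max_lines: 500

  # After the defined timeout, a multiline event is sent even if no new pattern was found to start a new event
  # Default is 5s.
  #multiline.timeout: 5s

  # Setting tail_files to true means filebeat starts reading new files at the end
  # instead of the beginning. If this is used in combination with log rotation
  # this can mean that the first entries of a new file are skipped.
  #tail_files: false

  # The Ingest Node pipeline ID associated with this input. If this is set, it
  # overwrites the pipeline option from the Elasticsearch output.
  #pipeline:

  # If symlinks is enabled, symlinks are opened and harvested. The harvester is opening the
  # original for harvesting but will report the symlink name as source.
  # Security note: with symlinks enabled, anyone who can create links inside a harvested
  # directory can make Filebeat ship any file the Filebeat account can read. Enable it
  # only where those directories are not writable by untrusted users.
  #symlinks: false

  # Backoff values define how aggressively filebeat crawls new files for updates
  # The default values can be used in most cases. Backoff defines how long it is waited
  # to check a file again after EOF is reached. Default is 1s which means the file
  # is checked every second if new lines were added. This leads to a near real time crawling.
  # Every time a new line appears, backoff is reset to the initial value.
  #backoff: 1s

  # Max backoff defines what the maximum backoff time is. After having backed off multiple times
  # from checking the files, the waiting time will never exceed max_backoff independent of the
  # backoff factor. Having it set to 10s means in the worst case a new line can be added to a log
  # file after having backed off multiple times, it takes a maximum of 10s to read the new line
  #max_backoff: 10s

  # The backoff factor defines how fast the algorithm backs off. The bigger the backoff factor,
  # the faster the max_backoff value is reached. If this value is set to 1, no backoff will happen.
  # The backoff value will be multiplied each time with the backoff_factor until max_backoff is reached
  #backoff_factor: 2

  # Max number of harvesters that are started in parallel.
  # Default is 0 which means unlimited
  #harvester_limit: 0

  ### Harvester closing options

  # Close inactive closes the file handler after the predefined period.
  # The period starts when the last line of the file was read, not the file ModTime.
  # Time strings like 2h (2 hours), 5m (5 minutes) can be used.
  #close_inactive: 5m

  # Close renamed closes a file handler when the file is renamed or rotated.
  # Note: Potential data loss. Make sure to read and understand the docs for this option.
  #close_renamed: false

  # When enabling this option, a file handler is closed immediately in case a file can't be found
  # any more. In case the file shows up again later, harvesting will continue at the last known position
  # after scan_frequency.
  #close_removed: true

  # Closes the file handler as soon as the harvester reaches the end of the file.
  # By default this option is disabled.
  # Note: Potential data loss. Make sure to read and understand the docs for this option.
  #close_eof: false

  ### State options

  # For files whose modification date is older than clean_inactive, the state is removed
  # from the registry. By default this is disabled.
  #clean_inactive: 0

  # Removes the state for files which cannot be found on disk anymore immediately
  #clean_removed: true

  # Close timeout closes the harvester after the predefined time.
  # This is independent of whether the harvester finished reading the file or not.
  # By default this option is disabled.
  # Note: Potential data loss. Make sure to read and understand the docs for this option.
  #close_timeout: 0

  # Defines if the input is enabled
  #enabled: true

#----------------------------- Stdin input -------------------------------
# Configuration to use stdin input
#- type: stdin

#------------------------- Redis slowlog input ---------------------------
# Experimental: Config options for the redis slow log input
#- type: redis
  #enabled: false

  # List of hosts to poll to retrieve the slow log information.
  #hosts: ["localhost:6379"]

  # How often the input checks for redis slow log.
  #scan_frequency: 10s

  # Timeout after which time the input should return an error
  #timeout: 1s

  # Network type to be used for redis connection. Default: tcp
  #network: tcp

  # Max number of concurrent connections. Default: 10
  #maxconn: 10

  # Redis AUTH password. Empty by default.
  # Security note: "foobared" is only a placeholder. Do not store a real password in
  # clear text here; reference it with ${VAR} from the environment or the Filebeat
  # keystore, and keep this file readable only by the account that runs Filebeat.
  #password: foobared

#------------------------------ Udp input --------------------------------
# Experimental: Config options for the udp input
# Security note: no ssl.* options are listed for this input, and UDP carries no
# sender authentication. Keep the listener on loopback or a trusted network segment.
#- type: udp
  #enabled: false

  # Maximum size of the message received over UDP
  #max_message_size: 10KiB

#------------------------------ TCP input --------------------------------
# Experimental: Config options for the TCP input
#- type: tcp
  #enabled: false

  # The host and port to receive the new event
  # Security note: the sample binds to localhost. Binding to a non-loopback address
  # exposes the listener to the network; enable the ssl.* options below in that case.
  #host: "localhost:9000"

  # Character used to split new message
  #line_delimiter: "\n"

  # Maximum size in bytes of the message received over TCP
  #max_message_size: 20MiB

  # The number of seconds of inactivity before a remote connection is closed.
  #timeout: 300s

  # Use SSL settings for TCP.
  #ssl.enabled: true

  # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
  # 1.2 are enabled.
  # Security note: TLS 1.0 and 1.1 are deprecated (RFC 8996). List only TLSv1.2
  # unless a legacy sender requires the older versions.
  #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]

  # SSL configuration. By default is off.
  # List of root certificates for client verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL server authentication.
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Server Certificate Key,
  # Security note: the key file should be readable only by the account that runs Filebeat.
  #ssl.key: "/etc/pki/client/cert.key"

  # Optional passphrase for decrypting the Certificate Key.
  #ssl.key_passphrase: ''

  # Configure cipher suites to be used for SSL connections.
  #ssl.cipher_suites: []

  # Configure curve types for ECDHE based cipher suites.
  #ssl.curve_types: []

  # Configure what types of client authentication are supported. Valid options
  # are `none`, `optional`, and `required`. Default is required.
  # Security note: `none` and `optional` let clients without a certificate from
  # certificate_authorities submit events; keep `required` on exposed listeners.
  #ssl.client_authentication: "required"

#------------------------------ Syslog input --------------------------------
# Experimental: Config options for the Syslog input
# Accept RFC3164 formatted syslog event via UDP.
# Security note: the UDP variant lists no ssl.* options and cannot authenticate
# senders. Keep it on loopback or a trusted network segment.
#- type: syslog
  #enabled: false
  #protocol.udp:
    # The host and port to receive the new event
    #host: "localhost:9000"

    # Maximum size of the message received over UDP
    #max_message_size: 10KiB

# Accept RFC3164 formatted syslog event via TCP.
#- type: syslog
  #enabled: false

  #protocol.tcp:
    # The host and port to receive the new event
    # Security note: the sample binds to localhost. Binding to a non-loopback address
    # exposes the listener to the network; enable the ssl.* options below in that case.
    #host: "localhost:9000"

    # Character used to split new message
    #line_delimiter: "\n"

    # Maximum size in bytes of the message received over TCP
    #max_message_size: 20MiB

    # The number of seconds of inactivity before a remote connection is closed.
    #timeout: 300s

    # Use SSL settings for TCP.
    #ssl.enabled: true

    # List of supported/valid TLS versions. By default all TLS versions 1.0 up to
    # 1.2 are enabled.
    # Security note: TLS 1.0 and 1.1 are deprecated (RFC 8996). List only TLSv1.2
    # unless a legacy sender requires the older versions.
    #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]

    # SSL configuration. By default is off.
    # List of root certificates for client verifications
    #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

    # Certificate for SSL server authentication.
    #ssl.certificate: "/etc/pki/client/cert.pem"

    # Server Certificate Key,
    # Security note: the key file should be readable only by the account that runs Filebeat.
    #ssl.key: "/etc/pki/client/cert.key"

    # Optional passphrase for decrypting the Certificate Key.
    #ssl.key_passphrase: ''

    # Configure cipher suites to be used for SSL connections.
    #ssl.cipher_suites: []

    # Configure curve types for ECDHE based cipher suites.
    #ssl.curve_types: []

    # Configure what types of client authentication are supported. Valid options
    # are `none`, `optional`, and `required`. Default is required.
    # Security note: `none` and `optional` let clients without a certificate from
    # certificate_authorities submit events; keep `required` on exposed listeners.
    #ssl.client_authentication: "required"

#------------------------------ Docker input --------------------------------
# Experimental: Docker input reads and parses `json-file` logs from Docker
#- type: docker
  #enabled: false

  # Combine partial lines flagged by `json-file` format
  #combine_partials: true

  # Use this to read from all containers, replace * with a container id to read from one:
  #containers:
  #  stream: all # can be all, stdout or stderr
  #  ids:
  #    - '*'

#========================== Filebeat autodiscover ==============================

# Autodiscover allows you to detect changes in the system and spawn new modules
# or inputs as they happen.

#filebeat.autodiscover:
  # List of enabled autodiscover providers
#  providers:
#    - type: docker
#      templates:
#        - condition:
#            equals.docker.container.image: busybox
#          config:
#            - type: log
#              paths:
#                - /var/lib/docker/containers/${data.docker.container.id}/*.log

#========================= Filebeat global options ============================

# Name of the registry file. If a relative path is used, it is considered relative to the
# data path.
#filebeat.registry_file: ${path.data}/registry

# The permissions mask to apply on registry file. The default value is 0600.
# Must be a valid Unix-style file permissions mask expressed in octal notation.
# This option is not supported on Windows.
# Security note: 0600 limits access to the file owner. A wider mask lets other local
# accounts read the registry.
#filebeat.registry_file_permissions: 0600

# The timeout value that controls when registry entries are written to disk
# (flushed). When an unwritten update exceeds this value, it triggers a write to
# disk. When registry_flush is set to 0s, the registry is written to disk after
# each batch of events has been published successfully. The default value is 0s.
#filebeat.registry_flush: 0s

# By default Ingest pipelines are not updated if a pipeline with the same ID
# already exists. If this option is enabled Filebeat overwrites pipelines
# every time a new Elasticsearch connection is established.
#filebeat.overwrite_pipelines: false

# How long filebeat waits on shutdown for the publisher to finish.
# Default is 0, not waiting.
#filebeat.shutdown_timeout: 0

# Enable filebeat config reloading
# Security note: every file matched by `path` is loaded as configuration, and with
# reload enabled changes are picked up while Filebeat runs. Keep these directories
# writable only by the account that administers Filebeat.
#filebeat.config:
  #inputs:
    #enabled: false
    #path: inputs.d/*.yml
    #reload.enabled: true
    #reload.period: 10s
  #modules:
    #enabled: false
    #path: modules.d/*.yml
    #reload.enabled: true
    #reload.period: 10s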