54 lines
2.5 KiB
Text
54 lines
2.5 KiB
Text
//////////////////////////////////////////////////////////////////////////
|
|
//// This content is shared by all Elastic Beats. Make sure you keep the
|
|
//// descriptions here generic enough to work for all Beats that include
|
|
//// this file. When using cross references, make sure that the cross
|
|
//// references resolve correctly for any files that include this one.
|
|
//// Use the appropriate variables defined in the index.asciidoc file to
|
|
//// resolve Beat names: beatname_uc and beatname_lc.
|
|
//// Use the following include to pull this content into a doc file:
|
|
//// include::../../libbeat/docs/shared-logstash-config.asciidoc[]
|
|
//////////////////////////////////////////////////////////////////////////
|
|
|
|
[IMPORTANT]
|
|
.Prerequisite
|
|
To send events to {ls}, you also need to create a {ls} configuration pipeline
|
|
that listens for incoming Beats connections and indexes the received events into
|
|
{es}. For more information, see the section about
|
|
{stack-gs}/get-started-elastic-stack.html#logstash-setup[configuring {ls}] in
|
|
the {stack} getting started tutorial. Also see the documentation for the
|
|
{logstash-ref}/plugins-inputs-beats.html[{beats} input] and
|
|
{logstash-ref}/plugins-outputs-elasticsearch.html[{es} output] plugins.
|
|
|
|
If you want to use {ls} to perform additional processing on the data collected by
|
|
{beatname_uc}, you need to configure {beatname_uc} to use {ls}.
|
|
|
|
To do this, you edit the {beatname_uc} configuration file to disable the Elasticsearch
|
|
output by commenting it out and enable the {ls} output by uncommenting the
|
|
logstash section:
|
|
|
|
[source,yaml]
|
|
------------------------------------------------------------------------------
|
|
#----------------------------- Logstash output --------------------------------
|
|
output.logstash:
|
|
hosts: ["127.0.0.1:5044"]
|
|
------------------------------------------------------------------------------
|
|
|
|
The `hosts` option specifies the {ls} server and the port (`5044`) where {ls} is configured to listen for incoming
|
|
Beats connections.
|
|
|
|
For this configuration, you must <<load-template-manually,load the index template into Elasticsearch manually>>
|
|
because the options for auto loading the template are only available for the Elasticsearch output.
|
|
|
|
ifdef::allplatforms[]
|
|
|
|
include::../../libbeat/docs/step-test-config.asciidoc[]
|
|
|
|
endif::allplatforms[]
|
|
|
|
ifdef::win[]
|
|
|
|
TIP: To test your configuration file, change to the directory where the {beatname_uc}
|
|
binary is installed, and run {beatname_uc} in the foreground with the following
|
|
options specified: +.\winlogbeat.exe test config -c .\winlogbeat.yml -e+.
|
|
|
|
endif::win[]
|