For other versions, see theVersioned plugin docs.
For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github.For the list of Elastic supported plugins, please consult the Elastic Support Matrix.
This input plugin enables Logstash to receive events from theElastic Beats framework.
The following example shows how to configure Logstash to listen on port5044 for incoming Beats connections and to index into Elasticsearch.
input { beats { port => 5044 }}output { elasticsearch { hosts => "localhost:9200" manage_template => false index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}" document_type => "%{[@metadata][type]}" }}
Specifies the index to write events to. See Versioned Beats Indices formore about this setting. |
|
Starting with Logstash 6.0, the |
If you are shipping events that span multiple lines, you need touse the configuration options available in Filebeat to handle multiline eventsbefore sending the event data to Logstash. You cannot use theMultiline codec plugin to handle multiline events. Doing so willresult in the failure to start Logstash.
To minimize the impact of future schema changes on your existing indices andmappings in Elasticsearch, configure the Elasticsearch output to write toversioned indices. The pattern that you specify for the index
settingcontrols the index name:
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
%{[@metadata][beat]}
beat
metadata field, for example,
filebeat
.
%{[@metadata][version]}
7.0.1
.
%{+YYYY.MM.dd}
@timestamp
field.
This configuration results in daily index names likefilebeat-7.0.1-2019-05-02
.
This plugin supports the following configuration options plus the Common Options described later.
Setting | Input type | Required |
---|---|---|
No |
||
No |
||
No |
||
No |
||
No |
||
Yes |
||
No |
||
a valid filesystem path |
No |
|
No |
||
No |
||
a valid filesystem path |
No |
|
No |
||
string, one of |
No |
|
No |
||
No |
||
No |
Also see Common Options for a list of options supported by allinput plugins.
The default value has been changed to false
. In 7.0.0 this setting will be removed
false
Flag to determine whether to add host
field to event using the value supplied by the beat in the hostname
field.
java.lang.String[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]@459cfcca
The list of ciphers suite to use, listed by priorities.
60
Close Idle clients after X seconds of inactivity.
true
The port to listen on.
false
Events are by default sent in plain text. You canenable encryption by setting ssl
to true and configuringthe ssl_certificate
and ssl_key
options.
SSL certificate to use.
[]
Validate client certificates against these authorities.You can define multiple files or paths. All the certificates willbe read and added to the trust store. You need to configure the ssl_verify_mode
to peer
or force_peer
to enable the verification.
10000
Time in milliseconds for an incomplete ssl handshake to timeout
SSL key to use.NOTE: This key need to be in the PKCS8 format, you can convert it with OpenSSLfor more information.
SSL key passphrase to use.
none
, peer
, force_peer
"none"
By default the server doesn’t do any client verification.
peer
will make the server ask the client to provide a certificate.If the client provides a certificate, it will be validated.
force_peer
will make the server ask the client to provide a certificate.If the client doesn’t provide a certificate, the connection will be closed.
This option needs to be used with ssl_certificate_authorities
and a defined list of CAs.
false
Enables storing client certificate information in event’s metadata.
This option is only valid when ssl_verify_mode
is set to peer
or force_peer
.
1.2
The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
1
The minimum TLS version allowed for the encrypted connections. The value must be one of the following:1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
The following configuration options are supported by all input plugins:
"plain"
The codec used for input data. Input codecs are a convenient method for decoding your data before it enters the input, without needing a separate filter in your Logstash pipeline.
true
Disable or enable metric logging for this specific plugin instanceby default we record all the metrics we can, but you can disable metrics collectionfor a specific plugin.
Add a unique ID
to the plugin configuration. If no ID is specified, Logstash will generate one.It is strongly recommended to set this ID in your configuration. This is particularly usefulwhen you have two or more plugins of the same type, for example, if you have 2 beats inputs.Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.
input { beats { id => "my_plugin_id" }}
Add any number of arbitrary tags to your event.
This can help with processing later.
Add a type
field to all events handled by this input.
Types are used mainly for filter activation.
The type is stored as part of the event itself, so you canalso use the type to search for it in Kibana.
If you try to set a type on an event that already has one (forexample when you send an event from a shipper to an indexer) thena new input will not override the existing type. A type set atthe shipper stays with that event for its life evenwhen sent to another Logstash server.
The Beats shipper automatically sets the type
field on the event.You cannot override this setting in the Logstash config. If you specifya setting for the type
config option inLogstash, it is ignored.