name: so-main

#================================ Logging ======================================
# Log output targets: file (the default), stderr, syslog, eventlog.

# Minimum severity to log; one of error, warning, info (default), debug.
logging.level: warning

# Per-component debug selectors: "beat", "publish", "service", or ["*"] for
# all of them. Several selectors can be listed together.
#logging.selectors: [ ]

# Route all log output to syslog (default: false).
#logging.to_syslog: false

# Route all log output to the Windows Event Log (default: false).
#logging.to_eventlog: false

# Periodically log the internal metrics that changed during the last period
# (as deltas from the start of the period), plus the totals of all non-zero
# metrics on shutdown (default: true).
#logging.metrics.enabled: true

# Interval between internal-metrics log lines (default: 30s).
#logging.metrics.period: 30s

# Rotating log files. Set logging.to_files to false to turn file logging off.
logging.to_files: true
logging.files:
  # Directory the log files are written to (default: the logs directory
  # under the home path, i.e. next to the binary).
  path: /usr/share/filebeat/logs

  # Base name of the log file.
  name: filebeat.log

  # Rotate once the file reaches this many bytes.
  rotateeverybytes: 10485760  # = 10MB

  # Number of rotated files to keep; the oldest is deleted first.
  keepfiles: 7

  # Permission mask for rotated log files, as a Unix octal mask (default 0600).
  #permissions: 0600

# Emit log lines as JSON instead of plain text.
#logging.json: false
55
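#========================== Modules configuration ============================
# No Filebeat modules are enabled: the inputs below tag their own events via
# `fields` and the Logstash pipelines do the parsing. Written as an explicit
# empty list rather than a bare `filebeat.modules:`, which YAML reads as null.
filebeat.modules: []

#=========================== Filebeat inputs =================================
# List of inputs to fetch data from. Every list item must start at the same
# column. NOTE(review): in the published source the ossec item appeared to be
# indented differently from its siblings, which a YAML parser rejects.
filebeat.inputs:
  # Syslog over UDP and TCP, bound to every interface (0.0.0.0). Syslog is
  # unauthenticated and UDP source addresses are spoofable, so treat what
  # arrives here as untrusted input and scope reachability of port 514 at
  # the network/firewall layer.
  - type: udp
    enabled: true
    host: "0.0.0.0:514"
    # With fields_under_root these become top-level event fields that the
    # Logstash pipelines route on (module / dataset / pipeline / index).
    fields:
      module: syslog
      dataset: syslog
      pipeline: "syslog"
      index: "so-syslog"
    processors:
      # Strip Filebeat bookkeeping fields before shipping.
      - drop_fields:
          fields: ["source", "prospector", "input", "offset", "beat"]
    fields_under_root: true

  - type: tcp
    enabled: true
    host: "0.0.0.0:514"
    fields:
      module: syslog
      dataset: syslog
      pipeline: "syslog"
      index: "so-syslog"
    processors:
      - drop_fields:
          fields: ["source", "prospector", "input", "offset", "beat"]
    fields_under_root: true

  # Wazuh/OSSEC alert archive (JSON lines).
  - type: log
    paths:
      - /wazuh/archives/archives.json
    fields:
      module: ossec
      category: host
    processors:
      - drop_fields:
          fields: ["source", "prospector", "input", "offset", "beat"]
    # NOTE(review): unlike the syslog inputs, which carry `pipeline` inside
    # `fields` (so it reaches Logstash as an event field), this is the
    # input-level `pipeline` option, i.e. an Elasticsearch ingest-pipeline
    # setting; confirm which form the ossec Logstash pipeline keys on.
    pipeline: "ossec"
    fields_under_root: true
    # Keep registry state and the open handle when the file is removed
    # (archive rotation), instead of dropping them.
    clean_removed: false
    close_removed: false

  # osquery / Fleet query results.
  - type: log
    paths:
      - /nsm/osquery/fleet/result.log
    fields:
      module: osquery
      dataset: query_result
      category: host
    processors:
      - drop_fields:
          fields: ["source", "prospector", "input", "offset", "beat"]
    fields_under_root: true
    clean_removed: false
    close_removed: false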
118
119
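#----------------------------- Logstash output ---------------------------------

output.logstash:
  # Boolean flag to enable or disable the output module.
  enabled: true

  # Logstash hosts (the beats input on the manager node).
  hosts: ["so-main:5644"]

  # Number of workers per Logstash host.
  #worker: 1

  # Set gzip compression level.
  #compression_level: 3

  # SSL is enabled implicitly because ssl.* settings are present below.
  #ssl.enabled: true

  # Verify the server certificate chain AND hostname. `none` accepts any
  # server certificate and leaves the connection open to man-in-the-middle
  # attacks; use it only for testing. Default is `full`.
  ssl.verification_mode: full

  # Offer only TLS 1.2. The Beats default (and the previous setting here)
  # also allowed TLS 1.0 and 1.1, which are deprecated and downgrade-prone;
  # Logstash on the manager accepts 1.2. NOTE(review): add TLSv1.3 once the
  # Beat and Logstash versions in use both support it.
  ssl.supported_protocols: [TLSv1.2]

  # Root CA used to verify the Logstash server certificate.
  ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"]

  # Client certificate and private key for mutual TLS to Logstash; the key
  # file must stay readable only by the filebeat user.
  ssl.certificate: "/usr/share/filebeat/filebeat.crt"
  ssl.key: "/usr/share/filebeat/filebeat.key"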
157
# Index-template loading is off: templates for the so-* indices are managed
# outside Filebeat.
setup.template.enabled: false
  # The commented settings below are the usual `setup.template.settings`
  # examples; they are inert while template loading is disabled.
  # Settings placed into the settings.index dictionary of the Elasticsearch
  # template. See
  # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html
  #index:
  #number_of_shards: 1
  #codec: best_compression
  #number_of_routing_shards: 30

  # Settings for the _source field. See
  # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html
  #_source:
  #enabled: false
171
#============================== Kibana =====================================

# Since Beats 6.0.0 dashboards are loaded through the Kibana API, which
# needs a Kibana endpoint configured here.

#setup.kibana:

  # Kibana host. Scheme and port may be omitted (defaults: http and 5601).
  # If an additional path is given, the scheme is required:
  # http://localhost:5601/path
  # IPv6 addresses are written as https://[2001:db8::1]:5601
  #host: "localhost:5601"

  # Optional protocol and basic-auth credentials. Prefer the beat keystore to
  # a plaintext password in this file.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

  # Optional HTTP path.
  #path: ""

  # Use SSL settings for HTTPS (default: true).
  #ssl.enabled: true

  # SSL verification mode. `none` accepts any server host and certificate
  # and leaves the connection open to man-in-the-middle attacks; use it only
  # for testing. Default is `full`.
  #ssl.verification_mode: full

  # Accepted TLS versions (default: 1.0 through 1.2). Prefer restricting
  # this to TLSv1.2 and newer.
  #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]

  # SSL is off by default.
  # Root certificates used to verify the HTTPS server.
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Client certificate for SSL client authentication.
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client certificate key.
  #ssl.key: "/etc/pki/client/cert.key"

  # Optional passphrase for decrypting the certificate key.
  #ssl.key_passphrase: ''

  # Cipher suites to use for SSL connections.
  #ssl.cipher_suites: []

  # Curve types for ECDHE-based cipher suites.
  #ssl.curve_types: []
223
224
225
226
227
#============================== Xpack Monitoring =====================================
# Filebeat can export its internal metrics to a central Elasticsearch
# monitoring cluster; this needs xpack monitoring enabled in Elasticsearch.
# Reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#xpack.monitoring.enabled: false

# Uncomment to send the metrics to Elasticsearch. Most Elasticsearch-output
# settings are accepted here too, and anything left unset is inherited from
# the Elasticsearch output, so with that output configured only the next line
# needs uncommenting.
#xpack.monitoring.elasticsearch:

  # Hosts to connect to. Scheme and port may be omitted (defaults: http and
  # 9200). If an additional path is given, the scheme is required:
  # http://localhost:9200/path
  # IPv6 addresses are written as https://[2001:db8::1]:9200
  #hosts: ["localhost:9200"]

  # Set gzip compression level.
  #compression_level: 0

  # Optional protocol and basic-auth credentials. Prefer the beat keystore to
  # a plaintext password in this file.
  #protocol: "https"
  #username: "beats_system"
  #password: "changeme"

  # HTTP parameters appended to the URL of index operations.
  #parameters:
  #param1: value1
  #param2: value2

  # Custom HTTP headers added to every request.
  #headers:
  # X-My-Header: Contents of the header

  # Proxy server URL.
  #proxy_url: http://proxy:3128

  # Attempts per Elasticsearch index operation; events are dropped once the
  # retries are exhausted. Default is 3.
  #max_retries: 3

  # Maximum events per bulk API request. Default is 50.
  #bulk_max_size: 50

  # HTTP request timeout before a request to Elasticsearch fails.
  #timeout: 90

  # Use SSL settings for HTTPS.
  #ssl.enabled: true

  # SSL verification mode. `none` accepts any server host and certificate
  # and leaves the connection open to man-in-the-middle attacks; use it only
  # for testing. Default is `full`.
  #ssl.verification_mode: full

  # Accepted TLS versions (default: 1.0 through 1.2). Prefer restricting
  # this to TLSv1.2 and newer.
  #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]

  # SSL is off by default.
  # Root certificates used to verify the HTTPS server.
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Client certificate for SSL client authentication.
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client certificate key.
  #ssl.key: "/etc/pki/client/cert.key"

  # Optional passphrase for decrypting the certificate key.
  #ssl.key_passphrase: ''

  # Cipher suites to use for SSL connections.
  #ssl.cipher_suites: []

  # Curve types for ECDHE-based cipher suites.
  #ssl.curve_types: []

  # Renegotiation policy: never, once, or freely. Default is never.
  #ssl.renegotiation: never
318
319#================================ HTTP Endpoint ======================================
320# Each beat can expose internal metrics through a HTTP endpoint. For security
321# reasons the endpoint is disabled by default. This feature is currently experimental.
# Stats can be accessed through http://localhost:5066/stats . For pretty JSON output
323# append ?pretty to the URL.
324
325# Defines if the HTTP endpoint is enabled.
326#http.enabled: false
327
328# The HTTP endpoint will bind to this hostname or IP address. It is recommended to use only localhost.
329#http.host: localhost
330
331# Port on which the HTTP endpoint will bind. Default is 5066.
332