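###################### Filebeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html

# For more available modules and options, please see the filebeat.reference.yml sample
# configuration file.

#=========================== Filebeat inputs =============================

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

filebeat.inputs:
  - type: log
    # Inputs are enabled by default; set to false to switch this one off.
    enabled: true

    # Paths that should be crawled and fetched. Glob based paths.
    paths:
      - /var/log/Testpcap/packets.json

    # NOTE(review): document_type has not been a log-input option since Filebeat
    # 6.0 (a 7.4.2 install is referenced below), so this key is expected to be
    # ignored - check the Filebeat startup log. If a type marker is still needed
    # downstream, put it under `fields:` instead.
    document_type: "pcap_file"

    # Every line is decoded as a JSON object and its keys are placed at the event
    # root. json.overwrite_keys is left at its default (false), so Filebeat's own
    # fields win on a name clash. A line that is not valid JSON is kept and gets
    # an error.message field instead of being dropped.
    json.keys_under_root: true
    json.add_error_key: true

# A second input, kept fully commented out. Keep the `enabled:` and `paths:`
# lines commented together with `- type: log`: left active at the first input's
# indent they would re-declare `paths` on the input above (a duplicate key).
#- type: log

  # Change to true to enable this input configuration.
  #enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  #paths:
  #  - /var/log/Testpcap/packet.json
  #  - c:\programdata\elasticsearch\logs\*

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  #include_lines: ['^ERR', '^WARN']

  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
  # are matching any regular expression from the list. By default, no files are dropped.
  #exclude_files: ['.gz$']

  # Optional additional fields. These fields can be freely picked
  # to add additional information to the crawled log files for filtering
  #fields:
  #  level: debug
  #  review: 1

  ### Multiline options

  # Multiline can be used for log messages spanning multiple lines. This is common
  # for Java Stack Traces or C-Line Continuation

  # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
  #multiline.pattern: ^\[

  # Defines if the pattern set under pattern should be negated or not. Default is false.
  #multiline.negate: false

  # Match can be set to "after" or "before". It is used to define if lines should be appended to a pattern
  # that was (not) matched before or after, or as long as a pattern is not matched based on negate.
  # Note: After is the equivalent to previous and before is the equivalent to next in Logstash
  #multiline.match: after


#============================= Filebeat modules ===============================

#filebeat.config.modules:
  # Glob pattern for configuration loading
  #path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  #reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

#==================== Elasticsearch template setting ==========================

#setup.template.settings:
  #index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false
#setup.template:
  #name: filebeat
  #path: filebeat.template.json
  #fields: /filebeat-7.4.2-linux-x86_64/fields.yml
  #pattern: 'packets-*'
  #enabled: true
  #overwrite: true

# The custom index name set under output.elasticsearch needs a template whose
# name and pattern cover it; otherwise events land in an index with no mapping.
setup.template.name: 'filebeat2'
setup.template.pattern: 'filebeat2-*'
setup.template.enabled: true

# With index lifecycle management enabled (the 7.x default whenever Elasticsearch
# supports it), output.elasticsearch.index, setup.template.name and
# setup.template.pattern are all ignored and ILM-managed filebeat-* indices are
# written instead. ILM is disabled here so the filebeat2-* settings take effect;
# drop this line if ILM-managed indices are preferred over the custom name.
setup.ilm.enabled: false


#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging


#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
  # Plain http to a local Kibana with no credentials; this is only appropriate
  # while the stack runs locally without security enabled. With security on,
  # uncomment username/password and use an https:// host.
  host: "localhost:5601"
  #username: "admin"
  #password: "admin123"

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  #host: "localhost:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

#============================= Elastic Cloud ==================================

# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
# The value below is a placeholder; real credentials belong in the Filebeat
# keystore (referenced as "${VAR}"), not in a config file under version control.
#cloud.auth: "elastic:admin123"

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  #hosts: ["localhost:9200"]
  #username: "admin"
  #password: "admin123"
  # Optional protocol and basic auth credentials.
  #protocol: "https"
output.elasticsearch:
  # Plain http, no credentials, no CA: only appropriate for a local Elasticsearch
  # without security enabled. With security on, set protocol: "https",
  # username/password (from the keystore) and ssl.certificate_authorities.
  hosts: ["localhost:9200"]
  # Daily index. Only honoured together with the setup.template.* settings and
  # setup.ilm.enabled: false above.
  index: "filebeat2-%{+yyyy.MM.dd}"


#----------------------------- Logstash output --------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

#processors:
#  - add_host_metadata: ~
#  - add_cloud_metadata: ~

# Drops every event whose root field index._type equals "pcap_file". With
# json.keys_under_root above, such a field comes from the JSON line itself;
# presumably these are the bulk-action header lines that sit between packet
# documents in the input file (confirm against packets.json). Anything else
# carrying that exact field/value is dropped too.
processors:
  - drop_event:
      when:
        equals:
          index._type: "pcap_file"


#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 100
  # Octal file mode as Filebeat expects it (unquoted). 0644 makes Filebeat's own
  # log world-readable; at debug level that log can contain event contents, so
  # 0600 (the documented default) is the safer choice unless another local
  # reader needs access.
  permissions: 0644

#============================== X-Pack Monitoring ===============================
# filebeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: false

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:

#================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true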