  1. ################### Filebeat Configuration Example #########################
  2.  
  3. ############################# Filebeat ######################################
  4. filebeat:
  5. # List of prospectors to fetch data.
  6. prospectors:
  7. # Each - is a prospector. Below are the prospector specific configurations
  8. -
  9. # Paths that should be crawled and fetched. Glob based paths.
  10. # To fetch all ".log" files from a specific level of subdirectories
  11. # /var/log/*/*.log can be used.
  12. # For each file found under this path, a harvester is started.
  13. # Make sure not file is defined twice as this can lead to unexpected behaviour.
  14. paths:
  15. - C:\inetpub\logs\LogFiles\W3SVC18\*
  16. #- c:\programdata\elasticsearch\logs\*
  17.  
  18. # Configure the file encoding for reading files with international characters
  19. # following the W3C recommendation for HTML5 (http://www.w3.org/TR/encoding).
  20. # Some sample encodings:
  21. # plain, utf-8, utf-16be-bom, utf-16be, utf-16le, big5, gb18030, gbk,
  22. # hz-gb-2312, euc-kr, euc-jp, iso-2022-jp, shift-jis, ...
  23. #encoding: plain
  24.  
  25. # Type of the files. Based on this the way the file is read is decided.
  26. # The different types cannot be mixed in one prospector
  27. #
  28. # Possible options are:
  29. # * log: Reads every line of the log file (default)
  30. # * stdin: Reads the standard in
  31. input_type: log
  32.  
  33. # Exclude lines. A list of regular expressions to match. It drops the lines that are
  34. # matching any regular expression from the list. The include_lines is called before
  35. # exclude_lines. By default, no lines are dropped.
  36. exclude_lines: ["^#"]
  37.  
  38. # Include lines. A list of regular expressions to match. It exports the lines that are
  39. # matching any regular expression from the list. The include_lines is called before
  40. # exclude_lines. By default, all the lines are exported.
  41. # include_lines: ["^ERR", "^WARN"]
  42.  
  43. # Exclude files. A list of regular expressions to match. Filebeat drops the files that
  44. # are matching any regular expression from the list. By default, no files are dropped.
  45. # exclude_files: [".gz$"]
  46.  
  47. # Optional additional fields. These field can be freely picked
  48. # to add additional information to the crawled log files for filtering
  49. #fields:
  50. # level: debug
  51. # review: 1
  52.  
  53. # Set to true to store the additional fields as top level fields instead
  54. # of under the "fields" sub-dictionary. In case of name conflicts with the
  55. # fields added by Filebeat itself, the custom fields overwrite the default
  56. # fields.
  57. #fields_under_root: false
  58.  
  59. # Ignore files which were modified more then the defined timespan in the past.
  60. # In case all files on your system must be read you can set this value very large.
  61. # Time strings like 2h (2 hours), 5m (5 minutes) can be used.
  62. ignore_older: 480h
  63.  
  64. # Close older closes the file handler for which were not modified
  65. # for longer then close_older
  66. # Time strings like 2h (2 hours), 5m (5 minutes) can be used.
  67. #close_older: 1h
  68.  
  69. # Type to be published in the 'type' field. For Elasticsearch output,
  70. # the type defines the document type these entries should be stored
  71. # in. Default: log
  72. document_type: winlog
  73.  
  74. # Scan frequency in seconds.
  75. # How often these files should be checked for changes. In case it is set
  76. # to 0s, it is done as often as possible. Default: 10s
  77. #scan_frequency: 10s
  78.  
  79. # Defines the buffer size every harvester uses when fetching the file
  80. #harvester_buffer_size: 16384
  81.  
  82. # Maximum number of bytes a single log event can have
  83. # All bytes after max_bytes are discarded and not sent. The default is 10MB.
  84. # This is especially useful for multiline log messages which can get large.
  85. #max_bytes: 10485760
  86.  
  87. # Mutiline can be used for log messages spanning multiple lines. This is common
  88. # for Java Stack Traces or C-Line Continuation
  89. #multiline:
  90.  
  91. # The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
  92. #pattern: ^\[
  93.  
  94. # Defines if the pattern set under pattern should be negated or not. Default is false.
  95. #negate: false
  96.  
  97. # Match can be set to "after" or "before". It is used to define if lines should be append to a pattern
  98. # that was (not) matched before or after or as long as a pattern is not matched based on negate.
  99. # Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
  100. #match: after
  101.  
  102. # The maximum number of lines that are combined to one event.
  103. # In case there are more the max_lines the additional lines are discarded.
  104. # Default is 500
  105. #max_lines: 500
  106.  
  107. # After the defined timeout, an multiline event is sent even if no new pattern was found to start a new event
  108. # Default is 5s.
  109. #timeout: 5s
  110.  
  111. # Setting tail_files to true means filebeat starts readding new files at the end
  112. # instead of the beginning. If this is used in combination with log rotation
  113. # this can mean that the first entries of a new file are skipped.
  114. tail_files: false
  115.  
  116. # Backoff values define how agressively filebeat crawls new files for updates
  117. # The default values can be used in most cases. Backoff defines how long it is waited
  118. # to check a file again after EOF is reached. Default is 1s which means the file
  119. # is checked every second if new lines were added. This leads to a near real time crawling.
  120. # Every time a new line appears, backoff is reset to the initial value.
  121. #backoff: 1s
  122.  
  123. # Max backoff defines what the maximum backoff time is. After having backed off multiple times
  124. # from checking the files, the waiting time will never exceed max_backoff idenependent of the
  125. # backoff factor. Having it set to 10s means in the worst case a new line can be added to a log
  126. # file after having backed off multiple times, it takes a maximum of 10s to read the new line
  127. #max_backoff: 10s
  128.  
  129. # The backoff factor defines how fast the algorithm backs off. The bigger the backoff factor,
  130. # the faster the max_backoff value is reached. If this value is set to 1, no backoff will happen.
  131. # The backoff value will be multiplied each time with the backoff_factor until max_backoff is reached
  132. #backoff_factor: 2
  133.  
  134. # This option closes a file, as soon as the file name changes.
  135. # This config option is recommended on windows only. Filebeat keeps the files it's reading open. This can cause
  136. # issues when the file is removed, as the file will not be fully removed until also Filebeat closes
  137. # the reading. Filebeat closes the file handler after ignore_older. During this time no new file with the
  138. # same name can be created. Turning this feature on the other hand can lead to loss of data
  139. # on rotate files. It can happen that after file rotation the beginning of the new
  140. # file is skipped, as the reading starts at the end. We recommend to leave this option on false
  141. # but lower the ignore_older value to release files faster.
  142. #force_close_files: false
  143.  
  144. # Additional prospector
  145. #-
  146. # Configuration to use stdin input
  147. #input_type: stdin
  148.  
  149. # General filebeat configuration options
  150. #
  151. # Event count spool threshold - forces network flush if exceeded
  152. #spool_size: 2048
  153.  
  154. # Enable async publisher pipeline in filebeat (Experimental!)
  155. #publish_async: false
  156.  
  157. # Defines how often the spooler is flushed. After idle_timeout the spooler is
  158. # Flush even though spool_size is not reached.
  159. #idle_timeout: 5s
  160.  
  161. # Name of the registry file. Per default it is put in the current working
  162. # directory. In case the working directory is changed after when running
  163. # filebeat again, indexing starts from the beginning again.
  164. registry_file: "C:/ProgramData/filebeat/registry"
  165.  
  166. # Full Path to directory with additional prospector configuration files. Each file must end with .yml
  167. # These config files must have the full filebeat config part inside, but only
  168. # the prospector part is processed. All global options like spool_size are ignored.
  169. # The config_dir MUST point to a different directory then where the main filebeat config file is in.
  170. #config_dir:
  171.  
  172. ###############################################################################
  173. ############################# Libbeat Config ##################################
  174. # Base config file used by all other beats for using libbeat features
  175.  
  176. ############################# Output ##########################################
  177.  
  178. # Configure what outputs to use when sending the data collected by the beat.
  179. # Multiple outputs may be used.
  180. output:
  181.  
  182. ### Elasticsearch as output
  183. #elasticsearch:
  184. # Array of hosts to connect to.
  185. # Scheme and port can be left out and will be set to the default (http and 9200)
  186. # In case you specify and additional path, the scheme is required: http://localhost:9200/path
  187. # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
  188. #hosts: ["localhost:9200"]
  189.  
  190. # Optional protocol and basic auth credentials.
  191. #protocol: "https"
  192. #username: "admin"
  193. #password: "s3cr3t"
  194.  
  195. # Number of workers per Elasticsearch host.
  196. #worker: 1
  197.  
  198. # Optional index name. The default is "filebeat" and generates
  199. # [filebeat-]YYYY.MM.DD keys.
  200. #index: "filebeat"
  201.  
  202. # A template is used to set the mapping in Elasticsearch
  203. # By default template loading is disabled and no template is loaded.
  204. # These settings can be adjusted to load your own template or overwrite existing ones
  205. #template:
  206.  
  207. # Template name. By default the template name is filebeat.
  208. #name: "filebeat"
  209.  
  210. # Path to template file
  211. #path: "filebeat.template.json"
  212.  
  213. # Overwrite existing template
  214. #overwrite: false
  215.  
  216. # Optional HTTP Path
  217. #path: "/elasticsearch"
  218.  
  219. # Proxy server url
  220. #proxy_url: http://proxy:3128
  221.  
  222. # The number of times a particular Elasticsearch index operation is attempted. If
  223. # the indexing operation doesn't succeed after this many retries, the events are
  224. # dropped. The default is 3.
  225. #max_retries: 3
  226.  
  227. # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
  228. # The default is 50.
  229. #bulk_max_size: 50
  230.  
  231. # Configure http request timeout before failing an request to Elasticsearch.
  232. #timeout: 90
  233.  
  234. # The number of seconds to wait for new events between two bulk API index requests.
  235. # If `bulk_max_size` is reached before this interval expires, addition bulk index
  236. # requests are made.
  237. #flush_interval: 1
  238.  
  239. # Boolean that sets if the topology is kept in Elasticsearch. The default is
  240. # false. This option makes sense only for Packetbeat.
  241. #save_topology: false
  242.  
  243. # The time to live in seconds for the topology information that is stored in
  244. # Elasticsearch. The default is 15 seconds.
  245. #topology_expire: 15
  246.  
  247. # tls configuration. By default is off.
  248. #tls:
  249. # List of root certificates for HTTPS server verifications
  250. #certificate_authorities: ["/etc/pki/root/ca.pem"]
  251.  
  252. # Certificate for TLS client authentication
  253. #certificate: "/etc/pki/client/cert.pem"
  254.  
  255. # Client Certificate Key
  256. #certificate_key: "/etc/pki/client/cert.key"
  257.  
  258. # Controls whether the client verifies server certificates and host name.
  259. # If insecure is set to true, all server host names and certificates will be
  260. # accepted. In this mode TLS based connections are susceptible to
  261. # man-in-the-middle attacks. Use only for testing.
  262. #insecure: true
  263.  
  264. # Configure cipher suites to be used for TLS connections
  265. #cipher_suites: []
  266.  
  267. # Configure curve types for ECDHE based cipher suites
  268. #curve_types: []
  269.  
  270. # Configure minimum TLS version allowed for connection to logstash
  271. #min_version: 1.0
  272.  
  273. # Configure maximum TLS version allowed for connection to logstash
  274. #max_version: 1.2
  275.  
  276.  
  277. ### Logstash as output
  278. logstash:
  279. # The Logstash hosts
  280. hosts: ["10.6.38.220:5001"]
  281.  
  282. # Number of workers per Logstash host.
  283. worker: 2
  284.  
  285. # Set gzip compression level.
  286. #compression_level: 3
  287.  
  288. # Optional load balance the events between the Logstash hosts
  289. #loadbalance: true
  290.  
  291. # Optional index name. The default index name depends on the each beat.
  292. # For Packetbeat, the default is set to packetbeat, for Topbeat
  293. # top topbeat and for Filebeat to filebeat.
  294. #index: filebeat
  295.  
  296. # Optional TLS. By default is off.
  297. #tls:
  298. # List of root certificates for HTTPS server verifications
  299. #certificate_authorities: ["/etc/pki/root/ca.pem"]
  300.  
  301. # Certificate for TLS client authentication
  302. #certificate: "/etc/pki/client/cert.pem"
  303.  
  304. # Client Certificate Key
  305. #certificate_key: "/etc/pki/client/cert.key"
  306.  
  307. # Controls whether the client verifies server certificates and host name.
  308. # If insecure is set to true, all server host names and certificates will be
  309. # accepted. In this mode TLS based connections are susceptible to
  310. # man-in-the-middle attacks. Use only for testing.
  311. #insecure: true
  312.  
  313. # Configure cipher suites to be used for TLS connections
  314. #cipher_suites: []
  315.  
  316. # Configure curve types for ECDHE based cipher suites
  317. #curve_types: []
  318.  
  319.  
  320. ### File as output
  321. #file:
  322. # Path to the directory where to save the generated files. The option is mandatory.
  323. #path: "/tmp/filebeat"
  324.  
  325. # Name of the generated files. The default is `filebeat` and it generates files: `filebeat`, `filebeat.1`, `filebeat.2`, etc.
  326. #filename: filebeat
  327.  
  328. # Maximum size in kilobytes of each file. When this size is reached, the files are
  329. # rotated. The default value is 10 MB.
  330. #rotate_every_kb: 10000
  331.  
  332. # Maximum number of files under path. When this number of files is reached, the
  333. # oldest file is deleted and the rest are shifted from last to first. The default
  334. # is 7 files.
  335. #number_of_files: 7
  336.  
  337.  
  338. ### Console output
  339. # console:
  340. # Pretty print json event
  341. #pretty: false
  342.  
  343.  
  344. ############################# Shipper #########################################
  345.  
  346. shipper:
  347. # The name of the shipper that publishes the network data. It can be used to group
  348. # all the transactions sent by a single shipper in the web interface.
  349. # If this options is not defined, the hostname is used.
  350. #name:
  351.  
  352. # The tags of the shipper are included in their own field with each
  353. # transaction published. Tags make it easy to group servers by different
  354. # logical properties.
  355. #tags: ["service-X", "web-tier"]
  356.  
  357. # Uncomment the following if you want to ignore transactions created
  358. # by the server on which the shipper is installed. This option is useful
  359. # to remove duplicates if shippers are installed on multiple servers.
  360. #ignore_outgoing: true
  361.  
  362. # How often (in seconds) shippers are publishing their IPs to the topology map.
  363. # The default is 10 seconds.
  364. #refresh_topology_freq: 10
  365.  
  366. # Expiration time (in seconds) of the IPs published by a shipper to the topology map.
  367. # All the IPs will be deleted afterwards. Note, that the value must be higher than
  368. # refresh_topology_freq. The default is 15 seconds.
  369. #topology_expire: 15
  370.  
  371. # Internal queue size for single events in processing pipeline
  372. #queue_size: 1000
  373.  
  374. # Configure local GeoIP database support.
  375. # If no paths are not configured geoip is disabled.
  376. #geoip:
  377. #paths:
  378. # - "/usr/share/GeoIP/GeoLiteCity.dat"
  379. # - "/usr/local/var/GeoIP/GeoLiteCity.dat"
  380.  
  381.  
  382. ############################# Logging #########################################
  383.  
  384. # There are three options for the log ouput: syslog, file, stderr.
  385. # Under Windos systems, the log files are per default sent to the file output,
  386. # under all other system per default to syslog.
  387. logging:
  388.  
  389. # Send all logging output to syslog. On Windows default is false, otherwise
  390. # default is true.
  391. #to_syslog: true
  392.  
  393. # Write all logging output to files. Beats automatically rotate files if rotateeverybytes
  394. # limit is reached.
  395. to_files: true
  396.  
  397. # To enable logging to files, to_files option has to be set to true
  398. files:
  399. # The directory where the log files will written to.
  400. path: C:\Users\Administrator\Desktop\filebeatlogs
  401.  
  402. # The name of the files where the logs are written to.
  403. #name: mybeat
  404.  
  405. # Configure log file size limit. If limit is reached, log file will be
  406. # automatically rotated
  407. rotateeverybytes: 10485760 # = 10MB
  408.  
  409. # Number of rotated log files to keep. Oldest files will be deleted first.
  410. keepfiles: 7
  411.  
  412. # Enable debug output for selected components. To enable all selectors use ["*"]
  413. # Other available selectors are beat, publish, service
  414. # Multiple selectors can be chained.
  415. #selectors: [ ]
  416.  
  417. # Sets log level. The default log level is error.
  418. # Available log levels are: critical, error, warning, info, debug
  419. #level: error