
Untitled

a guest
Sep 28th, 2016
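  ################### Filebeat Configuration Example #########################

  ############################# Filebeat ######################################
  filebeat:
    # List of prospectors to fetch data.
    prospectors:
      # Each - is a prospector. Below are the prospector specific configurations
      -
        # Paths that should be crawled and fetched. Glob based paths.
        # To fetch all ".log" files from a specific level of subdirectories
        # /var/log/*/*.log can be used.
        # For each file found under this path, a harvester is started.
        # Make sure no file is defined twice as this can lead to unexpected behaviour.
        #
        # The value must be a YAML list under the key: writing the path directly
        # after the colon with no space (paths:/var/log/syslog) yields one plain
        # scalar, not a key with a value.
        paths:
          - /var/log/syslog
          #- /var/log/*.log
          #- c:\programdata\elasticsearch\logs\*

        # Configure the file encoding for reading files with international characters
        # following the W3C recommendation for HTML5 (http://www.w3.org/TR/encoding).
        # Some sample encodings:
        #   plain, utf-8, utf-16be-bom, utf-16be, utf-16le, big5, gb18030, gbk,
        #   hz-gb-2312, euc-kr, euc-jp, iso-2022-jp, shift-jis, ...
        #encoding: plain

        # Type of the files. Based on this the way the file is read is decided.
        # The different types cannot be mixed in one prospector
        #
        # Possible options are:
        # * log: Reads every line of the log file (default)
        # * stdin: Reads the standard in
        input_type: log

        # Exclude lines. A list of regular expressions to match. It drops the lines that are
        # matching any regular expression from the list. The include_lines is called before
        # exclude_lines. By default, no lines are dropped.
        # exclude_lines: ["^DBG"]

        # Include lines. A list of regular expressions to match. It exports the lines that are
        # matching any regular expression from the list. The include_lines is called before
        # exclude_lines. By default, all the lines are exported.
        # include_lines: ["^ERR", "^WARN"]

        # Exclude files. A list of regular expressions to match. Filebeat drops the files that
        # are matching any regular expression from the list. By default, no files are dropped.
        # exclude_files: [".gz$"]

        # Optional additional fields. These fields can be freely picked
        # to add additional information to the crawled log files for filtering
        #fields:
        #  level: debug
        #  review: 1

        # Set to true to store the additional fields as top level fields instead
        # of under the "fields" sub-dictionary. In case of name conflicts with the
        # fields added by Filebeat itself, the custom fields overwrite the default
        # fields.
        #fields_under_root: false

        # Ignore files which were modified more than the defined timespan in the past.
        # In case all files on your system must be read you can set this value very large.
        # Time strings like 2h (2 hours), 5m (5 minutes) can be used.
        #ignore_older: 0

        # Close older closes the file handler for files which were not modified
        # for longer than close_older
        # Time strings like 2h (2 hours), 5m (5 minutes) can be used.
        #close_older: 1h

        # Type to be published in the 'type' field. For Elasticsearch output,
        # the type defines the document type these entries should be stored
        # in. Default: log
        document_type: syslog

        # Scan frequency in seconds.
        # How often these files should be checked for changes. In case it is set
        # to 0s, it is done as often as possible. Default: 10s
        #scan_frequency: 10s

        # Defines the buffer size every harvester uses when fetching the file
        #harvester_buffer_size: 16384

        # Maximum number of bytes a single log event can have
        # All bytes after max_bytes are discarded and not sent. The default is 10MB.
        # This is especially useful for multiline log messages which can get large.
        #max_bytes: 10485760

        # Multiline can be used for log messages spanning multiple lines. This is common
        # for Java Stack Traces or C-Line Continuation
        #multiline:

          # The regexp Pattern that has to be matched. The example pattern matches
          # all lines starting with [
          #pattern: ^\[

          # Defines if the pattern set under pattern should be negated or not. Default is false.
          #negate: false

          # Match can be set to "after" or "before". It is used to define if lines should be
          # appended to a pattern that was (not) matched before or after or as long as a
          # pattern is not matched based on negate.
          # Note: After is the equivalent to previous and before is the equivalent to next
          # in Logstash
          #match: after

          # The maximum number of lines that are combined to one event.
          # In case there are more than max_lines the additional lines are discarded.
          # Default is 500
          #max_lines: 500

          # After the defined timeout, a multiline event is sent even if no new pattern
          # was found to start a new event
          # Default is 5s.
          #timeout: 5s

        # Setting tail_files to true means filebeat starts reading new files at the end
        # instead of the beginning. If this is used in combination with log rotation
        # this can mean that the first entries of a new file are skipped.
        #tail_files: false

        # Backoff values define how aggressively filebeat crawls new files for updates
        # The default values can be used in most cases. Backoff defines how long it is waited
        # to check a file again after EOF is reached. Default is 1s which means the file
        # is checked every second if new lines were added. This leads to a near real time
        # crawling. Every time a new line appears, backoff is reset to the initial value.
        #backoff: 1s

        # Max backoff defines what the maximum backoff time is. After having backed off
        # multiple times from checking the files, the waiting time will never exceed
        # max_backoff independent of the backoff factor. Having it set to 10s means in the
        # worst case a new line can be added to a log file after having backed off multiple
        # times, it takes a maximum of 10s to read the new line
        #max_backoff: 10s

        # The backoff factor defines how fast the algorithm backs off. The bigger the backoff
        # factor, the faster the max_backoff value is reached. If this value is set to 1, no
        # backoff will happen. The backoff value will be multiplied each time with the
        # backoff_factor until max_backoff is reached
        #backoff_factor: 2

        # This option closes a file, as soon as the file name changes.
        # This config option is recommended on windows only. Filebeat keeps the files it's
        # reading open. This can cause issues when the file is removed, as the file will not
        # be fully removed until also Filebeat closes the reading. Filebeat closes the file
        # handler after ignore_older. During this time no new file with the same name can be
        # created. Turning this feature on the other hand can lead to loss of data on rotate
        # files. It can happen that after file rotation the beginning of the new file is
        # skipped, as the reading starts at the end. We recommend to leave this option on
        # false but lower the ignore_older value to release files faster.
        #force_close_files: false

      # Additional prospector
      #-
        # Configuration to use stdin input
        #input_type: stdin

    # General filebeat configuration options
    #
    # Event count spool threshold - forces network flush if exceeded
    #spool_size: 2048

    # Enable async publisher pipeline in filebeat (Experimental!)
    #publish_async: false

    # Defines how often the spooler is flushed. After idle_timeout the spooler is
    # flushed even though spool_size is not reached.
    #idle_timeout: 5s

    # Name of the registry file. Per default it is put in the current working
    # directory. In case the working directory is changed when running
    # filebeat again, indexing starts from the beginning again.
    registry_file: /var/lib/filebeat/registry

    # Full Path to directory with additional prospector configuration files. Each file
    # must end with .yml
    # These config files must have the full filebeat config part inside, but only
    # the prospector part is processed. All global options like spool_size are ignored.
    # The config_dir MUST point to a different directory than where the main filebeat
    # config file is in.
    #config_dir: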
  171.  
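  ###############################################################################
  ############################# Libbeat Config ##################################
  # Base config file used by all other beats for using libbeat features

  ############################# Output ##########################################

  # Configure what outputs to use when sending the data collected by the beat.
  # Multiple outputs may be used.
  output:

    ### Elasticsearch as output
    elasticsearch:
      # Array of hosts to connect to.
      # Scheme and port can be left out and will be set to the default (http and 9200)
      # In case you specify an additional path, the scheme is required:
      # http://localhost:9200/path
      # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
      #
      # NOTE(review): no scheme is given and protocol stays commented out below, so
      # per the defaults described above this host is reached over plain http, and
      # no username/password is set. Shipped log events then cross the network
      # unencrypted and unauthenticated; confirm that is acceptable for this
      # segment, or enable https and credentials.
      hosts: ["172.16.254.217:9200"]

      # Optional protocol and basic auth credentials.
      # NOTE(review): the username/password shown are sample values. If basic auth
      # is enabled, keep this file readable only by the account Filebeat runs as
      # and pair it with https so the credentials are not sent in clear text.
      #protocol: "https"
      #username: "admin"
      #password: "s3cr3t"

      # Number of workers per Elasticsearch host.
      #worker: 1

      # Optional index name. The default is "filebeat" and generates
      # [filebeat-]YYYY.MM.DD keys.
      #index: "filebeat"

      # A template is used to set the mapping in Elasticsearch
      # By default template loading is disabled and no template is loaded.
      # These settings can be adjusted to load your own template or overwrite existing ones
      #template:

        # Template name. By default the template name is filebeat.
        #name: "filebeat"

        # Path to template file
        #path: "filebeat.template.json"

        # Overwrite existing template
        #overwrite: false

      # Optional HTTP Path
      #path: "/elasticsearch"

      # Proxy server url
      #proxy_url: http://proxy:3128

      # The number of times a particular Elasticsearch index operation is attempted. If
      # the indexing operation doesn't succeed after this many retries, the events are
      # dropped. The default is 3.
      #max_retries: 3

      # The maximum number of events to bulk in a single Elasticsearch bulk API index
      # request. The default is 50.
      #bulk_max_size: 50

      # Configure http request timeout before failing a request to Elasticsearch.
      #timeout: 90

      # The number of seconds to wait for new events between two bulk API index requests.
      # If `bulk_max_size` is reached before this interval expires, additional bulk index
      # requests are made.
      #flush_interval: 1

      # Boolean that sets if the topology is kept in Elasticsearch. The default is
      # false. This option makes sense only for Packetbeat.
      #save_topology: false

      # The time to live in seconds for the topology information that is stored in
      # Elasticsearch. The default is 15 seconds.
      #topology_expire: 15

      # tls configuration. By default is off.
      # The tls key has to be active for certificate_authorities to be nested under
      # it; with the parent commented out the entry has no section to belong to.
      # NOTE(review): presumably these settings only take effect once the connection
      # uses https (protocol above, or an https:// host) - confirm for the Filebeat
      # version in use.
      tls:
        # List of root certificates for HTTPS server verifications
        certificate_authorities: ["/etc/pki/tls/certs/filebeat.crt"]

        # Certificate for TLS client authentication
        #certificate: "/etc/pki/client/cert.pem"

        # Client Certificate Key
        #certificate_key: "/etc/pki/client/cert.key"

        # Controls whether the client verifies server certificates and host name.
        # If insecure is set to true, all server host names and certificates will be
        # accepted. In this mode TLS based connections are susceptible to
        # man-in-the-middle attacks. Use only for testing.
        #insecure: true

        # Configure cipher suites to be used for TLS connections
        #cipher_suites: []

        # Configure curve types for ECDHE based cipher suites
        #curve_types: []

        # Configure minimum TLS version allowed for the connection
        # NOTE(review): TLS 1.0 is a weak floor; prefer 1.2 as the minimum where both
        # ends support it.
        #min_version: 1.0

        # Configure maximum TLS version allowed for the connection
        #max_version: 1.2


    ### Logstash as output
    #logstash:
      # The Logstash hosts
      #hosts: ["localhost:5044"]

      # Number of workers per Logstash host.
      #worker: 1

      # The maximum number of events to bulk into a single batch window. The
      # default is 2048.
      #bulk_max_size: 2048

      # Set gzip compression level.
      #compression_level: 3

      # Optional load balance the events between the Logstash hosts
      #loadbalance: true

      # Optional index name. The default index name depends on each beat.
      # For Packetbeat, the default is set to packetbeat, for Topbeat
      # to topbeat and for Filebeat to filebeat.
      #index: filebeat

      # Optional TLS. By default is off.
      #tls:
        # List of root certificates for HTTPS server verifications
        #certificate_authorities: ["/etc/pki/root/ca.pem"]

        # Certificate for TLS client authentication
        #certificate: "/etc/pki/client/cert.pem"

        # Client Certificate Key
        #certificate_key: "/etc/pki/client/cert.key"

        # Controls whether the client verifies server certificates and host name.
        # If insecure is set to true, all server host names and certificates will be
        # accepted. In this mode TLS based connections are susceptible to
        # man-in-the-middle attacks. Use only for testing.
        #insecure: true

        # Configure cipher suites to be used for TLS connections
        #cipher_suites: []

        # Configure curve types for ECDHE based cipher suites
        #curve_types: []


    ### File as output
    #file:
      # Path to the directory where to save the generated files. The option is mandatory.
      # NOTE(review): /tmp is typically shared among local users; a directory
      # writable only by the Filebeat account is a safer place for copies of logs.
      #path: "/tmp/filebeat"

      # Name of the generated files. The default is `filebeat` and it generates
      # files: `filebeat`, `filebeat.1`, `filebeat.2`, etc.
      #filename: filebeat

      # Maximum size in kilobytes of each file. When this size is reached, the files are
      # rotated. The default value is 10 MB.
      #rotate_every_kb: 10000

      # Maximum number of files under path. When this number of files is reached, the
      # oldest file is deleted and the rest are shifted from last to first. The default
      # is 7 files.
      #number_of_files: 7


    ### Console output
    # console:
      # Pretty print json event
      #pretty: false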
  346.  
  347.  
  ############################# Shipper #########################################

  shipper:
    # Name of the shipper publishing the network data. The web interface can use
    # it to group every transaction sent by one shipper.
    # When this option is left undefined, the hostname is used.
    #name:

    # Shipper tags travel in their own field with each published transaction,
    # which makes it easy to group servers by different logical properties.
    #tags: ["service-X", "web-tier"]

    # Uncomment to ignore transactions created by the server on which the shipper
    # is installed. Useful for removing duplicates when shippers are installed on
    # multiple servers.
    #ignore_outgoing: true

    # Interval (in seconds) at which shippers publish their IPs to the topology
    # map. The default is 10 seconds.
    #refresh_topology_freq: 10

    # Expiration time (in seconds) of the IPs a shipper published to the topology
    # map; all the IPs are deleted afterwards. The value must be higher than
    # refresh_topology_freq. The default is 15 seconds.
    #topology_expire: 15

    # Internal queue size for single events in the processing pipeline
    #queue_size: 1000

    # Local GeoIP database support.
    # GeoIP is disabled when no paths are configured.
    #geoip:
      #paths:
      #  - "/usr/share/GeoIP/GeoLiteCity.dat"
      #  - "/usr/local/var/GeoIP/GeoLiteCity.dat"
  384.  
  385.  
  ############################# Logging #########################################

  # The log output has three options: syslog, file, stderr.
  # On Windows systems the logs go to the file output by default,
  # on all other systems to syslog by default.
  logging:

    # Send all logging output to syslog. Default is false on Windows and true
    # everywhere else.
    #to_syslog: true

    # Write all logging output to files. Beats rotate the files automatically once
    # the rotateeverybytes limit is reached.
    #to_files: false

    # Logging to files requires the to_files option to be set to true
    files:
      # Directory the log files are written to.
      #path: /var/log/mybeat

      # Name of the files the logs are written to.
      #name: mybeat

      # Log file size limit. A log file that reaches the limit is rotated
      # automatically.
      rotateeverybytes: 10485760  # = 10MB

      # How many rotated log files to keep. The oldest files are deleted first.
      #keepfiles: 7

    # Enable debug output for selected components. Use ["*"] to enable all selectors.
    # Other available selectors are beat, publish, service
    # Multiple selectors can be chained.
    #selectors: [ ]

    # Log level. The default log level is error.
    # Available log levels are: critical, error, warning, info, debug
    #level: error