beats

edit

This input plugin enables Logstash to receive events from the Elastic Beats framework.

The following example shows how to configure Logstash to listen on port 5044 for incoming Beats connections and to index into Elasticsearch:

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

The Beats shipper automatically sets the type field on the event. You cannot override this setting in the Logstash config. If you specify a setting for the type config option in Logstash, it is ignored.

 

Synopsis

edit

This plugin supports the following configuration options:

Required configuration options:

beats {
    port => ...
}

Available configuration options:

Setting Input type Required Default value

add_field

hash

No

{}

cipher_suites

array

No

client_inactivity_timeout

number

No

15

codec

codec

No

"plain"

congestion_threshold

number

No

5

host

string

No

"0.0.0.0"

include_codec_tag

boolean

No

true

port

number

Yes

ssl

boolean

No

false

ssl_certificate

a valid filesystem path

No

ssl_certificate_authorities

array

No

[]

ssl_handshake_timeout

number

No

10000

ssl_key

a valid filesystem path

No

ssl_key_passphrase

password

No

ssl_verify_mode

string, one of ["none", "peer", "force_peer"]

No

"none"

tags

array

No

tls_max_version

number

No

1.2

tls_min_version

number

No

1

type

string

No

Details

edit

 

add_field

edit
  • Value type is hash
  • Default value is {}

Add a field to an event

cipher_suites

edit
  • Value type is array
  • Default value is java.lang.String[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]@210af31f

The list of ciphers suite to use, listed by priorities.

client_inactivity_timeout

edit
  • Value type is number
  • Default value is 15

Close Idle clients after X seconds of inactivity.

codec

edit
  • Value type is codec
  • Default value is "plain"

The codec used for input data. Input codecs are a convenient method for decoding your data before it enters the input, without needing a separate filter in your Logstash pipeline.

congestion_threshold

edit
  • Value type is number
  • Default value is 5

The number of seconds before we raise a timeout. This option is useful to control how much time to wait if something is blocking the pipeline.

host

edit
  • Value type is string
  • Default value is "0.0.0.0"

The IP address to listen on.

include_codec_tag

edit
  • Value type is boolean
  • Default value is true

port

edit
  • This is a required setting.
  • Value type is number
  • There is no default value for this setting.

The port to listen on.

ssl

edit
  • Value type is boolean
  • Default value is false

Events are by default sent in plain text. You can enable encryption by setting ssl to true and configuring the ssl_certificate and ssl_key options.

ssl_certificate

edit
  • Value type is path
  • There is no default value for this setting.

SSL certificate to use.

ssl_certificate_authorities

edit
  • Value type is array
  • Default value is []

Validate client certificates against these authorities. You can define multiple files or paths. All the certificates will be read and added to the trust store. You need to configure the ssl_verify_mode to peer or force_peer to enable the verification.

This feature only supports certificates that are directly signed by your root CA. Intermediate CAs are currently not supported.

ssl_handshake_timeout

edit
  • Value type is number
  • Default value is 10000

Time in milliseconds for an incomplete ssl handshake to timeout

ssl_key

edit
  • Value type is path
  • There is no default value for this setting.

SSL key to use.

ssl_key_passphrase

edit
  • Value type is password
  • There is no default value for this setting.

SSL key passphrase to use.

ssl_verify_mode

edit
  • Value can be any of: none, peer, force_peer
  • Default value is "none"

By default the server doesn’t do any client verification.

peer will make the server ask the client to provide a certificate. If the client provides a certificate, it will be validated.

force_peer will make the server ask the client to provide a certificate. If the client doesn’t provide a certificate, the connection will be closed.

This option needs to be used with ssl_certificate_authorities and a defined list of CAs.

tags

edit
  • Value type is array
  • There is no default value for this setting.

Add any number of arbitrary tags to your event.

This can help with processing later.

target_field_for_codec (DEPRECATED)

edit
  • DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
  • Value type is string
  • Default value is "message"

This is the default field to which the specified codec will be applied.

tls_max_version

edit
  • Value type is number
  • Default value is 1.2

The maximum TLS version allowed for the encrypted connections. The value must be the one of the following: 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2

tls_min_version

edit
  • Value type is number
  • Default value is 1

The minimum TLS version allowed for the encrypted connections. The value must be one of the following: 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2

type

edit
  • Value type is string
  • There is no default value for this setting.

Add a type field to all events handled by this input.

Types are used mainly for filter activation.

The type is stored as part of the event itself, so you can also use the type to search for it in Kibana.

If you try to set a type on an event that already has one (for example when you send an event from a shipper to an indexer) then a new input will not override the existing type. A type set at the shipper stays with that event for its life even when sent to another Logstash server.