Configure the Elasticsearch output
editConfigure the Elasticsearch output
editThe Elasticsearch output sends events directly to Elasticsearch using the Elasticsearch HTTP API.
Example configuration:
When sending data to a secured cluster through the elasticsearch
output, Auditbeat can use any of the following authentication methods:
- Basic authentication credentials (username and password).
- Token-based (API key) authentication.
- Public Key Infrastructure (PKI) certificates.
Basic authentication:
output.elasticsearch: hosts: ["https://myEShost:9200"] username: "auditbeat_writer" password: "YOUR_PASSWORD"
API key authentication:
output.elasticsearch: hosts: ["https://myEShost:9200"] api_key: "KnR6yE41RrSowb0kQ0HWoA"
PKI certificate authentication:
output.elasticsearch: hosts: ["https://myEShost:9200"] ssl.certificate: "/etc/pki/client/cert.pem" ssl.key: "/etc/pki/client/cert.key"
See Secure communication with Elasticsearch for details on each authentication method.
Compatibility
editThis output works with all compatible versions of Elasticsearch. See the Elastic Support Matrix.
Configuration options
editYou can specify the following options in the elasticsearch
section of the auditbeat.yml
config file:
enabled
editThe enabled config is a boolean setting to enable or disable the output. If set
to false
, the output is disabled.
The default value is true
.
hosts
editThe list of Elasticsearch nodes to connect to. The events are distributed to
these nodes in round robin order. If one node becomes unreachable, the event is
automatically sent to another node. Each Elasticsearch node can be defined as a URL
or IP:PORT
.
For example: http://192.15.3.2
, https://es.found.io:9230
or 192.24.3.2:9300
.
If no port is specified, 9200
is used.
output.elasticsearch: hosts: ["10.45.3.2:9220", "10.45.3.1:9230"] protocol: https path: /elasticsearch
In the previous example, the Elasticsearch nodes are available at https://10.45.3.2:9220/elasticsearch
and
https://10.45.3.1:9230/elasticsearch
.
compression_level
editThe gzip compression level. Setting this value to 0
disables compression.
The compression level must be in the range of 1
(best speed) to 9
(best compression).
Increasing the compression level will reduce the network usage but will increase the cpu usage.
The default value is 0
.
escape_html
editConfigure escaping of HTML in strings. Set to true
to enable escaping.
The default value is false
.
worker
editThe number of workers per configured host publishing events to Elasticsearch. This is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
The default value is 1
.
api_key
editInstead of using a username and password, you can use API keys to secure communication
with Elasticsearch. The value must be the ID of the API key and the API key joined by a colon: id:api_key
.
See Grant access using API keys for more information.
username
editThe basic authentication username for connecting to Elasticsearch.
This user needs the privileges required to publish events to Elasticsearch. To create a user like this, see Create a publishing user.
password
editThe basic authentication password for connecting to Elasticsearch.
parameters
editDictionary of HTTP parameters to pass within the url with index operations.
protocol
editThe name of the protocol Elasticsearch is reachable on. The options are:
http
or https
. The default is http
. However, if you specify a URL for
hosts
, the value of protocol
is overridden by whatever scheme you
specify in the URL.
path
editAn HTTP path prefix that is prepended to the HTTP API calls. This is useful for the cases where Elasticsearch listens behind an HTTP reverse proxy that exports the API under a custom prefix.
headers
editCustom HTTP headers to add to each request created by the Elasticsearch output. Example:
output.elasticsearch.headers: X-My-Header: Header contents
It is possible to specify multiple header values for the same header name by separating them with a comma.
proxy_url
editThe URL of the proxy to use when connecting to the Elasticsearch servers. The value may be either a complete URL or a "host[:port]", in which case the "http" scheme is assumed. If a value is not specified through the configuration file then proxy environment variables are used. See the Go documentation for more information about the environment variables.
index
editThe index name to write events to when you’re using daily indices. The default is
"auditbeat-%{[agent.version]}-%{+yyyy.MM.dd}"
, for example,
"auditbeat-7.13.4-2024-11-21"
. If you change this setting, you also
need to configure the setup.template.name
and setup.template.pattern
options
(see Elasticsearch index template).
If you are using the pre-built Kibana
dashboards, you also need to set the setup.dashboards.index
option (see
Kibana dashboards).
When index lifecycle management (ILM) is enabled, the default index
is
"auditbeat-%{[agent.version]}-%{+yyyy.MM.dd}-%{index_num}"
, for example,
"auditbeat-7.13.4-2024-11-21-000001"
. Custom index
settings are ignored
when ILM is enabled. If you’re sending events to a cluster that supports index
lifecycle management, see Index lifecycle management (ILM) to learn how to change the index name.
You can set the index dynamically by using a format string to access any event
field. For example, this configuration uses a custom field, fields.log_type
,
to set the index:
output.elasticsearch: hosts: ["http://localhost:9200"] index: "%{[fields.log_type]}-%{[agent.version]}-%{+yyyy.MM.dd}"
With this configuration, all events with log_type: normal
are sent to an
index named normal-7.13.4-2024-11-21
, and all events with
log_type: critical
are sent to an index named
critical-7.13.4-2024-11-21
.
To learn how to add custom fields to events, see the
fields
option.
See the indices
setting for other ways to set the index
dynamically.
indices
editAn array of index selector rules. Each rule specifies the index to use for
events that match the rule. During publishing, Auditbeat uses the first
matching rule in the array. Rules can contain conditionals, format string-based
fields, and name mappings. If the indices
setting is missing or no rule
matches, the index
setting is used.
Similar to index
, defining custom indices
will disable Index lifecycle management (ILM).
Rule settings:
-
index
-
The index format string to use. If this string contains field
references, such as
%{[fields.name]}
, the fields must exist, or the rule fails. -
mappings
-
A dictionary that takes the value returned by
index
and maps it to a new name. -
default
-
The default string value to use if
mappings
does not find a match. -
when
- A condition that must succeed in order to execute the current rule. All the conditions supported by processors are also supported here.
The following example sets the index based on whether the message
field
contains the specified string:
output.elasticsearch: hosts: ["http://localhost:9200"] indices: - index: "warning-%{[agent.version]}-%{+yyyy.MM.dd}" when.contains: message: "WARN" - index: "error-%{[agent.version]}-%{+yyyy.MM.dd}" when.contains: message: "ERR"
This configuration results in indices named warning-7.13.4-2024-11-21
and error-7.13.4-2024-11-21
(plus the default index if no matches are
found).
The following example sets the index by taking the name returned by the index
format string and mapping it to a new name that’s used for the index:
output.elasticsearch: hosts: ["http://localhost:9200"] indices: - index: "%{[fields.log_type]}" mappings: critical: "sev1" normal: "sev2" default: "sev3"
This configuration results in indices named sev1
, sev2
, and sev3
.
The mappings
setting simplifies the configuration, but is limited to string
values. You cannot specify format strings within the mapping pairs.
ilm
editConfiguration options for index lifecycle management.
See Index lifecycle management (ILM) for more information.
pipeline
editA format string value that specifies the ingest node pipeline to write events to.
output.elasticsearch: hosts: ["http://localhost:9200"] pipeline: my_pipeline_id
For more information, see Parse data by using ingest node.
You can set the ingest node pipeline dynamically by using a format string to
access any event field. For example, this configuration uses a custom field,
fields.log_type
, to set the pipeline for each event:
output.elasticsearch: hosts: ["http://localhost:9200"] pipeline: "%{[fields.log_type]}_pipeline"
With this configuration, all events with log_type: normal
are sent to a pipeline
named normal_pipeline
, and all events with log_type: critical
are sent to a
pipeline named critical_pipeline
.
To learn how to add custom fields to events, see the
fields
option.
See the pipelines
setting for other ways to set the
ingest node pipeline dynamically.
pipelines
editAn array of pipeline selector rules. Each rule specifies the ingest node
pipeline to use for events that match the rule. During publishing, Auditbeat
uses the first matching rule in the array. Rules can contain conditionals,
format string-based fields, and name mappings. If the pipelines
setting is
missing or no rule matches, the pipeline
setting is
used.
Rule settings:
-
pipeline
-
The pipeline format string to use. If this string contains field
references, such as
%{[fields.name]}
, the fields must exist, or the rule fails. -
mappings
-
A dictionary that takes the value returned by
pipeline
and maps it to a new name. -
default
-
The default string value to use if
mappings
does not find a match. -
when
- A condition that must succeed in order to execute the current rule. All the conditions supported by processors are also supported here.
The following example sends events to a specific pipeline based on whether the
message
field contains the specified string:
output.elasticsearch: hosts: ["http://localhost:9200"] pipelines: - pipeline: "warning_pipeline" when.contains: message: "WARN" - pipeline: "error_pipeline" when.contains: message: "ERR"
The following example sets the pipeline by taking the name returned by the
pipeline
format string and mapping it to a new name that’s used for the
pipeline:
output.elasticsearch: hosts: ["http://localhost:9200"] pipelines: - pipeline: "%{[fields.log_type]}" mappings: critical: "sev1_pipeline" normal: "sev2_pipeline" default: "sev3_pipeline"
With this configuration, all events with log_type: critical
are sent to
sev1_pipeline
, all events with log_type: normal
are sent to a
sev2_pipeline
, and all other events are sent to sev3_pipeline
.
For more information about ingest node pipelines, see Parse data by using ingest node.
max_retries
editThe number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.
Set max_retries
to a value less than 0 to retry until all events are published.
The default is 3.
bulk_max_size
editThe maximum number of events to bulk in a single Elasticsearch bulk API index request. The default is 50.
Events can be collected into batches. Auditbeat will split batches larger than bulk_max_size
into multiple batches.
Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
Setting bulk_max_size
to values less than or equal to 0 disables the
splitting of batches. When splitting is disabled, the queue decides on the
number of events to be contained in a batch.
backoff.init
editThe number of seconds to wait before trying to reconnect to Elasticsearch after
a network error. After waiting backoff.init
seconds, Auditbeat tries to
reconnect. If the attempt fails, the backoff timer is increased exponentially up
to backoff.max
. After a successful connection, the backoff timer is reset. The
default is 1s
.
backoff.max
editThe maximum number of seconds to wait before attempting to connect to
Elasticsearch after a network error. The default is 60s
.
timeout
editThe http request timeout in seconds for the Elasticsearch request. The default is 90.
ssl
editConfiguration options for SSL parameters like the certificate authority to use
for HTTPS-based connections. If the ssl
section is missing, the host CAs are used for HTTPS connections to
Elasticsearch.
See the secure communication with Elasticsearch guide or SSL configuration reference for more information.