Configure the Elasticsearch output

edit

When you specify Elasticsearch for the output, Auditbeat sends the transactions directly to Elasticsearch by using the Elasticsearch HTTP API.

Example configuration:

output.elasticsearch:
  hosts: ["https://localhost:9200"]
  index: "auditbeat-%{[agent.version]}-%{+yyyy.MM.dd}"
  ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  ssl.certificate: "/etc/pki/client/cert.pem"
  ssl.key: "/etc/pki/client/cert.key"

Notes about the previous example and client based PKI authentication:

  • The ssl.certificate and ssl.key settings are ONLY needed if Elasticsearch is configured to require client based PKI authentication (with xpack.security.http.ssl.client_authentication: required or xpack.security.http.ssl.client_authentication: optional).
  • The ssl.certificate_authorities setting needs to include the CA used to sign the remote server certificate, not the client cert.
  • If client PKI is used, the remote server (Elasticsearch) should include the CA used for signing the client cert in the xpack.security.http.ssl.certificate_authorities: [] list.

To enable SSL, just add https to all URLs defined under hosts.

output.elasticsearch:
  hosts: ["https://localhost:9200"]
  username: "auditbeat_internal"
  password: "YOUR_PASSWORD"

If the Elasticsearch nodes are defined by IP:PORT, then add protocol: https to the yaml file.

output.elasticsearch:
  hosts: ["localhost"]
  protocol: "https"
  username: "auditbeat_internal"
  password: "YOUR_PASSWORD"

For more information about securing Auditbeat, see Securing Auditbeat.

If you are indexing large amounts of time-series data, you might also want to configure Auditbeat to use index lifecycle management. For more information about configuring and using index lifecycle management with Auditbeat, see Configure index lifecycle management.

Compatibility

edit

This output works with all compatible versions of Elasticsearch. See the Elastic Support Matrix.

Configuration options

edit

You can specify the following options in the elasticsearch section of the auditbeat.yml config file:

enabled

edit

The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.

The default value is true.

hosts

edit

The list of Elasticsearch nodes to connect to. The events are distributed to these nodes in round robin order. If one node becomes unreachable, the event is automatically sent to another node. Each Elasticsearch node can be defined as a URL or IP:PORT. For example: http://192.15.3.2, https://es.found.io:9230 or 192.24.3.2:9300. If no port is specified, 9200 is used.

When a node is defined as an IP:PORT, the scheme and path are taken from the protocol and path config options.

output.elasticsearch:
  hosts: ["10.45.3.2:9220", "10.45.3.1:9230"]
  protocol: https
  path: /elasticsearch

In the previous example, the Elasticsearch nodes are available at https://10.45.3.2:9220/elasticsearch and https://10.45.3.1:9230/elasticsearch.

compression_level

edit

The gzip compression level. Setting this value to 0 disables compression. The compression level must be in the range of 1 (best speed) to 9 (best compression).

Increasing the compression level will reduce the network usage but will increase the cpu usage.

The default value is 0.

escape_html

edit

Configure escaping of HTML in strings. Set to true to enable escaping.

The default value is false.

worker

edit

The number of workers per configured host publishing events to Elasticsearch. This is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).

The default value is 1.

username

edit

The basic authentication username for connecting to Elasticsearch.

password

edit

The basic authentication password for connecting to Elasticsearch.

parameters

edit

Dictionary of HTTP parameters to pass within the url with index operations.

protocol

edit

The name of the protocol Elasticsearch is reachable on. The options are: http or https. The default is http. However, if you specify a URL for hosts, the value of protocol is overridden by whatever scheme you specify in the URL.

path

edit

An HTTP path prefix that is prepended to the HTTP API calls. This is useful for the cases where Elasticsearch listens behind an HTTP reverse proxy that exports the API under a custom prefix.

headers

edit

Custom HTTP headers to add to each request created by the Elasticsearch output. Example:

output.elasticsearch.headers:
  X-My-Header: Header contents

It is generally possible to specify multiple header values for the same header name by separating them with a comma.

proxy_url

edit

The URL of the proxy to use when connecting to the Elasticsearch servers. The value may be either a complete URL or a "host[:port]", in which case the "http" scheme is assumed. If a value is not specified through the configuration file then proxy environment variables are used. See the Go documentation for more information about the environment variables.

index

edit

The index name to write events to when you’re using daily indices. The default is "auditbeat-%{[agent.version]}-%{+yyyy.MM.dd}" (for example, "auditbeat-7.5.2-2024-11-22"). If you change this setting, you also need to configure the setup.template.name and setup.template.pattern options (see Load the Elasticsearch index template).

If you are using the pre-built Kibana dashboards, you also need to set the setup.dashboards.index option (see Load the Kibana dashboards).

The index setting is ignored when index lifecycle management is enabled. If you’re sending events to a cluster that supports index lifecycle management, see Configure index lifecycle management to learn how to change the index name.

You can set the index dynamically by using a format string to access any event field. For example, this configuration uses a custom field, fields.log_type, to set the index:

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  index: "%{[fields.log_type]}-%{[agent.version]}-%{+yyyy.MM.dd}" 

We recommend including agent.version in the name to avoid mapping issues when you upgrade.

With this configuration, all events with log_type: normal are sent to an index named normal-7.5.2-2024-11-22, and all events with log_type: critical are sent to an index named critical-7.5.2-2024-11-22.

To learn how to add custom fields to events, see the fields option.

See the indices setting for other ways to set the index dynamically.

indices

edit

An array of index selector rules. Each rule specifies the index to use for events that match the rule. During publishing, Auditbeat uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the indices setting is missing or no rule matches, the index setting is used.

Rule settings:

index
The index format string to use. If this string contains field references, such as %{[fields.name]}, the fields must exist, or the rule fails.
mappings
A dictionary that takes the value returned by index and maps it to a new name.
default
The default string value to use if mappings does not find a match.
when
A condition that must succeed in order to execute the current rule. All the conditions supported by processors are also supported here.

The following example sets the index based on whether the message field contains the specified string:

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  indices:
    - index: "warning-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        message: "WARN"
    - index: "error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        message: "ERR"

This configuration results in indices named warning-7.5.2-2024-11-22 and error-7.5.2-2024-11-22 (plus the default index if no matches are found).

The following example sets the index by taking the name returned by the index format string and mapping it to a new name that’s used for the index:

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  indices:
    - index: "%{[fields.log_type]}"
      mappings:
        critical: "sev1"
        normal: "sev2"
      default: "sev3"

This configuration results in indices named sev1, sev2, and sev3.

The mappings setting simplifies the configuration, but is limited to string values. You cannot specify format strings within the mapping pairs.

ilm

edit

Configuration options for index lifecycle management.

See Configure index lifecycle management for more information.

pipeline

edit

A format string value that specifies the ingest node pipeline to write events to.

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  pipeline: my_pipeline_id

For more information, see Parse data by using ingest node.

You can set the ingest node pipeline dynamically by using a format string to access any event field. For example, this configuration uses a custom field, fields.log_type, to set the pipeline for each event:

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  pipeline: "%{[fields.log_type]}_pipeline"

With this configuration, all events with log_type: normal are sent to a pipeline named normal_pipeline, and all events with log_type: critical are sent to a pipeline named critical_pipeline.

To learn how to add custom fields to events, see the fields option.

See the pipelines setting for other ways to set the ingest node pipeline dynamically.

pipelines

edit

An array of pipeline selector rules. Each rule specifies the ingest node pipeline to use for events that match the rule. During publishing, Auditbeat uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the pipelines setting is missing or no rule matches, the pipeline setting is used.

Rule settings:

pipeline
The pipeline format string to use. If this string contains field references, such as %{[fields.name]}, the fields must exist, or the rule fails.
mappings
A dictionary that takes the value returned by pipeline and maps it to a new name.
default
The default string value to use if mappings does not find a match.
when
A condition that must succeed in order to execute the current rule. All the conditions supported by processors are also supported here.

The following example sends events to a specific pipeline based on whether the message field contains the specified string:

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  pipelines:
    - pipeline: "warning_pipeline"
      when.contains:
        message: "WARN"
    - pipeline: "error_pipeline"
      when.contains:
        message: "ERR"

The following example sets the pipeline by taking the name returned by the pipeline format string and mapping it to a new name that’s used for the pipeline:

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  pipelines:
    - pipeline: "%{[fields.log_type]}"
      mappings:
        critical: "sev1_pipeline"
        normal: "sev2_pipeline"
      default: "sev3_pipeline"

With this configuration, all events with log_type: critical are sent to sev1_pipeline, all events with log_type: normal are sent to a sev2_pipeline, and all other events are sent to sev3_pipeline.

For more information about ingest node pipelines, see Parse data by using ingest node.

max_retries

edit

The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.

Set max_retries to a value less than 0 to retry until all events are published.

The default is 3.

bulk_max_size

edit

The maximum number of events to bulk in a single Elasticsearch bulk API index request. The default is 50.

Events can be collected into batches. Auditbeat will split batches larger than bulk_max_size into multiple batches.

Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.

Setting bulk_max_size to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.

backoff.init

edit

The number of seconds to wait before trying to reconnect to Elasticsearch after a network error. After waiting backoff.init seconds, Auditbeat tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to backoff.max. After a successful connection, the backoff timer is reset. The default is 1s.

backoff.max

edit

The maximum number of seconds to wait before attempting to connect to Elasticsearch after a network error. The default is 60s.

timeout

edit

The http request timeout in seconds for the Elasticsearch request. The default is 90.

ssl

edit

Configuration options for SSL parameters like the certificate authority to use for HTTPS-based connections. If the ssl section is missing, the host CAs are used for HTTPS connections to Elasticsearch.

See Specify SSL settings for more information.