- Auditbeat Reference: other versions:
- Auditbeat overview
- Quick start: installation and configuration
- Set up and run
- Upgrade Auditbeat
- Configure
- Modules
- General settings
- Project paths
- Config file reloading
- Output
- Kerberos
- SSL
- Index lifecycle management (ILM)
- Elasticsearch index template
- Kibana endpoint
- Kibana dashboards
- Processors
- Define processors
- add_cloud_metadata
- add_cloudfoundry_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_network_direction
- add_nomad_metadata
- add_observer_metadata
- add_process_metadata
- add_session_metadata
- add_tags
- append
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_duration
- decode_json_fields
- decode_xml
- decode_xml_wineventlog
- decompress_gzip_field
- detect_mime_type
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- move_fields
- rate_limit
- registered_domain
- rename
- replace
- syslog
- translate_ldap_attribute
- translate_sid
- truncate_fields
- urldecode
- Internal queue
- Logging
- HTTP endpoint
- Regular expression support
- Instrumentation
- Feature flags
- auditbeat.reference.yml
- How to guides
- Modules
- Exported fields
- Monitor
- Secure
- Troubleshoot
- Get Help
- Debug
- Understand logged metrics
- Common problems
- Auditbeat fails to watch folders because too many files are open
- Auditbeat uses too much bandwidth
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- Publishing to Logstash fails with "connection reset by peer" message
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
- Dashboard could not locate the index-pattern
- High RSS memory usage due to MADV settings
- Contribute to Beats
Add Cloud Foundry metadata
editAdd Cloud Foundry metadata
editThe add_cloudfoundry_metadata
processor annotates each event with relevant metadata
from Cloud Foundry applications. The events are annotated with Cloud Foundry metadata,
only if the event contains a reference to a Cloud Foundry application (using field
cloudfoundry.app.id
) and the configured Cloud Foundry client is able to retrieve
information for the application.
Each event is annotated with:
- Application Name
- Space ID
- Space Name
- Organization ID
- Organization Name
Pivotal Application Service and Tanzu Application Service include this
metadata in all events from the firehose since version 2.8. In these cases the
metadata in the events is used, and add_cloudfoundry_metadata
processor
doesn’t modify these fields.
For efficient annotation, application metadata retrieved by the Cloud Foundry
client is stored in a persistent cache on the filesystem under the path.data
directory. This is done so the metadata can persist across restarts of Auditbeat.
For control over this cache, use the cache_duration
and cache_retry_delay
settings.
processors: - add_cloudfoundry_metadata: api_address: https://api.dev.cfdev.sh client_id: uaa-filebeat client_secret: verysecret ssl: verification_mode: none # To connect to Cloud Foundry over verified TLS you can specify a client and CA certificate. #ssl: # certificate_authorities: ["/etc/pki/cf/ca.pem"] # certificate: "/etc/pki/cf/cert.pem" # key: "/etc/pki/cf/cert.key"
It has the following settings:
-
api_address
-
(Optional) The URL of the Cloud Foundry API. It uses
http://api.bosh-lite.com
by default. -
doppler_address
- (Optional) The URL of the Cloud Foundry Doppler Websocket. It uses value from ${api_address}/v2/info by default.
-
uaa_address
- (Optional) The URL of the Cloud Foundry UAA API. It uses value from ${api_address}/v2/info by default.
-
rlp_address
- (Optional) The URL of the Cloud Foundry RLP Gateway. It uses value from ${api_address}/v2/info by default.
-
client_id
- Client ID to authenticate with Cloud Foundry.
-
client_secret
- Client Secret to authenticate with Cloud Foundry.
-
cache_duration
- (Optional) Maximum amount of time to cache an application’s metadata. Defaults to 120 seconds.
-
cache_retry_delay
- (Optional) Time to wait before trying to obtain an application’s metadata again in case of error. Defaults to 20 seconds.
-
ssl
- (Optional) SSL configuration to use when connecting to Cloud Foundry.