- Filebeat Reference: other versions:
- Filebeat overview
- Quick start: installation and configuration
- Set up and run
- Upgrade
- How Filebeat works
- Configure
- Inputs
- Multiline messages
- AWS CloudWatch
- AWS S3
- Azure Event Hub
- Azure Blob Storage
- Benchmark
- CEL
- Cloud Foundry
- CometD
- Container
- Entity Analytics
- ETW
- filestream
- GCP Pub/Sub
- Google Cloud Storage
- HTTP Endpoint
- HTTP JSON
- journald
- Kafka
- Log
- MQTT
- NetFlow
- Office 365 Management Activity API
- Redis
- Salesforce
- Stdin
- Streaming
- Syslog
- TCP
- UDP
- Unix
- winlog
- Modules
- General settings
- Project paths
- Config file loading
- Output
- Kerberos
- SSL
- Index lifecycle management (ILM)
- Elasticsearch index template
- Kibana endpoint
- Kibana dashboards
- Processors
- Define processors
- add_cloud_metadata
- add_cloudfoundry_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_network_direction
- add_nomad_metadata
- add_observer_metadata
- add_process_metadata
- add_tags
- append
- cache
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_cef
- decode_csv_fields
- decode_duration
- decode_json_fields
- decode_xml
- decode_xml_wineventlog
- decompress_gzip_field
- detect_mime_type
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- move_fields
- parse_aws_vpc_flow_log
- rate_limit
- registered_domain
- rename
- replace
- script
- syslog
- timestamp
- translate_ldap_attribute
- translate_sid
- truncate_fields
- urldecode
- Autodiscover
- Internal queue
- Logging
- HTTP endpoint
- Regular expression support
- Instrumentation
- Feature flags
- filebeat.reference.yml
- Inputs
- How to guides
- Override configuration settings
- Load the Elasticsearch index template
- Change the index name
- Load Kibana dashboards
- Load ingest pipelines
- Enrich events with geoIP information
- Deduplicate data
- Parse data using an ingest pipeline
- Use environment variables in the configuration
- Avoid YAML formatting problems
- Migrate
log
input configurations tofilestream
- Migrating from a Deprecated Filebeat Module
- Modules
- Modules overview
- ActiveMQ module
- Apache module
- Auditd module
- AWS module
- AWS Fargate module
- Azure module
- CEF module
- Check Point module
- Cisco module
- CoreDNS module
- CrowdStrike module
- Cyberark PAS module
- Elasticsearch module
- Envoyproxy Module
- Fortinet module
- Google Cloud module
- Google Workspace module
- HAproxy module
- IBM MQ module
- Icinga module
- IIS module
- Iptables module
- Juniper module
- Kafka module
- Kibana module
- Logstash module
- Microsoft module
- MISP module
- MongoDB module
- MSSQL module
- MySQL module
- MySQL Enterprise module
- NATS module
- NetFlow module
- Nginx module
- Office 365 module
- Okta module
- Oracle module
- Osquery module
- Palo Alto Networks module
- pensando module
- PostgreSQL module
- RabbitMQ module
- Redis module
- Salesforce module
- Santa module
- Snyk module
- Sophos module
- Suricata module
- System module
- Threat Intel module
- Traefik module
- Zeek (Bro) Module
- ZooKeeper module
- Zoom module
- Exported fields
- ActiveMQ fields
- Apache fields
- Auditd fields
- AWS fields
- AWS CloudWatch fields
- AWS Fargate fields
- Azure fields
- Beat fields
- Decode CEF processor fields fields
- CEF fields
- Checkpoint fields
- Cisco fields
- Cloud provider metadata fields
- Coredns fields
- Crowdstrike fields
- CyberArk PAS fields
- Docker fields
- ECS fields
- Elasticsearch fields
- Envoyproxy fields
- Fortinet fields
- Google Cloud Platform (GCP) fields
- google_workspace fields
- HAProxy fields
- Host fields
- ibmmq fields
- Icinga fields
- IIS fields
- iptables fields
- Jolokia Discovery autodiscover provider fields
- Juniper JUNOS fields
- Kafka fields
- kibana fields
- Kubernetes fields
- Log file content fields
- logstash fields
- Lumberjack fields
- Microsoft fields
- MISP fields
- mongodb fields
- mssql fields
- MySQL fields
- MySQL Enterprise fields
- NATS fields
- NetFlow fields
- Nginx fields
- Office 365 fields
- Okta fields
- Oracle fields
- Osquery fields
- panw fields
- Pensando fields
- PostgreSQL fields
- Process fields
- RabbitMQ fields
- Redis fields
- s3 fields
- Salesforce fields
- Google Santa fields
- Snyk fields
- sophos fields
- Suricata fields
- System fields
- threatintel fields
- Traefik fields
- Windows ETW fields
- Zeek fields
- ZooKeeper fields
- Zoom fields
- Monitor
- Secure
- Troubleshoot
- Get help
- Debug
- Understand logged metrics
- Common problems
- Error extracting container id while using Kubernetes metadata
- Can’t read log files from network volumes
- Filebeat isn’t collecting lines from a file
- Too many open file handlers
- Registry file is too large
- Inode reuse causes Filebeat to skip lines
- Log rotation results in lost or duplicate events
- Open file handlers cause issues with Windows file rotation
- Filebeat is using too much CPU
- Dashboard in Kibana is breaking up data fields incorrectly
- Fields are not indexed or usable in Kibana visualizations
- Filebeat isn’t shipping the last line of a file
- Filebeat keeps open file handlers of deleted files for a long time
- Filebeat uses too much bandwidth
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- Publishing to Logstash fails with "connection reset by peer" message
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
- Dashboard could not locate the index-pattern
- High RSS memory usage due to MADV settings
- Contribute to Beats
Autodiscover
editAutodiscover
editWhen you run applications on containers, they become moving targets to the monitoring system. Autodiscover allows you to track them and adapt settings as changes happen. By defining configuration templates, the autodiscover subsystem can monitor services as they start running.
You define autodiscover settings in the filebeat.autodiscover
section of the filebeat.yml
config file. To enable autodiscover, you specify a list of providers.
Providers
editAutodiscover providers work by watching for events on the system and translating those events into internal autodiscover events with a common format. When you configure the provider, you can optionally use fields from the autodiscover event to set conditions that, when met, launch specific configurations.
On start, Filebeat will scan existing containers and launch the proper configs for them. Then it will watch for new start/stop events. This ensures you don’t need to worry about state, but only define your desired configs.
Docker
editThe Docker autodiscover provider watches for Docker containers to start and stop.
It has the following settings:
-
host
-
(Optional) Docker socket (UNIX or TCP socket). It uses
unix:///var/run/docker.sock
by default. -
ssl
- (Optional) SSL configuration to use when connecting to the Docker socket.
-
cleanup_timeout
- (Optional) Specify the time of inactivity before stopping the running configuration for a container, 60s by default.
-
labels.dedot
-
(Optional) Default to be false. If set to true, replace dots in
labels with
_
.
These are the fields available within config templating. The docker.*
fields will be available on each emitted event.
event:
- host
- port
- docker.container.id
- docker.container.image
- docker.container.name
- docker.container.labels
For example:
{ "host": "10.4.15.9", "port": 6379, "docker": { "container": { "id": "382184ecdb385cfd5d1f1a65f78911054c8511ae009635300ac28b4fc357ce51" "name": "redis", "image": "redis:3.2.11", "labels": { "io.kubernetes.pod.namespace": "default" ... } } } }
You can define a set of configuration templates to be applied when the condition matches an event. Templates define a condition to match on autodiscover events, together with the list of configurations to launch when this condition happens.
Conditions match events from the provider. Providers use the same format for Conditions that processors use.
Configuration templates can contain variables from the autodiscover event. They can be accessed under the data
namespace.
For example, with the example event, "${data.port}
" resolves to 6379
.
Filebeat supports templates for inputs and modules.
filebeat.autodiscover: providers: - type: docker templates: - condition: contains: docker.container.image: redis config: - type: container paths: - /var/lib/docker/containers/${data.docker.container.id}/*.log exclude_lines: ["^\\s+[\\-`('.|_]"] # drop asciiart lines
This configuration launches a docker
logs input for all containers running an image with redis
in the name.
labels.dedot
defaults to be true
for docker autodiscover, which means dots in docker labels are replaced with _ by default.
If you are using modules, you can override the default input and use the docker input instead.
filebeat.autodiscover: providers: - type: docker templates: - condition: contains: docker.container.image: redis config: - module: redis log: input: type: container paths: - /var/lib/docker/containers/${data.docker.container.id}/*.log
When using autodiscover, you have to be careful when defining config templates, especially if they are reading from places holding information for several containers. For instance, under this file structure:
/mnt/logs/<container_id>/*.log
You can define a config template like this:
Wrong settings:
autodiscover.providers: - type: docker templates: - condition.contains: docker.container.image: nginx config: - type: log paths: - "/mnt/logs/*/*.log"
That would read all the files under the given path several times (one per nginx container). What you really want is to scope your template to the container that matched the autodiscover condition. Good settings:
autodiscover.providers: - type: docker templates: - condition.contains: docker.container.image: nginx config: - type: log paths: - "/mnt/logs/${data.docker.container.id}/*.log"
Kubernetes
editThe Kubernetes autodiscover provider watches for Kubernetes nodes, pods, services to start, update, and stop.
The kubernetes
autodiscover provider has the following configuration settings:
-
node
- (Optional) Specify the node to scope filebeat to in case it cannot be accurately detected, as when running filebeat in host network mode.
-
namespace
-
(Optional) Select the namespace from which to collect the events from the resources. If it is not set, the provider collects them from all namespaces. It is unset by default. The namespace configuration only applies to kubernetes resources that are namespace scoped and if
unique
field is set tofalse
. -
cleanup_timeout
- (Optional) Specify the time of inactivity before stopping the running configuration for a container, 60s by default.
-
kube_config
- (Optional) Use given config file as configuration for Kubernetes client. If kube_config is not set, KUBECONFIG environment variable will be checked and if not present it will fall back to InCluster.
-
kube_client_options
- (Optional) Additional options can be configured for Kubernetes client. Currently client QPS and burst are supported, if not set Kubernetes client’s default QPS and burst will be used. Example:
kube_client_options: qps: 5 burst: 10
-
resource
-
(Optional) Select the resource to do discovery on. Currently supported
Kubernetes resources are
pod
,service
andnode
. If not configuredresource
defaults topod
. -
scope
-
(Optional) Specify at what level autodiscover needs to be done at.
scope
can either takenode
orcluster
as values.node
scope allows discovery of resources in the specified node.cluster
scope allows cluster wide discovery. Onlypod
andnode
resources can be discovered at node scope. -
add_resource_metadata
-
(Optional) Specify filters and configration for the extra metadata, that will be added to the event. Configuration parameters:
-
node
ornamespace
: Specify labels and annotations filters for the extra metadata coming from node and namespace. By default all labels are included while annotations are not. To change default behaviourinclude_labels
,exclude_labels
andinclude_annotations
can be defined. Those settings are useful when storing labels and annotations that require special handling to avoid overloading the storage output. Note: wildcards are not supported for those settings. The enrichment ofnode
ornamespace
metadata can be individually disabled by settingenabled: false
. -
deployment
: If resource ispod
and it is created from adeployment
, by default the deployment name isn’t added, this can be enabled by settingdeployment: true
. -
cronjob
: If resource ispod
and it is created from acronjob
, by default the cronjob name isn’t added, this can be enabled by settingcronjob: true
.Example:
-
add_resource_metadata: namespace: include_labels: ["namespacelabel1"] node: include_labels: ["nodelabel2"] include_annotations: ["nodeannotation1"] # deployment: false # cronjob: false
-
unique
-
(Optional) Defaults to
false
. Marking an autodiscover provider as unique results into making the provider to enable the provided templates only when it will gain the leader lease. This setting can only be combined withcluster
scope. Whenunique
is enabled,resource
andadd_resource_metadata
settings are not taken into account. -
leader_lease
-
(Optional) Defaults to
filebeat-cluster-leader
. This will be name of the lock lease. One can monitor the status of the lease withkubectl describe lease beats-cluster-leader
. Different Beats that refer to the same leader lease will be competitors in holding the lease and only one will be elected as leader each time. -
leader_leaseduration
-
(Optional) Duration that non-leader candidates will wait to force acquire the lease leadership. Defaults to
15s
. -
leader_renewdeadline
-
(Optional) Duration that the leader will retry refreshing its leadership before giving up. Defaults to
10s
. -
leader_retryperiod
-
(Optional) Duration that the metricbeat instances running to acquire the lease should wait between tries of actions. Defaults to
2s
.
Configuration templates can contain variables from the autodiscover event. These variables can be accessed under the data
namespace, e.g. to access Pod IP: ${data.kubernetes.pod.ip}
.
These are the fields available within config templating. The kubernetes.*
fields will be available on each emitted event:
Generic fields:
edit- host
Pod specific:
editKey | Type | Description |
---|---|---|
|
|
Pod port. If pod has multiple ports exposed should be used |
|
|
Namespace, where the Pod is running |
|
|
UUID of the Namespace, where the Pod is running |
|
|
Annotations of the Namespace, where the Pod is running. Annotations should be used in not dedoted format, e.g. |
|
|
Name of the Pod |
|
|
UID of the Pod |
|
|
IP of the Pod |
|
|
Object of the Pod labels. Labels should be used in not dedoted format, e.g. |
|
|
Object of the Pod annotations. Annotations should be used in not dedoted format, e.g. |
|
|
Name of the container |
|
|
Runtime of the container |
|
|
ID of the container |
|
|
Image of the container |
|
|
Name of the Node |
|
|
UID of the Node |
|
|
Hostname of the Node |
Node specific:
editKey | Type | Description |
---|---|---|
|
|
Object of labels of the Node |
|
|
Object of annotations of the Node |
|
|
Name of the Node |
|
|
UID of the Node |
|
|
Hostname of the Node |
Service specific:
editKey | Type | Description |
---|---|---|
|
|
Service port |
|
|
Namespace of the Service |
|
|
UUID of the Namespace of the Service |
|
|
Annotations of the Namespace of the Service. Annotations should be used in not dedoted format, e.g. |
|
|
Object of the Service labels |
|
|
Object of the Service annotations |
|
|
Name of the Service |
|
|
UID of the Service |
If the include_annotations
config is added to the provider config, then the list of annotations present in the config
are added to the event.
If the include_labels
config is added to the provider config, then the list of labels present in the config
will be added to the event.
If the exclude_labels
config is added to the provider config, then the list of labels present in the config
will be excluded from the event.
if the labels.dedot
config is set to be true
in the provider config, then .
in labels will be replaced with _
.
By default it is true
.
if the annotations.dedot
config is set to be true
in the provider config, then .
in annotations will be replaced
with _
. By default it is true
.
Starting from 8.6 release kubernetes.labels.*
used in config templating are not dedoted regardless of labels.dedot
value.
This config parameter only affects the fields added in the final Elasticsearch document. For example, for a pod with label app.kubernetes.io/name=ingress-nginx
the matching condition should be condition.equals:
kubernetes.labels.app.kubernetes.io/name: "ingress-nginx"
. If labels.dedot
is set to true
(default value)
the label will be stored in Elasticsearch as kubernetes.labels.app_kubernetes_io/name
. The same applies for kubernetes annotations.
For example:
{ "host": "172.17.0.21", "port": 9090, "kubernetes": { "container": { "id": "bb3a50625c01b16a88aa224779c39262a9ad14264c3034669a50cd9a90af1527", "image": "prom/prometheus", "name": "prometheus" }, "labels": { "project": "prometheus", ... }, "namespace": "default", "node": { "name": "minikube" }, "pod": { "name": "prometheus-2657348378-k1pnh" } }, }
Filebeat supports templates for inputs and modules.
filebeat.autodiscover: providers: - type: kubernetes templates: - condition: equals: kubernetes.namespace: kube-system config: - type: container paths: - /var/log/containers/*-${data.kubernetes.container.id}.log exclude_lines: ["^\\s+[\\-`('.|_]"] # drop asciiart lines
This configuration launches a docker
logs input for all containers of pods running in the Kubernetes namespace
kube-system
.
If you are using modules, you can override the default input and use the docker input instead.
filebeat.autodiscover: providers: - type: kubernetes templates: - condition: equals: kubernetes.container.image: "redis" config: - module: redis log: input: type: container paths: - /var/log/containers/*-${data.kubernetes.container.id}.log
Jolokia
editThe Jolokia autodiscover provider uses Jolokia Discovery to find agents running in your host or your network.
The configuration of this provider consists in a set of network interfaces, as
well as a set of templates as in other providers. The network interfaces will be
the ones used for discovery probes, each item of interfaces
has these settings:
-
name
-
the name of the interface (e.g.
br0
), it can contain a wildcard as suffix to apply the same settings to multiple network interfaces of the same type (e.g.br*
). -
interval
- time between probes (defaults to 10s)
-
grace_period
- time since the last reply to consider an instance stopped (defaults to 30s)
-
probe_timeout
- max time to wait for responses since a probe is sent (defaults to 1s)
Jolokia Discovery mechanism is supported by any Jolokia agent since version 1.2.0, it is enabled by default when Jolokia is included in the application as a JVM agent, but disabled in other cases as the OSGI or WAR (Java EE) agents. In any case, this feature is controlled with two properties:
-
discoveryEnabled
, to enable the feature -
discoveryAgentUrl
, if set, this is the URL announced by the agent when being discovered, setting this parameter implicitly enables the feature
There are multiple ways of setting these properties, and they can vary from application to application, please refer to the documentation of your application to find the more suitable way to set them in your case.
Jolokia Discovery is based on UDP multicast requests. Agents join the multicast group 239.192.48.84, port 24884, and discovery is done by sending queries to this group. You have to take into account that UDP traffic between Filebeat and the Jolokia agents has to be allowed. Also notice that this multicast address is in the 239.0.0.0/8 range, that is reserved for private use within an organization, so it can only be used in private networks.
These are the available fields during within config templating. The jolokia.*
fields will be available on each emitted event.
- jolokia.agent.id
- jolokia.agent.version
- jolokia.secured
- jolokia.server.product
- jolokia.server.vendor
- jolokia.server.version
- jolokia.url
Filebeat supports templates for inputs and modules:
filebeat.autodiscover: providers: - type: jolokia interfaces: - name: lo templates: - condition: contains: jolokia.server.product: "kafka" config: - module: kafka log: enabled: true var.paths: - /var/log/kafka/*.log
This configuration starts a jolokia module that collects logs of kafka if it is running. Discovery probes are sent using the local interface.
Nomad
editThis functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
The Nomad autodiscover provider watches for Nomad jobs to start, update, and stop.
The nomad
autodiscover provider has the following configuration settings:
-
address
-
(Optional) Specify the address of the Nomad agent. By default it will try to talk to a
Nomad agent running locally (
http://127.0.0.1:4646
). -
region
- (Optional) Region to use. If not provided, the default agent region is used.
-
namespace
-
(Optional) Namespace to use. If not provided the
default
namespace is used. -
secret_id
- (Optional) SecretID to use if ACL is enabled in Nomad. This is an example ACL policy to apply to the token.
namespace "*" { policy = "read" } node { policy = "read" } agent { policy = "read" }
-
node
-
(Optional) Specify the node to scope filebeat to in case it
cannot be accurately detected when
node
scope is used. -
scope
-
(Optional) Specify at what level autodiscover needs to be done at.
scope
can either takenode
orcluster
as values.node
scope allows discovery of resources in the specified node.cluster
scope allows cluster wide discovery. Defaults tonode
. -
wait_time
-
(Optional) Limits how long a Watch will block. If not specified (or set to
0
) the default configuration from the agent will be used. -
allow_stale
-
(Optional) allows any Nomad server (non-leader) to service a read. This normally
means that the local node where filebeat is allocated will service filebeat’s requests.
Defaults to
true
.
The configuration of templates and conditions is similar to that of the Docker provider.
Configuration templates can contain variables from the autodiscover event. They can be accessed under
data
namespace.
These are the available fields during config templating. The nomad.*
fields will be available
on each emitted event.
- nomad.allocation.id
- nomad.allocation.name
- nomad.allocation.status
- nomad.datacenter
- nomad.job.name
- nomad.job.type
- nomad.namespace
- nomad.region
- nomad.task.name
- nomad.task.service.canary_tags
- nomad.task.service.name
- nomad.task.service.tags
If the include_labels
config is added to the provider config, then the list of labels present in
the config will be added to the event.
If the exclude_labels
config is added to the provider config, then the list of labels present in
the config will be excluded from the event.
if the labels.dedot
config is set to be true
in the provider config, then .
in labels will be
replaced with _
.
For example:
{ ... "region": "europe", "allocation": { "name": "coffeshop.api[0]", "id": "35eba07f-e5e4-20ac-6def-85117bee6efb", "status": "running" }, "datacenters": [ "europe-west4" ], "namespace": "default", "job": { "type": "service", "name": "coffeshop" }, "task": { "service": { "name": [ "coffeshop" ], "tags": [ "coffeshop", "nginx" ], "canary_tags": [ "coffeshop" ] }, "name": "api" }, ... }
Filebeat supports templates for inputs and modules.
filebeat.autodiscover: providers: - type: nomad node: nomad1 scope: local hints.enabled: true allow_stale: true templates: - condition: equals: nomad.namespace: web config: - type: log paths: - /var/lib/nomad/alloc/${data.nomad.allocation.id}/alloc/logs/${data.nomad.task.name}.stderr.[0-9]* exclude_lines: ["^\\s+[\\-`('.|_]"] # drop asciiart lines
This configuration launches a log
input for all jobs under the web
Nomad namespace.
If you are using modules, you can override the default input and customize it to read from the
${data.nomad.task.name}.stdout
and/or ${data.nomad.task.name}.stderr
files.
filebeat.autodiscover: providers: - type: nomad templates: - condition: equals: nomad.task.service.tags: "redis" config: - module: redis log: input: type: log paths: - /var/lib/nomad/alloc/${data.nomad.allocation.id}/alloc/logs/${data.nomad.task.name}.*
The docker
input is currently not supported. Nomad doesn’t expose the container ID
associated with the allocation. Without the container ID, there is no way of generating the proper
path for reading the container’s logs.
On this page
ElasticON events are back!
Learn about the Elastic Search AI Platform from the experts at our live events.
Register now