WARNING: Version 5.4 of Winlogbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Redis Output
editRedis Output
editThe Redis output inserts the events into a Redis list or a Redis channel. This output plugin is compatible with the Redis input plugin for Logstash.
Example configuration:
output.redis: hosts: ["localhost"] password: "my_password" key: "winlogbeat" db: 0 timeout: 5
Compatibility
editThis output works with Redis 3.2.4.
Redis Output Options
editYou can specify the following options in the redis
section of the winlogbeat.yml
config file:
enabled
editThe enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
The default value is true.
hosts
editThe list of Redis servers to connect to. If load balancing is enabled, the events are
distributed to the servers in the list. If one server becomes unreachable, the events are
distributed to the reachable servers only. You can define each Redis server by specifying
HOST
or HOST:PORT
. For example: "192.15.3.2"
or "test.redis.io:12345"
. If you
don’t specify a port number, the value configured by port
is used.
port
editDeprecated in 5.0.0.
The Redis port to use if hosts
does not contain a port number. The default is 6379.
index
editDeprecated in 5.0.0.
The index
setting is renamed to key
The name of the Redis list or channel the events are published to. The default is "winlogbeat".
key
editThe name of the Redis list or channel the events are published to. The default is "winlogbeat".
The redis key can be set dynamically using a format string accessing any fields in the event to be published.
This configuration will use the fields.list
field to set the redis list key. If
fields.list
is missing, fallback
will be used.
output.redis: hosts: ["localhost"] key: "%{[fields.list]:fallback}"
keys
editArray of key selector configurations supporting conditionals, format string
based field access and name mappings. The first rule matching will be used to
set the key
for the event to be published. If keys
is missing or no
rule matches, the key
field will be used.
Rule settings:
key
: The key format string. If the fields used in the format string are missing, the rule fails.
mapping
: Dictionary mapping key values to new names
default
: Default string value if mapping
does not find a match.
when
: Condition which must succeed in order to execute the current rule.
Example keys
settings:
output.redis: hosts: ["localhost"] key: "default_list" keys: - key: "info_list" # send to info_list if `message` field contains INFO when.contains: message: "INFO" - key: "debug_list" # send to debug_list if `message` field contains DEBUG when.contains: message: "DEBUG" - key: "%{[type]}" mapping: "http": "frontend_list" "nginx": "frontend_list" "mysql": "backend_list"
password
editThe password to authenticate with. The default is no authentication.
db
editThe Redis database number where the events are published. The default is 0.
datatype
editThe Redis data type to use for publishing events.If the data type is list
, the
Redis RPUSH command is used and all events are added to the list with the key defined under key
.
If the data type channel
is used, the Redis PUBLISH
command is used and means that all events
are pushed to the pub/sub mechanism of Redis. The name of the channel is the one defined under key
.
The default value is list
.
codec
editOutput codec configuration. If the codec
section is missing, events will be json encoded.
See Output Codec for more information.
host_topology
editDeprecated in 5.0.0.
The Redis host to connect to when using topology map support. Topology map support is disabled if this option is not set.
password_topology
editDeprecated in 5.0.0.
The password to use for authenticating with the Redis topology server. The default is no authentication.
db_topology
editDeprecated in 5.0.0.
The Redis database number where the topology information is stored. The default is 1.
worker
editThe number of workers to use for each host configured to publish events to Redis. Use this setting along with the
loadbalance
option. For example, if you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
loadbalance
editIf set to true and multiple hosts or workers are configured, the output plugin load balances published events onto all Redis hosts. If set to false, the output plugin sends all events to only one host (determined at random) and will switch to another host if the currently selected one becomes unreachable. The default value is true.
timeout
editThe Redis connection timeout in seconds. The default is 5 seconds.
max_retries
editThe number of times to retry publishing an event after a publishing failure.
After the specified number of retries, the events are typically dropped.
Some Beats, such as Filebeat, ignore the max_retries
setting and retry until all
events are published.
Set max_retries
to a value less than 0 to retry until all events are published.
The default is 3.
bulk_max_size
editThe maximum number of events to bulk in a single Redis request or pipeline. The default is 2048.
If the Beat sends single events, the events are collected into batches. If the
Beat publishes a large batch of events (larger than the value specified by
bulk_max_size
), the batch is split.
Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
Setting bulk_max_size
to values less than or equal to 0 disables buffering in
libbeat. When buffering is disabled, Beats that publish single events (such as
Packetbeat) send each event directly to Redis. Beats that publish
data in batches (such as Filebeat) send events in batches based on the spooler
size.
ssl
editConfiguration options for SSL parameters like the root CA for Redis connections guarded by SSL proxies (for example stunnel). See SSL for more information.
proxy_url
editThe URL of the SOCKS5 proxy to use when connecting to the Redis servers. The
value must be a URL with a scheme of socks5://
. You cannot use a web proxy
because the protocol used to communicate with Redis is not based on HTTP.
If the SOCKS5 proxy server requires client authentication, you can embed a username and password in the URL.
When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the proxy_use_local_resolver option.
proxy_use_local_resolver
editThis option determines whether Redis hostnames are resolved locally when using a proxy. The default value is false, which means that name resolution occurs on the proxy server.