Elastic Agent inputs

edit

When you configure inputs for standalone Elastic Agents, the following values are supported for the input type parameter.

Expand any section to view the available inputs:

Audit the activities of users and processes on your systems
Input Description Learn more

audit/auditd

Receives audit events from the Linux Audit Framework that is a part of the Linux kernel.

Auditd Module (Auditbeat docs)

audit/file_integrity

Sends events when a file is changed (created, updated, or deleted) on disk. The events contain file metadata and hashes.

File Integrity Module (Auditbeat docs)

audit/system

[beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. Collects various security related information about a system. All datasets send both periodic state information (e.g. all currently running processes) and real-time changes (e.g. when a new process starts or stops).

System Module (Auditbeat docs)

Collect metrics from operating systems and services running on your servers
Input Description Learn more

activemq/metrics

Periodically fetches JMX metrics from Apache ActiveMQ.

ActiveMQ module (Metricbeat docs)

apache/metrics

Periodically fetches metrics from Apache HTTPD servers.

Apache module (Metricbeat docs)

aws/metrics

Periodically fetches monitoring metrics from AWS CloudWatch using GetMetricData API for AWS services.

AWS module (Metricbeat docs)

awsfargate/metrics

[beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. Retrieves various metadata, network metrics, and Docker stats about tasks and containers.

AWS Fargate module (Metricbeat docs)

azure/metrics

Collects and aggregates Azure logs and metrics from a variety of sources into a common data platform where it can be used for analysis, visualization, and alerting.

Azure module (Metricbeat docs)

beat/metrics

Collects metrics about any Beat or other software based on libbeat.

Beat module (Metricbeat docs)

cloudfoundry/metrics

Connects to Cloud Foundry loggregator to gather container, counter, and value metrics into a common data platform where it can be used for analysis, visualization, and alerting.

Cloudfoundry module (Metricbeat docs)

containerd/metrics

[beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. Collects cpu, memory and blkio statistics about running containers controlled by containerd runtime.

Containerd module (Metricbeat docs)

docker/metrics

Fetches metrics from Docker containers.

Docker module (Metricbeat docs)

elasticsearch/metrics

Collects metrics about Elasticsearch.

Elasticsearch module (Metricbeat docs)

enterprisesearch/metrics

Periodically fetches metrics and health information from Elastic Enterprise Search instances using HTTP APIs.

Enterprise Search module (Metricbeat docs)

etcd/metrics

This module targets Etcd V2 and V3. When using V2, metrics are collected using Etcd v2 API. When using V3, metrics are retrieved from the /metrics` endpoint as intended for Etcd v3.

Etcd module (Metricbeat docs)

gcp/metrics

Periodically fetches monitoring metrics from Google Cloud Platform using Stackdriver Monitoring API for Google Cloud Platform services.

Google Cloud Platform module (Metricbeat docs)

haproxy/metrics

Collects stats from HAProxy. It supports collection from TCP sockets, UNIX sockets, or HTTP with or without basic authentication.

HAProxy module (Metricbeat docs)

http/metrics

Used to call arbitrary HTTP endpoints for which a dedicated Metricbeat module is not available.

HTTP module (Metricbeat docs)

iis/metrics

Periodically retrieve IIS web server related metrics.

IIS module (Metricbeat docs)

jolokia/metrics

Collects metrics from Jolokia agents running on a target JMX server or dedicated proxy server.

Jolokia module (Metricbeat docs)

kafka/metrics

Collects metrics from the Apache Kafka event streaming platform.

Kafka module (Metricbeat docs)

kibana/metrics

Collects metrics about {Kibana}.

Kibana module (Metricbeat docs)

kubernetes/metrics

As one of the main pieces provided for Kubernetes monitoring, this module is capable of fetching metrics from several components.

Kubernetes module (Metricbeat docs)

linux/metrics

[beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. Reports on metrics exclusive to the Linux kernel and GNU/Linux OS.

Linux module (Metricbeat docs)

logstash/metrics

collects metrics about Logstash.

Logstash module (Metricbeat docs)

memcached/metrics

Collects metrics about the memcached memory object caching system.

Memcached module (Metricbeat docs)

mongodb/metrics

Periodically fetches metrics from MongoDB servers.

MongoDB module (Metricbeat docs)

mssql/metrics

The Microsoft SQL 2017 Metricbeat module. It is still under active development to add new Metricsets and introduce enhancements.

MSSQL module (Metricbeat docs)

mysql/metrics

Periodically fetches metrics from MySQL servers.

MySQL module (Metricbeat docs)

nats/metrics

Uses the Nats monitoring server APIs to collect metrics.

NATS module (Metricbeat docs)

nginx/metrics

Periodically fetches metrics from Nginx servers.

Nginx module (Metricbeat docs)

oracle/metrics

The Oracle module for Metricbeat. It is under active development with feedback from the community. A single Metricset for Tablespace monitoring is added so the community can start gathering metrics from their nodes and contributing to the module.

Oracle module (Metricbeat docs)

postgresql/metrics

Periodically fetches metrics from PostgreSQL servers.

PostgresSQL module (Metricbeat docs)

prometheus/metrics

Periodically scrapes metrics from Prometheus exporters.

Prometheus module (Metricbeat docs)

rabbitmq/metrics

Uses the HTTP API created by the management plugin to collect RabbitMQ metrics.

RabbitMQ module (Metricbeat docs)

redis/metrics

Periodically fetches metrics from Redis servers.

Redis module (Metricbeat docs)

sql/metrics

Allows you to execute custom queries against an SQL database and store the results in Elasticsearch.

SQL module (Metricbeat docs)

stan/metrics

Uses STAN monitoring server APIs to collect metrics.

Stan module (Metricbeat docs)

statsd/metrics

Spawns a UDP server and listens for metrics in StatsD compatible format.

Statsd module (Metricbeat docs)

syncgateway/metrics

[beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. Monitor a Sync Gateway instance by using its REST API.

SyncGateway module (Metricbeat docs)

system/metrics

Allows you to monitor your server metrics, including CPU, load, memory, network, processes, sockets, filesystem, fsstat, uptime, and more.

System module (Metricbeat docs)

traefik/metrics

Periodically fetches metrics from a Traefik instance.

Traefik module (Metricbeat docs)

uwsgi/metrics

By default, collects the uWSGI stats metricset, using StatsServer.

uWSGI module (Metricbeat docs)

vsphere/metrics

Uses the Govmomi library to collect metrics from any Vmware SDK URL (ESXi/VCenter).

vSphere module (Metricbeat docs)

windows/metrics

Collects metrics from Windows systems.

Windows module (Metricbeat docs)

zookeeper/metrics

Fetches statistics from the ZooKeeper service.

ZooKeeper module (Metricbeat docs)

Forward and centralize log data
Input Description Learn more

aws-cloudwatch

Stores log files from Amazon Elastic Compute Cloud(EC2), AWS CloudTrail, Route53, and other sources.

AWS CloudWatch input (Filebeat docs)

aws-s3

Retrieves logs from S3 objects that are pointed to by S3 notification events read from an SQS queue or directly polling list of S3 objects in an S3 bucket.

AWS S3 input (Filebeat docs)

azure-blob-storage

Reads content from files stored in containers which reside on your Azure Cloud.

Azure Blob Storage (Filebeat docs)

azure-eventhub

Reads messages from an azure eventhub.

Azure eventhub input (Filebeat docs)

cel

Reads messages from a file path or HTTP API with a variety of payloads using the Common Expression Language (CEL) and the mito CEL extension libraries.

Common Expression Language input (Filebeat docs)

cloudfoundry

Gets HTTP access logs, container logs and error logs from Cloud Foundry.

Cloud Foundry input (Filebeat docs)

cometd

Streams the real-time events from a Salesforce generic subscription Push Topic.

CometD input (Filebeat docs)

container

Reads containers log files.

Container input (Filebeat docs)

docker

Alias for container.

-

log/docker

Alias for container.

n/a

entity-analytics

Collects identity assets, such as users, from external identity providers.

Entity Analytics input (Filebeat docs)

event/file

Alias for log.

n/a

event/tcp

Alias for tcp.

n/a

filestream

Reads lines from active log files. Replaces and imporoves on the log input.

filestream input (Filebeat docs)

gcp-pubsub

Reads messages from a Google Cloud Pub/Sub topic subscription.

GCP Pub/Sub input (Filebeat docs)

gcs

[beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. Reads content from files stored in buckets which reside on your Google Cloud.

Google Cloud Storage input (Filebeat docs)

http_endpoint

[beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. Initializes a listening HTTP server that collects incoming HTTP POST requests containing a JSON body.

HTTP Endpoint input (Filebeat docs)

httpjson

Read messages from an HTTP API with JSON payloads.

HTTP JSON input (Filebeat docs)

journald

[beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. A system service that collects and stores logging data.

Journald input (Filebeat docs)

kafka

Reads from topics in a Kafka cluster.

Kafka input (Filebeat docs)

log

DEPRECATED: Please use the filestream input instead.

n/a

logfile

Alias for log.

n/a

log/redis_slowlog

Alias for redis.

n/a

log/syslog

Alias for syslog.

n/a

mqtt

Reads data transmitted using lightweight messaging protocol for small and mobile devices, optimized for high-latency or unreliable networks.

MQTT input (Filebeat docs)

netflow

Reads NetFlow and IPFIX exported flows and options records over UDP.

NetFlow input (Filebeat docs)

o365audit

[beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. Retrieves audit messages from Office 365 and Azure AD activity logs.

Office 365 Management Activity API input (Filebeat docs)

osquery

Collects and decodes the result logs written by osqueryd in the JSON format.

-

redis

[beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. Reads entries from Redis slowlogs.

Redis input (Filebeat docs)

syslog

Reads Syslog events as specified by RFC 3164 and RFC 5424, over TCP, UDP, or a Unix stream socket.

Syslog input (Filebeat docs)

tcp

Reads events over TCP.

TCP input (Filebeat docs)

udp

Reads events over UDP.

UDP input (Filebeat docs)

unix

[beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. Reads events over a stream-oriented Unix domain socket.

Unix input (Filebeat docs)

winlog

Reads from one or more event logs using Windows APIs, filters the events based on user-configured criteria, then sends the event data to the configured outputs (Elasticsearch or Logstash).

Winlogbeat Overview (Winlogbeat docs)

Monitor the status of your services
Input Description Learn more

synthetics/http

Connect via HTTP and optionally verify that the host returns the expected response.

HTTP options (Heartbeat docs)

synthetics/icmp

Use ICMP (v4 and v6) Echo Requests to check the configured hosts.

ICMP options (Heartbeat docs)

synthetics/tcp

Connect via TCP and optionally verify the endpoint by sending and/or receiving a custom payload.

TCP options (Heartbeat docs)

View network traffic between the servers of your network
Input Description Learn more

packet

Sniffs the traffic between your servers, parses the application-level protocols on the fly, and correlates the messages into transactions.

Packetbeat overview (Packetbeat docs)