The input-elastic_agent plugin is the next generation of the
input-beats plugin.
They currently share code and a common codebase.
- Plugin version: v6.2.0
- Released on: 2021-08-03
- Changelog
For other versions, see the Versioned plugin docs.
For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.
This input plugin enables Logstash to receive events from the Elastic Agent framework.
The following example shows how to configure Logstash to listen on port 5044 for incoming Elastic Agent connections and to index into Elasticsearch.
input {
elastic_agent {
port => 5044
}
}
output {
elasticsearch {
hosts => ["http://localhost:9200"]
data_stream => "true"
}
}
Events indexed into Elasticsearch with the Logstash configuration shown here will be similar to events directly indexed by Elastic Agent into Elasticsearch.
When decoding Elastic Agent events, this plugin adds two fields related to the event:
the deprecated host which contains the hostname provided by Elastic Agent and the
ip_address containing the remote address of the client’s connection. When
ECS compatibility mode is enabled
these are now moved in ECS compatible namespace. Here’s how
ECS compatibility mode affects
output.
| ECS `disabled` | ECS `v1`, `v8` | Availability | Description |
|---|---|---|---|
[host] |
[@metadata][input][beats][host][name] |
Always |
Name or address of the Elastic Agent host |
[@metadata][ip_address] |
[@metadata][input][beats][host][ip] |
Always |
IP address of the Elastic Agent client |
[@metadata][tls_peer][status] |
[@metadata][tls_peer][status] |
When SSL related fields are populated |
Contains "verified"/"unverified" labels in |
[@metadata][tls_peer][protocol] |
[@metadata][input][beats][tls][version_protocol] |
When SSL status is "verified" |
Contains the TLS version used (e.g. |
[@metadata][tls_peer][subject] |
[@metadata][input][beats][tls][client][subject] |
When SSL status is "verified" |
Contains the identity name of the remote end (e.g. |
[@metadata][tls_peer][cipher_suite] |
[@metadata][input][beats][tls][cipher] |
When SSL status is "verified" |
Contains the name of cipher suite used (e.g. |
This plugin supports the following configuration options plus the Common Options described later.
| Setting | Input type | Required |
|---|---|---|
No |
||
No |
||
No |
||
No |
||
No |
||
No |
||
Yes |
||
No |
||
a valid filesystem path |
No |
|
No |
||
No |
||
a valid filesystem path |
No |
|
No |
||
string, one of |
No |
|
No |
||
No |
||
No |
Also see Common Options for a list of options supported by all input plugins.
Deprecated in 6.0.0.
The default value has been changed to false. In 7.0.0 this setting will be removed
- Value type is boolean
-
Default value is
false
Flag to determine whether to add host field to event using the value supplied by the Elastic Agent in the hostname field.
- Value type is array
-
Default value is
java.lang.String[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]@459cfcca
The list of ciphers suite to use, listed by priorities.
- Value type is number
-
Default value is
60
Close Idle clients after X seconds of inactivity.
- Value type is string
-
Supported values are:
-
disabled: unstructured connection metadata added at root level -
v1: structured connection metadata added under ECS v1 compliant namespaces -
v8: structured connection metadata added under ECS v8 compliant namespaces
-
-
Default value depends on which version of Logstash is running:
-
When Logstash provides a
pipeline.ecs_compatibilitysetting, its value is used as the default -
Otherwise, the default value is
disabled.
-
When Logstash provides a
Refer to ECS mapping for detailed information.
- Value type is boolean
-
Default value is
true
- This is a required setting.
- Value type is number
- There is no default value for this setting.
The port to listen on.
- Value type is boolean
-
Default value is
false
Events are by default sent in plain text. You can
enable encryption by setting ssl to true and configuring
the ssl_certificate and ssl_key options.
- Value type is path
- There is no default value for this setting.
SSL certificate to use.
- Value type is array
-
Default value is
[]
Validate client certificates against these authorities.
You can define multiple files or paths. All the certificates will
be read and added to the trust store. You need to configure the ssl_verify_mode
to peer or force_peer to enable the verification.
- Value type is number
-
Default value is
10000
Time in milliseconds for an incomplete ssl handshake to timeout
- Value type is path
- There is no default value for this setting.
SSL key to use. NOTE: This key need to be in the PKCS8 format, you can convert it with OpenSSL for more information.
- Value type is password
- There is no default value for this setting.
SSL key passphrase to use.
-
Value can be any of:
none,peer,force_peer -
Default value is
"none"
By default the server doesn’t do any client verification.
peer will make the server ask the client to provide a certificate.
If the client provides a certificate, it will be validated.
force_peer will make the server ask the client to provide a certificate.
If the client doesn’t provide a certificate, the connection will be closed.
This option needs to be used with ssl_certificate_authorities and a defined list of CAs.
- Value type is boolean
-
Default value is
false
Enables storing client certificate information in event’s metadata.
This option is only valid when ssl_verify_mode is set to peer or force_peer.
- Value type is number
-
Default value is
1.2
The maximum TLS version allowed for the encrypted connections. The value must be the one of the following: 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
- Value type is number
-
Default value is
1
The minimum TLS version allowed for the encrypted connections. The value must be one of the following: 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
The following configuration options are supported by all input plugins:
- Value type is codec
-
Default value is
"plain"
The codec used for input data. Input codecs are a convenient method for decoding your data before it enters the input, without needing a separate filter in your Logstash pipeline.
- Value type is boolean
-
Default value is
true
Disable or enable metric logging for this specific plugin instance by default we record all the metrics we can, but you can disable metrics collection for a specific plugin.
- Value type is string
- There is no default value for this setting.
Add a unique ID to the plugin configuration. If no ID is specified, Logstash will generate one.
It is strongly recommended to set this ID in your configuration. This is particularly useful
when you have two or more plugins of the same type, for example, if you have 2 elastic_agent inputs.
Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.
input {
elastic_agent {
id => "my_plugin_id"
}
}
Variable substitution in the id field only supports environment variables
and does not support the use of values from the secret store.
- Value type is array
- There is no default value for this setting.
Add any number of arbitrary tags to your event.
This can help with processing later.
- Value type is string
- There is no default value for this setting.
Add a type field to all events handled by this input.
Types are used mainly for filter activation.
The type is stored as part of the event itself, so you can also use the type to search for it in Kibana.
If you try to set a type on an event that already has one (for example when you send an event from a shipper to an indexer) then a new input will not override the existing type. A type set at the shipper stays with that event for its life even when sent to another Logstash server.