Beats input plugin

This plugin uses "off-heap" direct memory in addition to heap memory. By default, a JVM’s off-heap direct memory limit is the same as the heap size. For example, setting -Xmx10G without setting the direct memory limit will allocate 10GB for heap and an additional 10GB for direct memory, for a total of 20GB allocated. You can set the amount of direct memory with -XX:MaxDirectMemorySize in Logstash JVM Settings. Consider setting direct memory to half of the heap size. Setting direct memory too low decreases the performance of ingestion.

If you are shipping events that span multiple lines, you need to use the configuration options available in Filebeat to handle multiline events before sending the event data to Logstash. You cannot use the Multiline codec plugin to handle multiline events. Doing so will result in the failure to start Logstash.

Flag to determine whether to add host field to event using the value supplied by the Beat in the hostname field.

The list of cipher suites to use, listed by priorities.

Close Idle clients after X seconds of inactivity.

Refer to ECS mapping for detailed information.

Example:

This configuration disables all enrichments:

input {
  beats {
    port => 5044
    enrich => none
  }
}

Or, to explicitly enable only source_metadata and ssl_peer_metadata (disabling all others):

input {
  beats {
    port => 5044
    enrich => [source_metadata, ssl_peer_metadata]
  }
}

When setting 0, the actual default is available_processors * 2

This is an expert-level setting, and generally should not need to be set Beats plugin is implemented based on a non-blocking mechanism, requiring a number of event loop and executor threads. The event loop threads are responsible to communicate with clients (accept incoming connections, enqueue/dequeue tasks and respond) and executor threads handle tasks. This configuration intends to limit or increase the number of threads to be created for the event loop. See executor_threads configuration if you need to set executor threads count.

The number of threads to be used to process incoming Beats requests. By default, the Beats input creates a number of threads equal to the number of CPU cores. These threads handle incoming connections, reading from established sockets, and executing most of the tasks related to network connection management. Parsing the Lumberjack protocol is offloaded to a dedicated thread pool.

Generally you don’t need to touch this setting. In case you are sending very large events and observing "OutOfDirectMemory" exceptions, you may want to reduce this number to half or 1/4 of the CPU cores. This change reduces the number of threads decompressing batches of data into direct memory. However, this will only be a mitigating tweak, as the proper solution may require resizing your Logstash deployment, either by increasing number of Logstash nodes or increasing the JVM’s Direct Memory.

The IP address to listen on.

The port to listen on.

Events are by default sent in plain text. You can enable encryption by setting ssl to true and configuring the ssl_certificate and ssl_key options.

SSL certificate to use.

Validate client certificates against these authorities. You can define multiple files or paths. All the certificates will be read and added to the trust store. You need to configure the ssl_client_authentication to optional or required to enable the verification.

The list of cipher suites to use, listed by priorities. This default list applies for OpenJDK 11.0.14 and higher. For older JDK versions, the default list includes only suites supported by that version. For example, the ChaCha20 family of ciphers is not supported in older versions.

Controls the server’s behavior in regard to requesting a certificate from client connections: required forces a client to present a certificate, while optional requests a client certificate but the client is not required to present one. Defaults to none, which disables the client authentication.

When mutual TLS is enabled (required or optional), the certificate presented by the client must be signed by trusted ssl_certificate_authorities (CAs). Please note that the server does not validate the client certificate CN (Common Name) or SAN (Subject Alternative Name).

Events are by default sent in plain text. You can enable encryption by setting ssl_enabled to true and configuring the ssl_certificate and ssl_key options.

Time in milliseconds for an incomplete ssl handshake to timeout

SSL key to use. This key must be in the PKCS8 format and PEM encoded. You can use the openssl pkcs8 command to complete the conversion. For example, the command to convert a PEM encoded PKCS1 private key to a PEM encoded, non-encrypted PKCS8 key is:

openssl pkcs8 -inform PEM -in path/to/logstash.key -topk8 -nocrypt -outform PEM -out path/to/logstash.pkcs8.key

SSL key passphrase to use.

Enables storing client certificate information in event’s metadata.

This option is only valid when ssl_client_authentication is set to optional or required.

List of allowed SSL/TLS versions to use when establishing a connection to the HTTP endpoint.

For Java 8 'TLSv1.3' is supported only since 8u262 (AdoptOpenJDK), but requires that you set the LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3" system property in Logstash.

By default, the server doesn’t do any client verification. If the ssl_certificate_authorities is configured, and no value or none is provided for this option, it defaults to force_peer instead of none.

peer will make the server ask the client to provide a certificate. If the client provides a certificate, it will be validated.

force_peer will make the server ask the client to provide a certificate. If the client doesn’t provide a certificate, the connection will be closed.

When mutual TLS is enabled (peer or force_peer), the certificate presented by the client must be signed by trusted ssl_certificate_authorities (CAs). Please note that the server does not validate the client certificate CN (Common Name) or SAN (Subject Alternative Name).

The maximum TLS version allowed for the encrypted connections. The value must be the one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3

The minimum TLS version allowed for the encrypted connections. The value must be one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3

Add a field to an event

The codec used for input data. Input codecs are a convenient method for decoding your data before it enters the input, without needing a separate filter in your Logstash pipeline.

Disable or enable metric logging for this specific plugin instance by default we record all the metrics we can, but you can disable metrics collection for a specific plugin.

Add a unique ID to the plugin configuration. If no ID is specified, Logstash will generate one. It is strongly recommended to set this ID in your configuration. This is particularly useful when you have two or more plugins of the same type, for example, if you have 2 beats inputs. Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.

input {
  beats {
    id => "my_plugin_id"
  }
}

Add any number of arbitrary tags to your event.

This can help with processing later.

Add a type field to all events handled by this input.

Types are used mainly for filter activation.

The type is stored as part of the event itself, so you can also use the type to search for it in Kibana.

If you try to set a type on an event that already has one (for example when you send an event from a shipper to an indexer) then a new input will not override the existing type. A type set at the shipper stays with that event for its life even when sent to another Logstash server.