IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Azure Event Hubs plugin Cloudwatch input plugin »

› ›

Beats input plugin

edit

Beats input plugin

edit

The input-elastic_agent plugin is the next generation of the input-beats plugin. They currently share code and a common codebase.

Plugin version: v6.4.0
Released on: 2022-04-28
Changelog

For other versions, see the Versioned plugin docs.

Getting Help

edit

For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.

Description

edit

This input plugin enables Logstash to receive events from the Beats framework.

The following example shows how to configure Logstash to listen on port 5044 for incoming Beats connections and to index into Elasticsearch.

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}" 
  }
}

%{[@metadata][beat]} sets the first part of the index name to the value of the metadata field and %{[@metadata][version]} sets the second part to the Beat version. For example: metricbeat-6.1.6.

Events indexed into Elasticsearch with the Logstash configuration shown here will be similar to events directly indexed by Beats into Elasticsearch.

If ILM is not being used, set index to %{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd} instead so Logstash creates an index per day, based on the @timestamp value of the events coming from Beats.

Multi-line events

edit

If you are shipping events that span multiple lines, you need to use the configuration options available in Filebeat to handle multiline events before sending the event data to Logstash. You cannot use the Multiline codec plugin to handle multiline events. Doing so will result in the failure to start Logstash.

Versioned indices

edit

To minimize the impact of future schema changes on your existing indices and mappings in Elasticsearch, configure the Elasticsearch output to write to versioned indices. The pattern that you specify for the index setting controls the index name:

index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"

%{[@metadata][beat]}: Sets the first part of the index name to the value of the beat metadata field, for example, filebeat.
%{[@metadata][version]}: Sets the second part of the name to the Beat version, for example, 8.3.3.
%{+YYYY.MM.dd}: Sets the third part of the name to a date based on the Logstash @timestamp field.

This configuration results in daily index names like filebeat-8.3.3-2024-11-04.

Event Metadata and the Elastic Common Schema (ECS)

edit

When decoding Beats events, this plugin adds two fields related to the event: the deprecated host which contains the hostname provided by Beats and the ip_address containing the remote address of the client’s connection. When ECS compatibility mode is enabled these are now moved in ECS compatible namespace. Here’s how ECS compatibility mode affects output.

ECS `disabled`	ECS `v1`, `v8`	Availability	Description
[host]	[@metadata][input][beats][host][name]	Always	Name or address of the Beat host
[@metadata][ip_address]	[@metadata][input][beats][host][ip]	Always	IP address of the Beats client
[@metadata][tls_peer][status]	[@metadata][tls_peer][status]	When SSL related fields are populated	Contains "verified"/"unverified" labels in `disabled`, `true`/`false` in `v1`/`v8`
[@metadata][tls_peer][protocol]	[@metadata][input][beats][tls][version_protocol]	When SSL status is "verified"	Contains the TLS version used (e.g. `TLSv1.2`)
[@metadata][tls_peer][subject]	[@metadata][input][beats][tls][client][subject]	When SSL status is "verified"	Contains the identity name of the remote end (e.g. `CN=artifacts-no-kpi.elastic.co`)
[@metadata][tls_peer][cipher_suite]	[@metadata][input][beats][tls][cipher]	When SSL status is "verified"	Contains the name of cipher suite used (e.g. `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`)

Beats input configuration options

edit

This plugin supports the following configuration options plus the Common Options described later.

Setting	Input type	Required
`add_hostname`	boolean	Deprecated
`cipher_suites`	array	Deprecated
`client_inactivity_timeout`	number	No
`ecs_compatibility`	string	No
`executor_threads`	number	No
`host`	string	No
`include_codec_tag`	boolean	No
`port`	number	Yes
`ssl`	boolean	No
`ssl_certificate`	a valid filesystem path	No
`ssl_certificate_authorities`	array	No
`ssl_handshake_timeout`	number	No
`ssl_key`	a valid filesystem path	No
`ssl_key_passphrase`	password	No
`ssl_peer_metadata`	boolean	No
`ssl_supported_protocols`	array	No
`ssl_verify_mode`	string, one of `["none", "peer", "force_peer"]`	No
`tls_max_version`	number	Deprecated
`tls_min_version`	number	Deprecated

Also see Common Options for a list of options supported by all input plugins.

`add_hostname`

edit

Deprecated in 6.0.0.

The default value has been changed to false. In 7.0.0 this setting will be removed

Value type is boolean
Default value is false

Flag to determine whether to add host field to event using the value supplied by the Beat in the hostname field.

`cipher_suites`

edit

Deprecated in 6.4.0.

Replaced by ssl_cipher_suites

Value type is array

The list of cipher suites to use, listed by priorities.

`client_inactivity_timeout`

edit

Value type is number
Default value is 60

Close Idle clients after X seconds of inactivity.

`ecs_compatibility`

edit

Value type is string
Supported values are:
- disabled: unstructured connection metadata added at root level
- v1: structured connection metadata added under ECS v1 compliant namespaces
- v8: structured connection metadata added under ECS v8 compliant namespaces
Default value depends on which version of Logstash is running:
- When Logstash provides a pipeline.ecs_compatibility setting, its value is used as the default
- Otherwise, the default value is disabled.

Refer to ECS mapping for detailed information.

`executor_threads`

edit

Value type is number
Default value is 1 executor thread per CPU core

The number of threads to be used to process incoming beats requests. By default the Beats input creates a number of threads equal to 2*CPU cores. These threads handle incoming connections, reading from established sockets, and executing most of the tasks related to network connection management. Parsing the Lumberjack protocol is offloaded to a dedicated thread pool.

Generally you don’t need to touch this setting. In case you are sending very large events and observing "OutOfDirectMemory" exceptions, you may want to reduce this number to half or 1/4 of the CPU cores. This change reduces the number of threads decompressing batches of data into direct memory. However, this will only be a mitigating tweak, as the proper solution may require resizing your Logstash deployment, either by increasing number of Logstash nodes or increasing the JVM’s Direct Memory.

`host`

edit

Value type is string
Default value is "0.0.0.0"

The IP address to listen on.

`include_codec_tag`

edit

Value type is boolean
Default value is true

`port`

edit

This is a required setting.
Value type is number
There is no default value for this setting.

The port to listen on.

`ssl`

edit

Value type is boolean
Default value is false

Events are by default sent in plain text. You can enable encryption by setting ssl to true and configuring the ssl_certificate and ssl_key options.

`ssl_certificate`

edit

Value type is path
There is no default value for this setting.

SSL certificate to use.

`ssl_certificate_authorities`

edit

Value type is array
Default value is []

Validate client certificates against these authorities. You can define multiple files or paths. All the certificates will be read and added to the trust store. You need to configure the ssl_verify_mode to peer or force_peer to enable the verification.

`ssl_cipher_suites`

edit

Value type is array
Default value is ['TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256']

The list of cipher suites to use, listed by priorities. This default list applies for OpenJDK 11.0.14 and higher. For older JDK versions, the default list includes only suites supported by that version. For example, the ChaCha20 family of ciphers is not supported in older versions.

`ssl_handshake_timeout`

edit

Value type is number
Default value is 10000

Time in milliseconds for an incomplete ssl handshake to timeout

`ssl_key`

edit

Value type is path
There is no default value for this setting.

SSL key to use. This key must be in the PKCS8 format and PEM encoded. You can use the openssl pkcs8 command to complete the conversion. For example, the command to convert a PEM encoded PKCS1 private key to a PEM encoded, non-encrypted PKCS8 key is:

openssl pkcs8 -inform PEM -in path/to/logstash.key -topk8 -nocrypt -outform PEM -out path/to/logstash.pkcs8.key

`ssl_key_passphrase`

edit

Value type is password
There is no default value for this setting.

SSL key passphrase to use.

`ssl_peer_metadata`

edit

Value type is boolean
Default value is false

Enables storing client certificate information in event’s metadata.

This option is only valid when ssl_verify_mode is set to peer or force_peer.

`ssl_supported_protocols`

edit

Value type is array
Allowed values are: 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'
Default depends on the JDK being used. With up-to-date Logstash, the default is ['TLSv1.2', 'TLSv1.3']. 'TLSv1.1' is not considered secure and is only provided for legacy applications.

List of allowed SSL/TLS versions to use when establishing a connection to the HTTP endpoint.

For Java 8 'TLSv1.3' is supported only since 8u262 (AdoptOpenJDK), but requires that you set the LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3" system property in Logstash.

If you configure the plugin to use 'TLSv1.1' on any recent JVM, such as the one packaged with Logstash, the protocol is disabled by default and needs to be enabled manually by changing jdk.tls.disabledAlgorithms in the $JDK_HOME/conf/security/java.security configuration file. That is, TLSv1.1 needs to be removed from the list.

`ssl_verify_mode`

edit

Value can be any of: none, peer, force_peer
Default value is "none"

By default the server doesn’t do any client verification.

peer will make the server ask the client to provide a certificate. If the client provides a certificate, it will be validated.

force_peer will make the server ask the client to provide a certificate. If the client doesn’t provide a certificate, the connection will be closed.

This option needs to be used with ssl_certificate_authorities and a defined list of CAs.

`tls_max_version`

edit

Deprecated in 6.4.0.

Replaced by ssl_supported_protocols

Value type is number

The maximum TLS version allowed for the encrypted connections. The value must be the one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3

`tls_min_version`

edit

Deprecated in 6.4.0.

Replaced by ssl_supported_protocols

Value type is number

The minimum TLS version allowed for the encrypted connections. The value must be one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLS 1.3

Common Options

edit

The following configuration options are supported by all input plugins:

Setting	Input type	Required
`add_field`	hash	No
`codec`	codec	No
`enable_metric`	boolean	No
`id`	string	No
`tags`	array	No
`type`	string	No

Details

edit

`add_field`

edit

Value type is hash
Default value is {}

Add a field to an event

`codec`

edit

Value type is codec
Default value is "plain"

The codec used for input data. Input codecs are a convenient method for decoding your data before it enters the input, without needing a separate filter in your Logstash pipeline.

`enable_metric`

edit

Value type is boolean
Default value is true

Disable or enable metric logging for this specific plugin instance by default we record all the metrics we can, but you can disable metrics collection for a specific plugin.

`id`

edit

Value type is string
There is no default value for this setting.

Add a unique ID to the plugin configuration. If no ID is specified, Logstash will generate one. It is strongly recommended to set this ID in your configuration. This is particularly useful when you have two or more plugins of the same type, for example, if you have 2 beats inputs. Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.

input {
  beats {
    id => "my_plugin_id"
  }
}

Variable substitution in the id field only supports environment variables and does not support the use of values from the secret store.

`tags`

edit

Value type is array
There is no default value for this setting.

Add any number of arbitrary tags to your event.

This can help with processing later.

`type`

edit

Value type is string
There is no default value for this setting.

Add a type field to all events handled by this input.

Types are used mainly for filter activation.

The type is stored as part of the event itself, so you can also use the type to search for it in Kibana.

If you try to set a type on an event that already has one (for example when you send an event from a shipper to an indexer) then a new input will not override the existing type. A type set at the shipper stays with that event for its life even when sent to another Logstash server.

The Beats shipper automatically sets the type field on the event. You cannot override this setting in the Logstash config. If you specify a setting for the type config option in Logstash, it is ignored.

« Azure Event Hubs plugin Cloudwatch input plugin »