├── .ansible-lint ├── .gitignore ├── molecule └── default │ ├── requirements.yml │ ├── molecule.yml │ └── converge.yml ├── handlers └── main.yml ├── .github ├── FUNDING.yml └── workflows │ ├── release.yml │ ├── ci.yml │ └── stale.yml ├── .yamllint ├── templates ├── beats.repo.j2 └── filebeat.yml.j2 ├── tasks ├── setup-RedHat.yml ├── main.yml ├── config.yml └── setup-Debian.yml ├── meta └── main.yml ├── LICENSE ├── defaults └── main.yml └── README.md /.ansible-lint: -------------------------------------------------------------------------------- 1 | skip_list: 2 | - 'yaml' 3 | - 'role-name' 4 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.retry 2 | */__pycache__ 3 | *.pyc 4 | .cache 5 | .venv 6 | -------------------------------------------------------------------------------- /molecule/default/requirements.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - src: geerlingguy.java 3 | -------------------------------------------------------------------------------- /handlers/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: restart filebeat 3 | service: name=filebeat state=restarted 4 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | --- 3 | github: geerlingguy 4 | patreon: geerlingguy 5 | -------------------------------------------------------------------------------- /.yamllint: -------------------------------------------------------------------------------- 1 | --- 2 | extends: default 3 | 4 | rules: 5 | line-length: 6 | max: 120 7 | level: warning 8 | 9 | ignore: | 10 | .github/workflows/stale.yml 11 | 
-------------------------------------------------------------------------------- /templates/beats.repo.j2: -------------------------------------------------------------------------------- 1 | [elastic-{{ filebeat_version }}] 2 | name=Elastic repository for {{ filebeat_version }} packages 3 | baseurl=https://artifacts.elastic.co/packages/{{ filebeat_version }}/yum 4 | gpgcheck=1 5 | gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch 6 | enabled=1 7 | autorefresh=1 8 | type=rpm-md 9 | -------------------------------------------------------------------------------- /tasks/setup-RedHat.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Add Elasticsearch GPG key. 3 | rpm_key: 4 | key: https://artifacts.elastic.co/GPG-KEY-elasticsearch 5 | state: present 6 | 7 | - name: Add Filebeat repository. 8 | template: 9 | src: beats.repo.j2 10 | dest: /etc/yum.repos.d/beats.repo 11 | mode: 0644 12 | -------------------------------------------------------------------------------- /tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - include_tasks: setup-RedHat.yml 3 | when: ansible_facts.os_family == 'RedHat' 4 | 5 | - include_tasks: setup-Debian.yml 6 | when: ansible_facts.os_family == 'Debian' 7 | 8 | - name: Install Filebeat. 9 | package: 10 | name: "{{ filebeat_package }}" 11 | state: "{{ filebeat_package_state }}" 12 | 13 | - include_tasks: config.yml 14 | when: filebeat_create_config | bool 15 | 16 | - name: Ensure Filebeat is started and enabled at boot. 
17 | service: 18 | name: filebeat 19 | state: started 20 | enabled: true 21 | -------------------------------------------------------------------------------- /molecule/default/molecule.yml: -------------------------------------------------------------------------------- 1 | --- 2 | role_name_check: 1 3 | dependency: 4 | name: galaxy 5 | options: 6 | ignore-errors: true 7 | driver: 8 | name: docker 9 | platforms: 10 | - name: instance 11 | image: "geerlingguy/docker-${MOLECULE_DISTRO:-rockylinux9}-ansible:latest" 12 | command: ${MOLECULE_DOCKER_COMMAND:-""} 13 | volumes: 14 | - /sys/fs/cgroup:/sys/fs/cgroup:rw 15 | cgroupns_mode: host 16 | privileged: true 17 | pre_build_image: true 18 | provisioner: 19 | name: ansible 20 | playbooks: 21 | converge: ${MOLECULE_PLAYBOOK:-converge.yml} 22 | -------------------------------------------------------------------------------- /meta/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | dependencies: [] 3 | 4 | galaxy_info: 5 | role_name: filebeat 6 | author: geerlingguy 7 | description: Filebeat for Linux. 8 | company: "Midwestern Mac, LLC" 9 | license: "license (BSD, MIT)" 10 | min_ansible_version: 2.10 11 | platforms: 12 | - name: Debian 13 | versions: 14 | - jessie 15 | - stretch 16 | - name: Ubuntu 17 | versions: 18 | - trusty 19 | - xenial 20 | - bionic 21 | galaxy_tags: 22 | - web 23 | - system 24 | - monitoring 25 | - elasticsearch 26 | - logging 27 | - filebeat 28 | -------------------------------------------------------------------------------- /molecule/default/converge.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Converge 3 | hosts: all 4 | # become: true 5 | 6 | pre_tasks: 7 | - name: Update apt cache. 8 | apt: update_cache=true cache_valid_time=600 9 | when: ansible_facts.os_family == 'Debian' 10 | 11 | - name: Install test dependencies (RedHat). 
12 | dnf: 13 | name: 14 | - which 15 | - curl 16 | allowerasing: true 17 | state: present 18 | when: ansible_facts.os_family == 'RedHat' 19 | 20 | - name: Install test dependencies. 21 | package: name=curl state=present 22 | 23 | - name: Set the java_packages variable (Ubuntu). 24 | set_fact: 25 | java_packages: 26 | - openjdk-8-jdk 27 | when: ansible_facts.distribution == 'Ubuntu' 28 | 29 | roles: 30 | - role: geerlingguy.java 31 | - role: geerlingguy.filebeat 32 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2017 Jeff Geerling 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy of 6 | this software and associated documentation files (the "Software"), to deal in 7 | the Software without restriction, including without limitation the rights to 8 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 9 | the Software, and to permit persons to whom the Software is furnished to do so, 10 | subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 17 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 18 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 19 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
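21 |
--------------------------------------------------------------------------------
/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | filebeat_version: 7.x
3 | filebeat_package: filebeat
4 | filebeat_package_state: present
5 |
6 | filebeat_create_config: true
7 | filebeat_template: "filebeat.yml.j2"
8 |
9 | filebeat_inputs:
10 |   - type: log
11 |     paths:
12 |       - "/var/log/*.log"
13 |
14 | filebeat_output_elasticsearch_enabled: false
15 | filebeat_output_elasticsearch_hosts:
16 |   - "localhost:9200"
17 |
18 | # Either `username` and `password`, or `api_key`. The values are written into
19 | # /etc/filebeat/filebeat.yml, so supply real ones from an encrypted source
20 | # (for example Ansible Vault) rather than in clear text.
21 | filebeat_output_elasticsearch_auth: {}
22 |
23 | filebeat_output_logstash_enabled: true
24 | filebeat_output_logstash_hosts:
25 |   - "localhost:5044"
26 |
27 | filebeat_enable_logging: false
28 | filebeat_log_level: warning
29 | filebeat_log_dir: /var/log/mybeat
30 | filebeat_log_filename: mybeat.log
31 |
32 | filebeat_ssl_certs_dir: /etc/pki/logstash
33 | filebeat_ssl_private_dir: "{{ filebeat_ssl_certs_dir }}"
34 | filebeat_ssl_ca_file: ""
35 | filebeat_ssl_certificate_file: ""
36 | filebeat_ssl_key_file: ""
37 | filebeat_ssl_copy_files: true
38 | # Rendered as the `insecure` option of the output's ssl section. "true" turns
39 | # off verification of the server certificate and host name; testing only.
40 | filebeat_ssl_insecure: "false"
41 |
42 | filebeat_elastic_cloud_enabled: false
43 | filebeat_elastic_cloud_id: ""
44 | filebeat_elastic_cloud_username: ""
45 | filebeat_elastic_cloud_password: ""
46 |
--------------------------------------------------------------------------------
/tasks/config.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # The rendered file can contain the Elasticsearch password or API key and the
3 | # Elastic Cloud credentials (see templates/filebeat.yml.j2), so only root may
4 | # read it.
5 | - name: Copy Filebeat configuration.
6 |   template:
7 |     src: "{{ filebeat_template }}"
8 |     dest: "/etc/filebeat/filebeat.yml"
9 |     owner: root
10 |     group: root
11 |     mode: "0600"
12 |   notify: restart filebeat
13 |
14 | - name: Ensure Filebeat SSL directories exist.
15 |   file:
16 |     path: "{{ item }}"
17 |     state: directory
18 |     mode: "0755"
19 |   loop:
20 |     - "{{ filebeat_ssl_certs_dir }}"
21 |     - "{{ filebeat_ssl_private_dir }}"
22 |   when: filebeat_ssl_key_file | default('') | length > 0
23 |
24 | # The private key is written owner-only; the certificate is public material
25 | # and stays world-readable.
26 | # NOTE(review): filebeat_ssl_ca_file is referenced by the template but is not
27 | # copied here - confirm the CA file is expected to be placed by other means.
28 | - name: Copy SSL key and cert for filebeat.
29 |   copy:
30 |     src: "{{ item.file }}"
31 |     dest: "{{ item.dir }}/{{ item.file | basename }}"
32 |     mode: "{{ item.mode }}"
33 |   with_items:
34 |     - dir: "{{ filebeat_ssl_private_dir }}"
35 |       file: "{{ filebeat_ssl_key_file }}"
36 |       mode: "0600"
37 |     - dir: "{{ filebeat_ssl_certs_dir }}"
38 |       file: "{{ filebeat_ssl_certificate_file }}"
39 |       mode: "0644"
40 |   notify: restart filebeat
41 |   when:
42 |     - filebeat_ssl_copy_files | bool
43 |     - filebeat_ssl_key_file | default('') | length > 0
44 |     - filebeat_ssl_certificate_file | default('') | length > 0
45 |
46 | # - name: Ensure filebeat can read system's private key
47 |
--------------------------------------------------------------------------------
/.github/workflows/release.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # This workflow requires a GALAXY_API_KEY secret present in the GitHub
3 | # repository or organization.
4 | #
5 | # See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
6 | # See: https://github.com/ansible/galaxy/issues/46
7 |
8 | name: Release
9 | 'on':
10 |   push:
11 |     tags:
12 |       - '*'
13 |
14 | # The job only reads the repository; publishing is authorised by
15 | # GALAXY_API_KEY, not by the workflow token.
16 | permissions:
17 |   contents: read
18 |
19 | defaults:
20 |   run:
21 |     working-directory: 'geerlingguy.filebeat'
22 |
23 | jobs:
24 |
25 |   release:
26 |     name: Release
27 |     runs-on: ubuntu-latest
28 |     steps:
29 |       - name: Check out the codebase.
30 |         uses: actions/checkout@v4
31 |         with:
32 |           path: 'geerlingguy.filebeat'
33 |
34 |       - name: Set up Python 3.
35 |         uses: actions/setup-python@v5
36 |         with:
37 |           python-version: '3.13'  # Can't go to 3.14+ until Ansible 13.x
38 |
39 |       - name: Install Ansible.
40 |         run: pip3 install ansible-core
41 |
42 |       # The API key and the repository name reach the shell as quoted
43 |       # environment variables instead of being pasted into the script text.
44 |       - name: Trigger a new import on Galaxy.
45 |         run: >-
46 |           ansible-galaxy role import --api-key "$GALAXY_API_KEY"
47 |           "$(echo "$GITHUB_REPOSITORY" | cut -d/ -f1)" "$(echo "$GITHUB_REPOSITORY" | cut -d/ -f2)"
48 |         env:
49 |           GALAXY_API_KEY: ${{ secrets.GALAXY_API_KEY }}
50 |
--------------------------------------------------------------------------------
/tasks/setup-Debian.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: Ensure apt key is not present in trusted.gpg.d
3 |   ansible.builtin.file:
4 |     path: /etc/apt/trusted.gpg.d/filebeat.asc
5 |     state: absent
6 |
7 | - name: find all old apt source lists for filebeat
8 |   ansible.builtin.find:
9 |     paths: /etc/apt/sources.list.d/
10 |     patterns: 'artifacts_elastic_co_packages_*_apt.list'
11 |   register: old_filebeat_apt_lists
12 |
13 | - name: Ensure old apt source list is not present in /etc/apt/sources.list.d
14 |   ansible.builtin.file:
15 |     path: "{{ item.path }}"
16 |     state: absent
17 |   loop: "{{ old_filebeat_apt_lists.files }}"
18 |
19 | - name: Ensure required dependencies are present.
20 |   apt:
21 |     name:
22 |       - python3-debian
23 |       - ca-certificates
24 |     state: present
25 |
26 | - name: Add Filebeat repository.
27 |   ansible.builtin.deb822_repository:
28 |     name: elasticsearch
29 |     types: [deb]
30 |     uris: https://artifacts.elastic.co/packages/{{ filebeat_version }}/apt
31 |     suites: [stable]
32 |     components: [main]
33 |     signed_by: https://artifacts.elastic.co/GPG-KEY-elasticsearch
34 |     state: present
35 |
36 | - name: Update apt cache.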
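37 |   ansible.builtin.apt:
38 |     update_cache: true
39 |
--------------------------------------------------------------------------------
/.github/workflows/ci.yml:
--------------------------------------------------------------------------------
1 | ---
2 | name: CI
3 | 'on':
4 |   pull_request:
5 |   push:
6 |     branches:
7 |       - master
8 |   schedule:
9 |     - cron: "30 2 * * 1"
10 |
11 | # Both jobs only read the checked-out repository, so the workflow token is
12 | # limited to read access on repository contents.
13 | permissions:
14 |   contents: read
15 |
16 | defaults:
17 |   run:
18 |     working-directory: 'geerlingguy.filebeat'
19 |
20 | jobs:
21 |
22 |   lint:
23 |     name: Lint
24 |     runs-on: ubuntu-latest
25 |     steps:
26 |       - name: Check out the codebase.
27 |         uses: actions/checkout@v4
28 |         with:
29 |           path: 'geerlingguy.filebeat'
30 |
31 |       - name: Set up Python 3.
32 |         uses: actions/setup-python@v5
33 |         with:
34 |           python-version: '3.13'  # Can't go to 3.14+ until Ansible 13.x
35 |
36 |       - name: Install test dependencies.
37 |         run: pip3 install yamllint
38 |
39 |       - name: Lint code.
40 |         run: |
41 |           yamllint .
42 |
43 |   molecule:
44 |     name: Molecule
45 |     runs-on: ubuntu-latest
46 |     strategy:
47 |       matrix:
48 |         distro:
49 |           - rockylinux9
50 |           - ubuntu2404
51 |           - debian12
52 |
53 |     steps:
54 |       - name: Check out the codebase.
55 |         uses: actions/checkout@v4
56 |         with:
57 |           path: 'geerlingguy.filebeat'
58 |
59 |       - name: Set up Python 3.
60 |         uses: actions/setup-python@v5
61 |         with:
62 |           python-version: '3.13'  # Can't go to 3.14+ until Ansible 13.x
63 |
64 |       - name: Install test dependencies.
65 |         run: pip3 install ansible molecule molecule-plugins[docker] docker
66 |
67 |       - name: Run Molecule tests.
68 |         run: molecule test
69 |         env:
70 |           PY_COLORS: '1'
71 |           ANSIBLE_FORCE_COLOR: '1'
72 |           MOLECULE_DISTRO: ${{ matrix.distro }}
73 |
--------------------------------------------------------------------------------
/.github/workflows/stale.yml:
--------------------------------------------------------------------------------
1 | ---
2 | name: Close inactive issues
3 | 'on':
4 |   schedule:
5 |     - cron: "55 19 * * 0"  # semi-random time
6 |
7 | jobs:
8 |   close-issues:
9 |     runs-on: ubuntu-latest
10 |     permissions:
11 |       issues: write
12 |       pull-requests: write
13 |     steps:
14 |       - uses: actions/stale@v8
15 |         with:
16 |           days-before-stale: 120
17 |           days-before-close: 60
18 |           exempt-issue-labels: bug,pinned,security,planned
19 |           exempt-pr-labels: bug,pinned,security,planned
20 |           stale-issue-label: "stale"
21 |           stale-pr-label: "stale"
22 |           stale-issue-message: |
23 |             This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
24 |
25 |             Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
26 |           close-issue-message: |
27 |             This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
28 |           stale-pr-message: |
29 |             This pr has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
30 |
31 |             Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
32 |           close-pr-message: |
33 |             This pr has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.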
34 | repo-token: ${{ secrets.GITHUB_TOKEN }} 35 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Ansible Role: Filebeat for ELK Stack 2 | 3 | [![CI](https://github.com/geerlingguy/ansible-role-filebeat/actions/workflows/ci.yml/badge.svg)](https://github.com/geerlingguy/ansible-role-filebeat/actions/workflows/ci.yml) 4 | 5 | An Ansible Role that installs [Filebeat](https://www.elastic.co/products/beats/filebeat) on RedHat/CentOS or Debian/Ubuntu. 6 | 7 | ## Requirements 8 | 9 | None. 10 | 11 | ## Role Variables 12 | 13 | Available variables are listed below, along with default values (see `defaults/main.yml`): 14 | 15 | filebeat_version: 7.x 16 | 17 | Controls the major version of Filebeat which is installed. 18 | 19 | filebeat_package: filebeat 20 | filebeat_package_state: present 21 | 22 | The specific package to be installed. You can specify a version of the package using the correct syntax for your platform and package manager by changing the package name. You can also control the package state (e.g. present, absent, or latest). 23 | 24 | filebeat_create_config: true 25 | 26 | Whether to create the Filebeat configuration file and handle the copying of SSL key and cert for filebeat. If you prefer to create a configuration file yourself you can set this to `false`. 27 | 28 | filebeat_inputs: 29 | - type: log 30 | paths: 31 | - "/var/log/*.log" 32 | 33 | Inputs that will be listed in the `inputs` section of the Filebeat configuration. Read through the [Filebeat Inputs configuration guide](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html) for more options. 34 | 35 | filebeat_output_elasticsearch_enabled: false 36 | filebeat_output_elasticsearch_hosts: 37 | - "localhost:9200" 38 | 39 | Whether to enable Elasticsearch output, and which hosts to send output to. 
40 | 41 | filebeat_output_elasticsearch_auth: 42 | username: "admin" 43 | password: "S3CR3eeet" 44 | 45 | # or, only for version 8+ 46 | filebeat_output_elasticsearch_auth: 47 | api_key: "xa-123a-f3ea012d-aaae1" 48 | 49 | Configures the authentication for the elasticsearch output. Note that api_key and user/pass are mutually exclusive, and api_key is only available from version 8. These values are written into the generated Filebeat configuration, so keep real credentials out of plain-text variable files, for example by encrypting them with Ansible Vault. 50 | 51 | filebeat_output_logstash_enabled: true 52 | filebeat_output_logstash_hosts: 53 | - "localhost:5000" 54 | 55 | Whether to enable Logstash output, and which hosts to send output to. 56 | 57 | filebeat_enable_logging: false 58 | filebeat_log_level: warning 59 | filebeat_log_dir: /var/log/filebeat 60 | filebeat_log_filename: filebeat.log 61 | 62 | Filebeat logging. 63 | 64 | filebeat_ssl_certs_dir: /etc/pki/logstash 65 | filebeat_ssl_private_dir: "{{ filebeat_ssl_certs_dir }}" 66 | 67 | The path where certificates and keyfiles will be stored. 68 | 69 | filebeat_ssl_ca_file: "" 70 | filebeat_ssl_certificate_file: "" 71 | filebeat_ssl_key_file: "" 72 | 73 | Local paths to the SSL certificate and key files. 74 | 75 | filebeat_ssl_copy_files: true 76 | 77 | Whether to copy the certificate and key into `filebeat_ssl_certs_dir` and `filebeat_ssl_private_dir`, or to use files that already exist there. 78 | 79 | For utmost security, you should use your own valid certificate and keyfile, and update the `filebeat_ssl_*` variables in your playbook to use your certificate. 80 | 81 | To generate a self-signed certificate/key pair, you can use the command below; `-nodes` leaves the private key unencrypted, so keep `filebeat.key` readable only by its owner: 82 | 83 | $ sudo openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout filebeat.key -out filebeat.crt 84 | 85 | Note that filebeat and logstash may not work correctly with self-signed certificates unless you also have the full chain of trust (including the Certificate Authority for your self-signed cert) added on your server. 
See: https://github.com/elastic/logstash/issues/4926#issuecomment-203936891 86 | 87 | filebeat_ssl_insecure: "false" 88 | 89 | Set this to `"true"` to allow the use of self-signed certificates (when a CA isn't available). This turns off verification of the server certificate and host name, which leaves the connection open to man-in-the-middle attacks, so use it only for testing. 90 | 91 | filebeat_name: "" 92 | 93 | Sets the name of the filebeat. If not set, the hostname is used. 94 | 95 | ### Overriding the filebeat template 96 | 97 | If you can't customize via variables because an option isn't exposed, you can override the template used to generate the filebeat configuration. 98 | 99 | filebeat_template: "filebeat.yml.j2" 100 | 101 | You can either copy and modify the provided template, or you can, for example, point to a template file in your playbook directory that will be used instead of the managed template. 102 | 103 | filebeat_template: "{{ playbook_dir }}/templates/filebeat.yml.j2" 104 | 105 | ## Dependencies 106 | 107 | None. 108 | 109 | ## Example Playbook 110 | 111 | - hosts: logs 112 | 113 | - name: Set the java_packages variable (Debian/Ubuntu). 114 | set_fact: 115 | java_packages: 116 | - openjdk-8-jdk 117 | when: ansible_facts.os_family == 'Debian' 118 | 119 | roles: 120 | - geerlingguy.java 121 | - geerlingguy.elasticsearch 122 | - geerlingguy.logstash 123 | - geerlingguy.filebeat 124 | 125 | ## License 126 | 127 | MIT / BSD 128 | 129 | ## Author Information 130 | 131 | This role was created in 2016 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/). 132 | -------------------------------------------------------------------------------- /templates/filebeat.yml.j2: -------------------------------------------------------------------------------- 1 | {% if filebeat_name is defined and filebeat_name != "" %} 2 | name: {{ filebeat_name }} 3 | 4 | {% endif %} 5 | filebeat: 6 | # List of inputs. 7 | inputs: 8 | {{ filebeat_inputs | to_json }} 9 | 10 | # Configure what outputs to use when sending the data collected by the beat. 
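11 | # Multiple outputs may be used.
12 | output:
13 |
14 | {% if filebeat_output_elasticsearch_enabled %}
15 |   ### Elasticsearch as output
16 |   elasticsearch:
17 |     # Array of hosts to connect to.
18 |     hosts: {{ filebeat_output_elasticsearch_hosts | to_json }}
19 |
20 |     # Optional auth via API Key or username/password.
21 |     # The options are mutually exclusive and api_key takes the precedence.
22 |     # Values go through to_json so that a quote or backslash in a secret
23 |     # cannot break the generated YAML.
24 |     {% if 'api_key' in filebeat_output_elasticsearch_auth -%}
25 |     api_key: {{ filebeat_output_elasticsearch_auth.api_key | string | to_json }}
26 |     {% elif 'username' in filebeat_output_elasticsearch_auth -%}
27 |     username: {{ filebeat_output_elasticsearch_auth.username | string | to_json }}
28 |     password: {{ filebeat_output_elasticsearch_auth.password | string | to_json }}
29 |     {% endif %}
30 |
31 |     # Number of workers per Elasticsearch host.
32 |     #worker: 1
33 |
34 |     # Optional index name. The default is "filebeat" and generates
35 |     # [filebeat-]YYYY.MM.DD keys.
36 |     #index: "filebeat"
37 |
38 |     # Optional HTTP Path
39 |     #path: "/elasticsearch"
40 |
41 |     # Proxy server URL
42 |     # proxy_url: http://proxy:3128
43 |
44 |     # The number of times a particular Elasticsearch index operation is attempted. If
45 |     # the indexing operation doesn't succeed after this many retries, the events are
46 |     # dropped. The default is 3.
47 |     #max_retries: 3
48 |
49 |     # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
50 |     # The default is 50.
51 |     #bulk_max_size: 50
52 |
53 |     # Configure http request timeout before failing a request to Elasticsearch.
54 |     #timeout: 90
55 |
56 |     # The number of seconds to wait for new events between two bulk API index requests.
57 |     # If `bulk_max_size` is reached before this interval expires, additional bulk index
58 |     # requests are made.
59 |     #flush_interval: 1
60 |
61 |     # Boolean that sets if the topology is kept in Elasticsearch. The default is
62 |     # false. This option makes sense only for Packetbeat.
63 |     #save_topology: false
64 |
65 |     # The time to live in seconds for the topology information that is stored in
66 |     # Elasticsearch. The default is 15 seconds.
67 |     #topology_expire: 15
68 |
69 | {% if filebeat_ssl_certificate_file and filebeat_ssl_key_file %}
70 |     # ssl configuration. By default is off.
71 |     ssl:
72 | {% if filebeat_ssl_ca_file %}
73 |       # List of root certificates for HTTPS server verifications.
74 |       # Rendered only when filebeat_ssl_ca_file is set, so an empty value does
75 |       # not produce a path that points at the certificate directory itself.
76 |       certificate_authorities: ["{{ filebeat_ssl_certs_dir }}/{{ filebeat_ssl_ca_file | basename }}"]
77 |
78 | {% endif %}
79 |       # Certificate for TLS client authentication
80 |       certificate: "{{ filebeat_ssl_certs_dir }}/{{ filebeat_ssl_certificate_file | basename }}"
81 |
82 |       # Client Certificate Key
83 |       key: "{{ filebeat_ssl_private_dir }}/{{ filebeat_ssl_key_file | basename}}"
84 |
85 |       # Controls whether the client verifies server certificates and host name.
86 |       # If insecure is set to true, all server host names and certificates will be
87 |       # accepted. In this mode TLS based connections are susceptible to
88 |       # man-in-the-middle attacks. Use only for testing.
89 |       # NOTE(review): confirm that the installed Filebeat release still honours
90 |       # `insecure`; current Beats documentation describes `verification_mode`.
91 |       insecure: {{ filebeat_ssl_insecure }}
92 |
93 |       # Configure cipher suites to be used for TLS connections
94 |       #cipher_suites: []
95 |
96 |       # Configure curve types for ECDHE based cipher suites
97 |       #curve_types: []
98 |
99 |       # Configure minimum TLS version allowed for connection to logstash
100 |       #min_version: 1.0
101 |
102 |       # Configure maximum TLS version allowed for connection to logstash
103 |       #max_version: 1.2
104 | {% endif %}
105 | {% endif %}
106 |
107 | {% if filebeat_output_logstash_enabled %}
108 |   ### Logstash as output
109 |   logstash:
110 |     # The Logstash hosts
111 |     hosts: {{ filebeat_output_logstash_hosts | to_json }}
112 |
113 |     # Number of workers per Logstash host.
114 |     #worker: 1
115 |
116 |     # Optional load balance the events between the Logstash hosts
117 |     #loadbalance: true
118 |
119 |     # Optional index name. The default index name depends on each beat.
120 |     # For Packetbeat, the default is set to packetbeat, for Topbeat
121 |     # to topbeat and for Filebeat to filebeat.
122 |     #index: filebeat
123 |
124 | {% if filebeat_ssl_certificate_file and filebeat_ssl_key_file %}
125 |     # ssl configuration. By default is off.
126 |     ssl:
127 | {% if filebeat_ssl_ca_file %}
128 |       # List of root certificates for HTTPS server verifications.
129 |       # Rendered only when filebeat_ssl_ca_file is set, so an empty value does
130 |       # not produce a path that points at the certificate directory itself.
131 |       certificate_authorities: ["{{ filebeat_ssl_certs_dir }}/{{ filebeat_ssl_ca_file | basename }}"]
132 |
133 | {% endif %}
134 |       # Certificate for TLS client authentication
135 |       certificate: "{{ filebeat_ssl_certs_dir }}/{{ filebeat_ssl_certificate_file | basename }}"
136 |
137 |       # Client Certificate Key
138 |       key: "{{ filebeat_ssl_private_dir }}/{{ filebeat_ssl_key_file | basename}}"
139 |
140 |       # Controls whether the client verifies server certificates and host name.
141 |       # If insecure is set to true, all server host names and certificates will be
142 |       # accepted. In this mode TLS based connections are susceptible to
143 |       # man-in-the-middle attacks. Use only for testing.
144 |       # NOTE(review): confirm that the installed Filebeat release still honours
145 |       # `insecure`; current Beats documentation describes `verification_mode`.
146 |       insecure: {{ filebeat_ssl_insecure }}
147 |
148 |       # Configure cipher suites to be used for TLS connections
149 |       #cipher_suites: []
150 |
151 |       # Configure curve types for ECDHE based cipher suites
152 |       #curve_types: []
153 | {% endif %}
154 | {% endif %}
155 |
156 | {% if filebeat_enable_logging %}
157 | logging:
158 |   ### Filebeat log
159 |   level: {{ filebeat_log_level }}
160 |
161 |   # Enable file rotation with default configuration
162 |   to_files: true
163 |
164 |   # Do not log to syslog
165 |   to_syslog: false
166 |
167 |   files:
168 |     path: {{ filebeat_log_dir }}
169 |     name: {{ filebeat_log_filename }}
170 |     keepfiles: 7
171 | {% endif %}
172 |
173 | {% if filebeat_elastic_cloud_enabled %}
174 | # =============================== Elastic Cloud ================================
175 | # The cloud.id setting overwrites the `output.elasticsearch.hosts` and
176 | # `setup.kibana.host` options.
177 | # You can find the `cloud.id` in the Elastic Cloud web UI.
178 | cloud.id: {{ filebeat_elastic_cloud_id }}
179 |
180 | # The cloud.auth setting overwrites the `output.elasticsearch.username` and
181 | # `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
182 | # Quoted through to_json so special characters in the password stay literal.
183 | cloud.auth: {{ (filebeat_elastic_cloud_username ~ ':' ~ filebeat_elastic_cloud_password) | to_json }}
184 | {% endif %}
185 |
--------------------------------------------------------------------------------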