-
Notifications
You must be signed in to change notification settings - Fork 5k
Expand file tree
/
Copy pathfilebeat.inputs.reference.yml.tmpl
More file actions
904 lines (683 loc) · 34.3 KB
/
Copy pathfilebeat.inputs.reference.yml.tmpl
File metadata and controls
904 lines (683 loc) · 34.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
#=========================== Filebeat inputs =============================
# List of inputs to fetch data.
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
# Type of the files. Based on this the way the file is read is decided.
# The different types cannot be mixed in one input
#
# Possible options are:
# * filestream: Reads every line of the log file
# * log: Reads every line of the log file (deprecated)
# * stdin: Reads the standard in
#------------------------------ Log input --------------------------------
- type: log
# Change to true to enable this input configuration.
enabled: false
# Paths that should be crawled and fetched. Glob based paths.
# To fetch all ".log" files from a specific level of subdirectories
# /var/log/*/*.log can be used.
# For each file found under this path, a harvester is started.
# Make sure no file is defined twice as this can lead to unexpected behaviour.
paths:
- /var/log/*.log
#- c:\programdata\elasticsearch\logs\*
# Configure the file encoding for reading files with international characters
# following the W3C recommendation for HTML5 (http://www.w3.org/TR/encoding).
# Some sample encodings:
# plain, utf-8, utf-16be-bom, utf-16be, utf-16le, big5, gb18030, gbk,
# hz-gb-2312, euc-kr, euc-jp, iso-2022-jp, shift-jis, ...
#encoding: plain
# Exclude lines. A list of regular expressions to match. It drops the lines that are
# matching any regular expression from the list. The include_lines is called before
# exclude_lines. By default, no lines are dropped.
#exclude_lines: ['^DBG']
# Include lines. A list of regular expressions to match. It exports the lines that are
# matching any regular expression from the list. The include_lines is called before
# exclude_lines. By default, all the lines are exported.
#include_lines: ['^ERR', '^WARN']
# Exclude files. A list of regular expressions to match. Filebeat drops the files that
# are matching any regular expression from the list. By default, no files are dropped.
#exclude_files: ['.gz$']
# Method to determine if two files are the same or not. By default
# the Beat considers two files the same if their inode and device id are the same.
#file_identity.native: ~
# Optional additional fields. These fields can be freely picked
# to add additional information to the crawled log files for filtering
#fields:
# level: debug
# review: 1
# Set to true to store the additional fields as top-level fields instead
# of under the "fields" sub-dictionary. In case of name conflicts with the
# fields added by Filebeat itself, the custom fields overwrite the default
# fields.
#fields_under_root: false
# Set to true to publish fields with null values in events.
#keep_null: false
# By default, all events contain `host.name`. This option can be set to true
# to disable the addition of this field to all events. The default value is
# false.
#publisher_pipeline.disable_host: false
# Ignore files that were modified more than the defined timespan in the past.
# ignore_older is disabled by default, so no files are ignored by setting it to 0.
# Time strings like 2h (2 hours), 5m (5 minutes) can be used.
#ignore_older: 0
# How often the input checks for new files in the paths that are specified
# for harvesting. Specify 1s to scan the directory as frequently as possible
# without causing Filebeat to scan too frequently. Default: 10s.
#scan_frequency: 10s
# Defines the buffer size every harvester uses when fetching the file
#harvester_buffer_size: 16384
# Maximum number of bytes a single log event can have
# All bytes after max_bytes are discarded and not sent. The default is 10MB.
# This is especially useful for multiline log messages which can get large.
#max_bytes: 10485760
# Characters that separate the lines. Valid values: auto, line_feed, vertical_tab, form_feed,
# carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator,
# null_terminator
#line_terminator: auto
### Recursive glob configuration
# Expand "**" patterns into regular glob patterns.
#recursive_glob.enabled: true
### JSON configuration
# Decode JSON options. Enable this if your logs are structured in JSON.
# JSON key on which to apply the line filtering and multiline settings. This key
# must be top level and its value must be string, otherwise it is ignored. If
# no text key is defined, the line filtering and multiline features cannot be used.
#json.message_key:
# By default, the decoded JSON is placed under a "json" key in the output document.
# If you enable this setting, the keys are copied top level in the output document.
#json.keys_under_root: false
# If keys_under_root and this setting are enabled, then the values from the decoded
# JSON object overwrites the fields that Filebeat normally adds (type, source, offset, etc.)
# in case of conflicts.
#json.overwrite_keys: false
# If this setting is enabled, then keys in the decoded JSON object will be recursively
# de-dotted, and expanded into a hierarchical object structure.
# For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`.
#json.expand_keys: false
# If this setting is enabled, Filebeat adds an "error.message" and "error.key: json" key in case of JSON
# unmarshaling errors or when a text key is defined in the configuration but cannot
# be used.
#json.add_error_key: false
### Multiline options
# Multiline can be used for log messages spanning multiple lines. This is common
# for Java Stack Traces or C-Line Continuation
# The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
#multiline.pattern: ^\[
# Defines if the pattern set under the pattern should be negated or not. Default is false.
#multiline.negate: false
# Match can be set to "after" or "before". It is used to define if lines should be appended to a pattern
# that was (not) matched before or after or as long as a pattern is not matched based on negate.
# Note: After is the equivalent to previous and before is the equivalent to to next in Logstash
#multiline.match: after
# The maximum number of lines that are combined into one event.
# In case there are more the max_lines the additional lines are discarded.
# Default is 500
#multiline.max_lines: 500
# After the defined timeout, a multiline event is sent even if no new pattern was found to start a new event
# Default is 5s.
#multiline.timeout: 5s
# To aggregate constant number of lines into a single event use the count mode of multiline.
#multiline.type: count
# The number of lines to aggregate into a single event.
#multiline.count_lines: 3
# Do not add new line characters when concatenating lines.
#multiline.skip_newline: false
# Setting tail_files to true means filebeat starts reading new files at the end
# instead of the beginning. If this is used in combination with log rotation
# this can mean that the first entries of a new file are skipped.
#tail_files: false
# The ingest pipeline ID associated with this input. If this is set, it
# overwrites the pipeline option from the Elasticsearch output.
#pipeline:
# If symlinks is enabled, symlinks are opened and harvested. The harvester is opening the
# original for harvesting but will report the symlink name as the source.
#symlinks: false
# Backoff values define how aggressively filebeat crawls new files for updates
# The default values can be used in most cases. Backoff defines how long it has to wait
# to check a file again after EOF is reached. Default is 1s which means the file
# is checked every second if new lines were added. This leads to a near real-time crawling.
# Every time a new line appears, backoff is reset to the initial value.
#backoff: 1s
# Max backoff defines what the maximum backoff time is. After having backed off multiple times
# from checking the files, the waiting time will never exceed max_backoff independent of the
# backoff factor. Having it set to 10s means in the worst case a new line can be added to a log
# file after having backed off multiple times, it takes a maximum of 10s to read the new line
#max_backoff: 10s
# The backoff factor defines how fast the algorithm backs off. The bigger the backoff factor,
# the faster the max_backoff value is reached. If this value is set to 1, no backoff will happen.
# The backoff value will be multiplied each time with the backoff_factor until max_backoff is reached
#backoff_factor: 2
# Max number of harvesters that are started in parallel.
# Default is 0 which means unlimited
#harvester_limit: 0
### Harvester closing options
# Close inactive closes the file handler after the predefined period.
# The period starts when the last line of the file was, not the file ModTime.
# Time strings like 2h (2 hours), and 5m (5 minutes) can be used.
#close_inactive: 5m
# Close renamed closes a file handler when the file is renamed or rotated.
# Note: Potential data loss. Make sure to read and understand the docs for this option.
#close_renamed: false
# When enabling this option, a file handler is closed immediately in case a file can't be found
# any more. In case the file shows up again later, harvesting will continue at the last known position
# after scan_frequency.
#close_removed: true
# Closes the file handler as soon as the harvesters reach the end of the file.
# By default this option is disabled.
# Note: Potential data loss. Make sure to read and understand the docs for this option.
#close_eof: false
### State options
# Files for the modification data are older than clean_inactive the state from the registry is removed
# By default this is disabled.
#clean_inactive: 0
# Removes the state for files which cannot be found on disk anymore immediately
#clean_removed: true
# Close timeout closes the harvester after the predefined time.
# This is independent if the harvester did finish reading the file or not.
# By default this option is disabled.
# Note: Potential data loss. Make sure to read and understand the docs for this option.
#close_timeout: 0
# Defines if inputs are enabled
#enabled: true
#--------------------------- Filestream input ----------------------------
- type: filestream
# Unique ID among all inputs, an ID is required.
id: my-filestream-id
# Change to true to enable this input configuration.
enabled: false
# Paths that should be crawled and fetched. Glob based paths.
# To fetch all ".log" files from a specific level of subdirectories
# /var/log/*/*.log can be used.
# For each file found under this path, a harvester is started.
# Make sure no file is defined twice as this can lead to unexpected behaviour.
paths:
- /var/log/*.log
#- c:\programdata\elasticsearch\logs\*
# Configure the file encoding for reading files with international characters
# following the W3C recommendation for HTML5 (http://www.w3.org/TR/encoding).
# Some sample encodings:
# plain, utf-8, utf-16be-bom, utf-16be, utf-16le, big5, gb18030, gbk,
# hz-gb-2312, euc-kr, euc-jp, iso-2022-jp, shift-jis, ...
#encoding: plain
# Exclude lines. A list of regular expressions to match. It drops the lines that are
# matching any regular expression from the list. The include_lines is called before
# exclude_lines. By default, no lines are dropped.
# Line filtering happens after the parsers pipeline. If you would like to filter lines
# before parsers, use include_message parser.
#exclude_lines: ['^DBG']
# Include lines. A list of regular expressions to match. It exports the lines that are
# matching any regular expression from the list. The include_lines is called before
# exclude_lines. By default, all the lines are exported.
# Line filtering happens after the parsers pipeline. If you would like to filter lines
# before parsers, use include_message parser.
#include_lines: ['^ERR', '^WARN']
### Prospector options
# How often the input checks for new files in the paths that are specified
# for harvesting. Specify 1s to scan the directory as frequently as possible
# without causing Filebeat to scan too frequently. Default: 10s.
#prospector.scanner.check_interval: 10s
# Exclude files. A list of regular expressions to match. Filebeat drops the files that
# are matching any regular expression from the list. By default, no files are dropped.
#prospector.scanner.exclude_files: ['.gz$']
# Include files. A list of regular expressions to match. Filebeat keeps only the files that
# are matching any regular expression from the list. By default, no files are dropped.
#prospector.scanner.include_files: ['/var/log/.*']
# Expand "**" patterns into regular glob patterns.
#prospector.scanner.recursive_glob: true
# If symlinks is enabled, symlinks are opened and harvested. The harvester is opening the
# original for harvesting but will report the symlink name as the source.
#prospector.scanner.symlinks: false
# If enabled, instead of relying on the device ID and inode values when comparing files,
# compare hashes of the given byte ranges in files. A file becomes an ingest target
# when its size grows larger than offset+length (see below). Until then it's ignored.
#prospector.scanner.fingerprint.enabled: true
# If fingerprint mode is enabled, sets the offset from the beginning of the file
# for the byte range used for computing the fingerprint value.
#prospector.scanner.fingerprint.offset: 0
# If fingerprint mode is enabled, sets the length of the byte range used for
# computing the fingerprint value. Cannot be less than 64 bytes.
#prospector.scanner.fingerprint.length: 1024
### Parsers configuration
#### JSON configuration
#parsers:
#- ndjson:
# Decode JSON options. Enable this if your logs are structured in JSON.
# JSON key on which to apply the line filtering and multiline settings. This key
# must be top level and its value must be a string, otherwise it is ignored. If
# no text key is defined, the line filtering and multiline features cannot be used.
#message_key:
# By default, the decoded JSON is placed under a "json" key in the output document.
# If you enable this setting, the keys are copied to the top level of the output document.
#keys_under_root: false
# If keys_under_root and this setting are enabled, then the values from the decoded
# JSON object overwrite the fields that Filebeat normally adds (type, source, offset, etc.)
# in case of conflicts.
#overwrite_keys: false
# If this setting is enabled, then keys in the decoded JSON object will be recursively
# de-dotted, and expanded into a hierarchical object structure.
# For example, `{"a.b.c": 123}` would be expanded into `{"a":{"b":{"c":123}}}`.
#expand_keys: false
# If this setting is enabled, Filebeat adds an "error.message" and "error.key: json" key in case of JSON
# unmarshaling errors or when a text key is defined in the configuration but cannot
# be used.
#add_error_key: false
#### Filtering messages
# You can filter messages in the parsers pipeline. Use this method if you would like to
# include or exclude lines before they are aggregated into multiline or the JSON contents
# are parsed.
#parsers:
#- include_message.patterns:
#- ["WARN", "ERR"]
#### Multiline options
# Multiline can be used for log messages spanning multiple lines. This is common
# for Java Stack Traces or C-Line Continuation
#parsers:
#- multiline:
#type: pattern
# The regexp Pattern that has to be matched. The example pattern matches all lines starting with [
#pattern: ^\[
# Defines if the pattern set under the pattern setting should be negated or not. Default is false.
#negate: false
# Match can be set to "after" or "before". It is used to define if lines should be appended to a pattern
# that was (not) matched before or after or as long as a pattern is not matched based on negate.
# Note: After is the equivalent to previous and before is the equivalent to next in Logstash
#match: after
# The maximum number of lines that are combined into one event.
# In case there are more than max_lines the additional lines are discarded.
# Default is 500
#max_lines: 500
# After the defined timeout, a multiline event is sent even if no new pattern was found to start a new event
# Default is 5s.
#timeout: 5s
# Do not add new line character when concatenating lines.
#skip_newline: false
# To aggregate constant number of lines into a single event use the count mode of multiline.
#parsers:
#- multiline:
#type: count
# The number of lines to aggregate into a single event.
#count_lines: 3
# The maximum number of lines that are combined into one event.
# In case there are more than max_lines the additional lines are discarded.
# Default is 500
#max_lines: 500
# After the defined timeout, a multiline event is sent even if no new pattern was found to start a new event
# Default is 5s.
#timeout: 5s
# Do not add new line characters when concatenating lines.
#skip_newline: false
#### Parsing container events
# You can parse container events with different formats from all streams.
#parsers:
#- container:
# Source of container events. Available options: all, stdin, stderr.
#stream: all
# Format of the container events. Available options: auto, cri, docker, json-file
#format: auto
### Log rotation
# When an external tool rotates the input files with copytruncate strategy
# use this section to help the input find the rotated files.
#rotation.external.strategy.copytruncate:
# Regex that matches the rotated files.
# suffix_regex: \.\d$
# If the rotated filename suffix is a datetime, set it here.
# dateformat: -20060102
### State options
# Files for the modification data is older than clean_inactive the state from the registry is removed
# By default this is disabled.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
#clean_inactive: -1
# Enable this to disable all checks regarding clean_inactive and re-ingest
# all data when clean_inactive: 0, effectively keeping the
# old behaviour.
#legacy_clean_inactive: false
# Removes the state for files which cannot be found on disk anymore immediately
#clean_removed: true
# Method to determine if two files are the same or not. By default
# a fingerprint is generated using the first 1024 bytes of the file,
# if the fingerprints match, then the files are considered equal.
#file_identity.fingerprint: ~
# Include file owner name and group name in the event metadata. This option is not currently supported on Windows.
#include_file_owner_name: false
#include_file_owner_group_name: false
# Optional additional fields. These fields can be freely picked
# to add additional information to the crawled log files for filtering
#fields:
# level: debug
# review: 1
# Set to true to publish fields with null values in events.
#keep_null: false
# By default, all events contain `host.name`. This option can be set to true
# to disable the addition of this field to all events. The default value is
# false.
#publisher_pipeline.disable_host: false
# Ignore files that were modified more than the defined timespan in the past.
# ignore_older is disabled by default, so no files are ignored by setting it to 0.
# Time strings like 2h (2 hours) and 5m (5 minutes) can be used.
#ignore_older: 0
# Ignore files that have not been updated since the selected event.
# ignore_inactive is disabled by default, so no files are ignored by setting it to "".
# Available options: since_first_start, since_last_start.
#ignore_inactive: ""
# When `take_over.enabled` is set to `true` this `filestream` input
# will take over files from `log` or `filestream` (need to set `from_ids`) inputs.
# Taking over states of active `log` or `filestream` inputs is not
# supported and will lead to inconsistent data ingestion (data
# duplication or data loss).
# This functionality is still in beta.
#take_over:
# enabled: true
# If `from_ids` is set, then the files are taken over
# from `filestream` inputs that were assigned these IDs.
# Taking over from `log` inputs is disabled when `from_ids` is set.
# from_ids: ["foo", "bar"]
# Defines the buffer size every harvester uses when fetching the file
#harvester_buffer_size: 16384
# Maximum number of bytes a single log event can have
# All bytes after max_bytes are discarded and not sent. The default is 10MB.
# This is especially useful for multiline log messages which can get large.
#message_max_bytes: 10485760
# Characters that separate the lines. Valid values: auto, line_feed, vertical_tab, form_feed,
# carriage_return, carriage_return_line_feed, next_line, line_separator, paragraph_separator,
# null_terminator
#line_terminator: auto
# The ingest pipeline ID associated with this input. If this is set, it
# overwrites the pipeline option from the Elasticsearch output.
#pipeline:
# Backoff values define how aggressively filebeat crawls new files for updates
# The default values can be used in most cases. Backoff defines how long it has to wait
# to check a file again after EOF is reached. Default is 1s which means the file
# is checked every second if new lines were added. This leads to a near real-time crawling.
# Every time a new line appears, backoff is reset to the initial value.
#backoff.init: 1s
# Max backoff defines what the maximum backoff time is. After having backed off multiple times
# from checking the files, the waiting time will never exceed max_backoff independent of the
# backoff factor. Having it set to 10s means in the worst case a new line can be added to a log
# file after having backed off multiple times, it takes a maximum of 10s to read the new line
#backoff.max: 10s
### Harvester closing options
# Close inactive closes the file handler after the predefined period.
# The period starts when the last line of the file was, not the file ModTime.
# Time strings like 2h (2 hours) and 5m (5 minutes) can be used.
#close.on_state_change.inactive: 5m
# Close renamed closes a file handler when the file is renamed or rotated.
# Note: Potential data loss. Make sure to read and understand the docs for this option.
#close.on_state_change.renamed: false
# When enabling this option, a file handler is closed immediately in case a file can't be found
# any more. In case the file shows up again later, harvesting will continue at the last known position
# after scan_frequency.
# By default, it's `true` on Windows and `false` on the rest of the platforms.
#close.on_state_change.removed: false
# Closes the file handler as soon as the harvesters reaches the end of the file.
# By default this option is disabled.
# Note: Potential data loss. Make sure to read and understand the docs for this option.
#close.reader.on_eof: false
# Close timeout closes the harvester after the predefined time.
# This is independent if the harvester did finish reading the file or not.
# By default this option is disabled.
# Note: Potential data loss. Make sure to read and understand the docs for this option.
#close.reader.after_interval: 0
### File deleting options
# Filestream cam delete the file after it has been acknowledged by the output,
# has reached EOF or became inactive.
# Enable deleting the file after the reader is closed
# and all events have been ingested.
#delete.enabled: false
# Grace period to wait before trying to remove a file.
# If data is added during the grace, deletion is cancelled.
# The grace period will re-start next time the close condition
# is reached.
#delete.grace_period: 30m
#----------------------------- Stdin input -------------------------------
# Configuration to use stdin input
#- type: stdin
#------------------------- Redis slowlog input ---------------------------
# Experimental: Config options for the redis slow log input
#- type: redis
#enabled: false
# List of hosts to pool to retrieve the slow log information.
#hosts: ["localhost:6379"]
# How often the input checks for redis slow log.
#scan_frequency: 10s
# Timeout after which time the input should return an error
#timeout: 1s
# Network type to be used for redis connection. Default: tcp
#network: tcp
# Max number of concurrent connections. Default: 10
#maxconn: 10
# Redis AUTH password. Empty by default.
#password: foobared
#------------------------------ Udp input --------------------------------
# Experimental: Config options for the udp input
#- type: udp
#enabled: false
# Number of pipeline workers
#number_of_workers: 1
# Maximum size of the message received over UDP
#max_message_size: 10KiB
# Size of the UDP read buffer in bytes
#read_buffer: 0
#------------------------------ TCP input --------------------------------
# Experimental: Config options for the TCP input
#- type: tcp
#enabled: false
# The host and port to receive the new event
#host: "localhost:9000"
# Character used to split new message
#line_delimiter: "\n"
# Number of pipeline workers
#number_of_workers: 1
# Maximum size in bytes of the message received over TCP
#max_message_size: 20MiB
# Max number of concurrent connections, or 0 for no limit. Default: 0
#max_connections: 0
# The number of seconds of inactivity before a remote connection is closed.
#timeout: 300s
# Use SSL settings for TCP.
#ssl.enabled: true
# List of supported/valid TLS versions. By default all TLS versions 1.0 up to
# 1.2 are enabled.
#ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
# SSL configuration. By default is off.
# List of root certificates for client verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL server authentication.
#ssl.certificate: "/etc/pki/client/cert.pem"
# Server Certificate Key,
#ssl.key: "/etc/pki/client/cert.key"
# Optional passphrase for decrypting the Certificate Key.
#ssl.key_passphrase: ''
# Configure cipher suites to be used for SSL connections.
#ssl.cipher_suites: []
# Configure curve types for ECDHE based cipher suites.
#ssl.curve_types: []
# Configure what types of client authentication are supported. Valid options
# are `none`, `optional`, and `required`. When `certificate_authorities` is set it will
# default to `required` otherwise it will be set to `none`.
#ssl.client_authentication: "required"
#------------------------------ Kafka input --------------------------------
# Accept events from topics in a Kafka cluster.
#- type: kafka
#enabled: false
# A list of hosts/ports for the initial Kafka brokers.
#hosts:
#- kafka-broker-1:9092
#- kafka-broker-2:9092
# A list of topics to read from.
#topics: ["my-topic", "important-logs"]
# The Kafka consumer group id to use when connecting.
#group_id: "filebeat"
# An optional Kafka client id to attach to Kafka requests.
#client_id: "my-client"
# The version of the Kafka protocol to use.
#version: 1.0
# Set to "newest" to start reading from the most recent message when connecting to a
# new topic, otherwise the input will begin reading at the oldest remaining event.
#initial_offset: oldest
# How long to wait before trying to reconnect to the kafka cluster after a fatal error.
#connect_backoff: 30s
# How long to wait before retrying a failed read.
#consume_backoff: 2s
# Network timeout for the connection to the brokers (dial, read and write).
#timeout: 30s
# Keep-alive period for active network connections (0 disables it).
#keep_alive: 0s
# Consumer group session timeout. Increase for higher-latency consumers to
# avoid spurious rebalances.
#session_timeout: 10s
# How often the consumer sends heartbeats. Must be lower than session_timeout.
#heartbeat_interval: 3s
# How long to wait for the minimum number of input bytes while reading.
#max_wait_time: 250ms
# The Kafka isolation level, "read_uncommitted" or "read_committed".
#isolation_level: read_uncommitted
# Some Kafka deployments such as Microsoft Azure can return multiple events packed into a
# single data field. Set this field to specify where events should be unpacked from.
#expand_event_list_from_field: "records"
# The minimum number of bytes to wait for.
#fetch.min: 1
# The default number of bytes to read per request.
#fetch.default: 1MB
# The maximum number of bytes to read per request (0 for no limit).
#fetch.max: 0
# Consumer rebalance strategy, "range" or "roundrobin"
#rebalance.strategy: "range"
# How long to wait for an attempted rebalance.
#rebalance.timeout: 60s
# How many times to retry if rebalancing fails.
#rebalance.max_retries: 4
# How long to wait after an unsuccessful rebalance attempt.
#rebalance.retry_backoff: 2s
# SASL authentication mechanism used. Can be one of PLAIN, SCRAM-SHA-256 or SCRAM-SHA-512.
# Defaults to PLAIN when `username` and `password` are configured.
#sasl.mechanism: ''
# Parsers can be used with the Kafka input. The available parsers are "ndjson" and
# "multiline". See the filestream input configuration for more details.
#parsers:
#- ndjson:
# ...
#- multiline:
# ...
#------------------------------ Syslog input --------------------------------
# Accept RFC3164 formatted syslog event via UDP.
#- type: syslog
#enabled: false
#format: rfc3164
#protocol.udp:
# The host and port to receive the new event
#host: "localhost:9000"
# Maximum size of the message received over UDP
#max_message_size: 10KiB
# Accept RFC5424 formatted syslog event via TCP.
#- type: syslog
#enabled: false
#format: rfc5424
#protocol.tcp:
# The host and port to receive the new event
#host: "localhost:9000"
# Character used to split new message
#line_delimiter: "\n"
# Maximum size in bytes of the message received over TCP
#max_message_size: 20MiB
# The number of seconds of inactivity before a remote connection is closed.
#timeout: 300s
# Use SSL settings for TCP.
#ssl.enabled: true
# List of supported/valid TLS versions. By default all TLS versions 1.0 up to
# 1.2 are enabled.
#ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
# SSL configuration. By default is off.
# List of root certificates for client verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL server authentication.
#ssl.certificate: "/etc/pki/client/cert.pem"
# Server Certificate Key,
#ssl.key: "/etc/pki/client/cert.key"
# Optional passphrase for decrypting the Certificate Key.
#ssl.key_passphrase: ''
# Configure cipher suites to be used for SSL connections.
#ssl.cipher_suites: []
# Configure curve types for ECDHE based cipher suites.
#ssl.curve_types: []
# Configure what types of client authentication are supported. Valid options
# are `none`, `optional`, and `required`. When `certificate_authorities` is set it will
# default to `required` otherwise it will be set to `none`.
#ssl.client_authentication: "required"
#------------------------------ Container input --------------------------------
#- type: container
#enabled: false
# Paths for container logs that should be crawled and fetched.
#paths:
# -/var/lib/docker/containers/*/*.log
# Configure stream to filter to a specific stream: stdout, stderr or all (default)
#stream: all
#------------------------------ Journald input --------------------------------
# Journald input is experimental.
#- type: journald
#enabled: true
# Unique ID among all inputs, if the ID changes, all entries
# will be re-ingested
id: my-journald-id
# Specify paths to read from custom journal files.
# Leave it unset to read the system's journal
# Glob based paths.
#paths:
#- /var/log/custom.journal
# Specify a folder to be used as chroot when calling the journalctl binary
#chroot:
# The path for the `journalctl` binary. If not set, Filebeat will look for
# `journalctl` in PATH (defaults to `journalctl`). When using `chroot`, if
# `journalctl_path` is not explicitly set, it automatically defaults to
# `/usr/bin/journalctl`. If `journalctl_path` is explicitly set when `chroot`
# is configured, it must be an absolute path from within the chroot directory.
#journalctl_path:
# When enabled, log entries will be ingested interleaved from all
# available journals, including remote ones.
#merge: false
# The position to start reading from the journal, valid options are:
# - head: Starts reading at the beginning of the journal.
# - tail: Starts reading at the end of the journal.
# This means that no events will be sent until a new message is written.
# - since: Use also the `since` option to determine when to start reading from.
#seek: head
# A time offset from the current time to start reading from.
# To use since, seek option must be set to since.
#since: -24h
# Collect events from the service and messages about the service,
# including coredumps.
#units:
#- docker.service
# List of syslog identifiers
#syslog_identifiers: ["audit"]
# The list of transports (_TRANSPORT field of journald entries)
#transports: ["audit"]
# Filter logs by facilities, they must be specified using their numeric code.
#facilities:
#- 1
#- 2
# You may wish to have separate inputs for each service. You can use
# include_matches.match to define a list of filters, each event needs
# to match all filters defined.
#include_matches.match:
#- _SYSTEMD_UNIT=foo.service
# To create a disjunction (logical OR) use the `+` character between
# the filters
#include_matches:
#match:
#- "systemd.transport=kernel"
#- "+"
#- "journald.process.name=systemd"
# Uses the original hostname of the entry instead of the one
# from the host running jounrald
#save_remote_hostname: false
# Parsers are also supported, the possible parsers are:
# container, include_message, multiline, ndjson, syslog.
# Here is an example of the multiline
# parser.
#parsers:
#- multiline:
#type: count
#count_lines: 3