:plugin: beats
:type: input
:default_codec: plain
:plugin-uc: Beats
:plugin-singular: Beat

///////////////////////////////////////////
START - GENERATED VARIABLES, DO NOT EDIT!
///////////////////////////////////////////
:version: %VERSION%
:release_date: %RELEASE_DATE%
:changelog_url: %CHANGELOG_URL%
:include_path: ../../../../logstash/docs/include
///////////////////////////////////////////
END - GENERATED VARIABLES, DO NOT EDIT!
///////////////////////////////////////////

[id="plugins-{type}s-{plugin}"]

=== {plugin-uc} input plugin

NOTE: The `input-elastic_agent` plugin is the next generation of the
`input-beats` plugin. 
They currently share code and a https://github.com/logstash-plugins/logstash-input-beats[common codebase].

include::{include_path}/plugin_header.asciidoc[]

==== Description

This input plugin enables Logstash to receive events from the
{plugin-uc} framework.

The following example shows how to configure Logstash to listen on port
5044 for incoming {plugin-uc} connections and to index into Elasticsearch.

//Example for Beats
ifeval::["{plugin}"=="beats"]
["source","sh",subs="attributes"]
-----

input {
  {plugin} {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}" <1>
  }
}
-----
<1> `%{[@metadata][beat]}` sets the first part of the index name to the value
of the metadata field and `%{[@metadata][version]}` sets the second part to
the {plugin-singular} version. For example: metricbeat-6.1.6.

Events indexed into Elasticsearch with the Logstash configuration shown here
will be similar to events directly indexed by {plugin-uc} into Elasticsearch.

NOTE: If ILM is not being used, set `index` to
`%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}` instead so
Logstash creates an index per day, based on the `@timestamp` value of the events
coming from {plugin-uc}.
endif::[]

//Example for Elastic Agent
ifeval::["{plugin}"!="beats"]
["source","sh",subs="attributes"]
-----

input {
  {plugin} {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    data_stream => "true"
  }
}
-----

Events indexed into Elasticsearch with the Logstash configuration shown here
will be similar to events directly indexed by {plugin-uc} into Elasticsearch.
endif::[]


//Content for Beats
ifeval::["{plugin}"=="beats"]
[id="plugins-{type}s-{plugin}-multiline"]
===== Multi-line events

If you are shipping events that span multiple lines, you need to use
the {filebeat-ref}/multiline-examples.html[configuration options available in
Filebeat] to handle multiline events before sending the event data to Logstash.
You cannot use the {logstash-ref}/plugins-codecs-multiline.html[Multiline codec
plugin] to handle multiline events. Doing so will result in the failure to start
Logstash.
endif::[]

//Content for Beats
ifeval::["{plugin}"=="beats"]
[id="plugins-{type}s-{plugin}-versioned-indexes"]
==== Versioned indices

To minimize the impact of future schema changes on your existing indices and
mappings in Elasticsearch, configure the Elasticsearch output to write to
versioned indices. The pattern that you specify for the `index` setting
controls the index name:

[source,yaml]
----
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
----

`%{[@metadata][beat]}`:: Sets the first part of the index name to the value of
the `beat` metadata field, for example, `filebeat`.
`%{[@metadata][version]}`:: Sets the second part of the name to the Beat
version, for example, +{logstash_version}+.
`%{+YYYY.MM.dd}`:: Sets the third part of the name to a date based on the
Logstash `@timestamp` field.

This configuration results in daily index names like
+filebeat-{logstash_version}-{localdate}+.
endif::[]


[id="plugins-{type}s-{plugin}-ecs_metadata"]
==== Event Metadata and the Elastic Common Schema (ECS)

When decoding {plugin-uc} events, this plugin adds two fields related to the event:
the deprecated `host` which contains the `hostname` provided by {plugin-uc} and the
`ip_address` containing the remote address of the client's connection. When
<<plugins-{type}s-{plugin}-ecs_compatibility,ECS compatibility mode>> is enabled
these are now moved in ECS compatible namespace. Here's how
<<plugins-{type}s-{plugin}-ecs_compatibility,ECS compatibility mode>> affects
output.  

[cols="<l,<l,e,<e"]
|=======================================================================
|ECS `disabled` |ECS `v1`, `v8` |Availability |Description

|[host]                  |[@metadata][input][beats][host][name]   |Always       |Name or address of the {plugin-singular} host
|[@metadata][ip_address] |[@metadata][input][beats][host][ip]     |Always       |IP address of the {plugin-uc} client
|[@metadata][tls_peer][status] | [@metadata][tls_peer][status] | When SSL related fields are populated | Contains "verified"/"unverified" labels in `disabled`, `true`/`false` in `v1`/`v8`
|[@metadata][tls_peer][protocol] | [@metadata][input][beats][tls][version_protocol] | When SSL status is "verified" | Contains the TLS version used (e.g. `TLSv1.2`)
|[@metadata][tls_peer][subject] | [@metadata][input][beats][tls][client][subject] | When SSL status is "verified" | Contains the identity name of the remote end (e.g. `CN=artifacts-no-kpi.elastic.co`)
|[@metadata][tls_peer][cipher_suite] | [@metadata][input][beats][tls][cipher] | When SSL status is "verified" | Contains the name of cipher suite used (e.g. `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`)
|=======================================================================

[id="plugins-{type}s-{plugin}-options"]
==== {plugin-uc} input configuration options

This plugin supports the following configuration options plus the <<plugins-{type}s-{plugin}-common-options>> described later.

[cols="<,<,<",options="header",]
|=======================================================================
|Setting |Input type|Required
| <<plugins-{type}s-{plugin}-add_hostname>> |<<boolean,boolean>>|No
| <<plugins-{type}s-{plugin}-cipher_suites>> |<<array,array>>|No
| <<plugins-{type}s-{plugin}-client_inactivity_timeout>> |<<number,number>>|No
| <<plugins-{type}s-{plugin}-ecs_compatibility>> | <<string,string>>|No
| <<plugins-{type}s-{plugin}-executor_threads>> |<<number,number>>|No
| <<plugins-{type}s-{plugin}-host>> |<<string,string>>|No
| <<plugins-{type}s-{plugin}-include_codec_tag>> |<<boolean,boolean>>|No
| <<plugins-{type}s-{plugin}-port>> |<<number,number>>|Yes
| <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|No
| <<plugins-{type}s-{plugin}-ssl_certificate>> |a valid filesystem path|No
| <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
| <<plugins-{type}s-{plugin}-ssl_handshake_timeout>> |<<number,number>>|No
| <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
| <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
| <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|No
| <<plugins-{type}s-{plugin}-ssl_peer_metadata>> |<<boolean,boolean>>|No
| <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|No
| <<plugins-{type}s-{plugin}-tls_min_version>> |<<number,number>>|No
|=======================================================================

Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
input plugins.

&nbsp;

[id="plugins-{type}s-{plugin}-add_hostname"]
===== `add_hostname`

  deprecated[6.0.0, The default value has been changed to `false`. In 7.0.0 this setting will be removed]

  * Value type is <<boolean,boolean>>
  * Default value is `false`

Flag to determine whether to add `host` field to event using the value supplied by the {plugin-singular} in the `hostname` field.


[id="plugins-{type}s-{plugin}-cipher_suites"]
===== `cipher_suites`

  * Value type is <<array,array>>
  * Default value is `java.lang.String[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]@459cfcca`

The list of ciphers suite to use, listed by priorities.

[id="plugins-{type}s-{plugin}-client_inactivity_timeout"]
===== `client_inactivity_timeout`

  * Value type is <<number,number>>
  * Default value is `60`

Close Idle clients after X seconds of inactivity.

[id="plugins-{type}s-{plugin}-ecs_compatibility"]
===== `ecs_compatibility`

* Value type is <<string,string>>
* Supported values are:
** `disabled`: unstructured connection metadata added at root level
** `v1`: structured connection metadata added under ECS v1 compliant namespaces
** `v8`: structured connection metadata added under ECS v8 compliant namespaces
* Default value depends on which version of Logstash is running:
** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
** Otherwise, the default value is `disabled`.

Refer to <<plugins-{type}s-{plugin}-ecs_metadata,ECS mapping>> for detailed information.

[id="plugins-{type}s-{plugin}-executor_threads"]
===== `executor_threads`

  * Value type is <<number,number>>
  * Default value is 1 executor thread per CPU core

The number of threads to be used to process incoming beats requests.
By default Beats input will create a number of threads equals to 2*CPU cores to handle incoming connections,
reading from the established sockets and execute most of the tasks related to network connection managements, 
except the parsing of Lumberjack protocol that's offloaded to a dedicated thread pool.

Generally you don't need to touch this setting.
In case you are sending very large events and observing "OutOfDirectMemory" exceptions,
you may want to reduce this number to half or 1/4 of the CPU cores.
This will reduce the number of threads decompressing batches of data into direct memory.
However, this will only be a mitigating tweak, as the proper solution may require resizing your Logstash deployment,
either by increasing number of Logstash nodes or increasing the JVM's Direct Memory.

[id="plugins-{type}s-{plugin}-host"]
===== `host`

  * Value type is <<string,string>>
  * Default value is `"0.0.0.0"`

The IP address to listen on.

[id="plugins-{type}s-{plugin}-include_codec_tag"]
===== `include_codec_tag`

  * Value type is <<boolean,boolean>>
  * Default value is `true`



[id="plugins-{type}s-{plugin}-port"]
===== `port`

  * This is a required setting.
  * Value type is <<number,number>>
  * There is no default value for this setting.

The port to listen on.

[id="plugins-{type}s-{plugin}-ssl"]
===== `ssl`

  * Value type is <<boolean,boolean>>
  * Default value is `false`

Events are by default sent in plain text. You can
enable encryption by setting `ssl` to true and configuring
the `ssl_certificate` and `ssl_key` options.

[id="plugins-{type}s-{plugin}-ssl_certificate"]
===== `ssl_certificate`

  * Value type is <<path,path>>
  * There is no default value for this setting.

SSL certificate to use.

[id="plugins-{type}s-{plugin}-ssl_certificate_authorities"]
===== `ssl_certificate_authorities`

  * Value type is <<array,array>>
  * Default value is `[]`

Validate client certificates against these authorities.
You can define multiple files or paths. All the certificates will
be read and added to the trust store. You need to configure the `ssl_verify_mode`
to `peer` or `force_peer` to enable the verification.


[id="plugins-{type}s-{plugin}-ssl_handshake_timeout"]
===== `ssl_handshake_timeout`

  * Value type is <<number,number>>
  * Default value is `10000`

Time in milliseconds for an incomplete ssl handshake to timeout

[id="plugins-{type}s-{plugin}-ssl_key"]
===== `ssl_key`

  * Value type is <<path,path>>
  * There is no default value for this setting.

SSL key to use.
NOTE: This key need to be in the PKCS8 format, you can convert it with https://www.openssl.org/docs/man1.1.0/apps/pkcs8.html[OpenSSL]
for more information.

[id="plugins-{type}s-{plugin}-ssl_key_passphrase"]
===== `ssl_key_passphrase`

  * Value type is <<password,password>>
  * There is no default value for this setting.

SSL key passphrase to use.

[id="plugins-{type}s-{plugin}-ssl_verify_mode"]
===== `ssl_verify_mode`

  * Value can be any of: `none`, `peer`, `force_peer`
  * Default value is `"none"`

By default the server doesn't do any client verification.

`peer` will make the server ask the client to provide a certificate.
If the client provides a certificate, it will be validated.

`force_peer` will make the server ask the client to provide a certificate.
If the client doesn't provide a certificate, the connection will be closed.

This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.

[id="plugins-{type}s-{plugin}-ssl_peer_metadata"]
===== `ssl_peer_metadata`

  * Value type is <<boolean,boolean>>
  * Default value is `false`

Enables storing client certificate information in event's metadata.

This option is only valid when `ssl_verify_mode` is set to `peer` or `force_peer`.

[id="plugins-{type}s-{plugin}-tls_max_version"]
===== `tls_max_version`

  * Value type is <<number,number>>
  * Default value is `1.2`

The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2

[id="plugins-{type}s-{plugin}-tls_min_version"]
===== `tls_min_version`

  * Value type is <<number,number>>
  * Default value is `1`

The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2



[id="plugins-{type}s-{plugin}-common-options"]
include::{include_path}/{type}.asciidoc[]

:default_codec!: