:plugin: beats :type: input :default_codec: plain :plugin-uc: Beats :plugin-singular: Beat /////////////////////////////////////////// START - GENERATED VARIABLES, DO NOT EDIT! /////////////////////////////////////////// :version: %VERSION% :release_date: %RELEASE_DATE% :changelog_url: %CHANGELOG_URL% :include_path: ../../../../logstash/docs/include /////////////////////////////////////////// END - GENERATED VARIABLES, DO NOT EDIT! /////////////////////////////////////////// [id="plugins-{type}s-{plugin}"] === {plugin-uc} input plugin NOTE: The `input-elastic_agent` plugin is the next generation of the `input-beats` plugin. They currently share code and a https://github.com/logstash-plugins/logstash-input-beats[common codebase]. include::{include_path}/plugin_header.asciidoc[] ==== Description This input plugin enables Logstash to receive events from the {plugin-uc} framework. The following example shows how to configure Logstash to listen on port 5044 for incoming {plugin-uc} connections and to index into Elasticsearch. //Example for Beats ifeval::["{plugin}"=="beats"] ["source","sh",subs="attributes"] ----- input { {plugin} { port => 5044 } } output { elasticsearch { hosts => ["http://localhost:9200"] index => "%{[@metadata][beat]}-%{[@metadata][version]}" <1> } } ----- <1> `%{[@metadata][beat]}` sets the first part of the index name to the value of the metadata field and `%{[@metadata][version]}` sets the second part to the {plugin-singular} version. For example: metricbeat-6.1.6. Events indexed into Elasticsearch with the Logstash configuration shown here will be similar to events directly indexed by {plugin-uc} into Elasticsearch. NOTE: If ILM is not being used, set `index` to `%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}` instead so Logstash creates an index per day, based on the `@timestamp` value of the events coming from {plugin-uc}. endif::[] //Example for Elastic Agent ifeval::["{plugin}"!="beats"] ["source","sh",subs="attributes"] ----- input { {plugin} { port => 5044 } } output { elasticsearch { hosts => ["http://localhost:9200"] data_stream => "true" } } ----- Events indexed into Elasticsearch with the Logstash configuration shown here will be similar to events directly indexed by {plugin-uc} into Elasticsearch. endif::[] [id="plugins-{type}s-{plugin}-memory"] ===== Memory usage This plugin uses "off-heap" direct memory in addition to heap memory. By default, a JVM's off-heap direct memory limit is the same as the heap size. For example, setting `-Xmx10G` without setting the direct memory limit will allocate `10GB` for heap and an additional `10GB` for direct memory, for a total of `20GB` allocated. You can set the amount of direct memory with `-XX:MaxDirectMemorySize` in {logstash-ref}/jvm-settings.html[Logstash JVM Settings]. Consider setting direct memory to half of the heap size. Setting direct memory too low decreases the performance of ingestion. NOTE: Be sure that heap and direct memory combined does not exceed the total memory available on the server to avoid an OutOfDirectMemoryError //Content for Beats ifeval::["{plugin}"=="beats"] [id="plugins-{type}s-{plugin}-multiline"] ===== Multi-line events If you are shipping events that span multiple lines, you need to use the {filebeat-ref}/multiline-examples.html[configuration options available in Filebeat] to handle multiline events before sending the event data to Logstash. You cannot use the {logstash-ref}/plugins-codecs-multiline.html[Multiline codec plugin] to handle multiline events. Doing so will result in the failure to start Logstash. endif::[] //Content for Beats ifeval::["{plugin}"=="beats"] [id="plugins-{type}s-{plugin}-versioned-indexes"] ==== Versioned indices To minimize the impact of future schema changes on your existing indices and mappings in Elasticsearch, configure the Elasticsearch output to write to versioned indices. The pattern that you specify for the `index` setting controls the index name: [source,yaml] ---- index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}" ---- `%{[@metadata][beat]}`:: Sets the first part of the index name to the value of the `beat` metadata field, for example, `filebeat`. `%{[@metadata][version]}`:: Sets the second part of the name to the Beat version, for example, +{logstash_version}+. `%{+YYYY.MM.dd}`:: Sets the third part of the name to a date based on the Logstash `@timestamp` field. This configuration results in daily index names like +filebeat-{logstash_version}-{localdate}+. endif::[] [id="plugins-{type}s-{plugin}-ecs_metadata"] ==== Event enrichment and the Elastic Common Schema (ECS) When decoding {plugin-uc} events, this plugin enriches each event with metadata about the event's source, making this information available during further processing. You can use the <> option to activate or deactivate individual enrichment categories. The location of these enrichment fields depends on whether <> is enabled: - When ECS compatibility is _enabled_, enrichment fields are added in an ECS-compatible structure. - When ECS compatibility is _disabled_, enrichment fields are added in a way that is backward-compatible with this plugin, but is known to clash with the Elastic Common Schema. .`source_metadata` [cols="> described later. NOTE: As of version `7.0.0` of this plugin, a number of previously deprecated settings related to SSL have been removed. Please check out <> for details. [cols="<,<,<",options="header",] |======================================================================= |Setting |Input type|Required | <> |<>|__Deprecated__ | <> |<>|No | <> | <>|No | <> |<>|No | <> |<>|No | <> |<>|No | <> |<>|No | <> |<>|__Deprecated__ | <> |<>|Yes | <> |a valid filesystem path|No | <> |<>|No | <> |<>|No | <> |<>, one of `["none", "optional", "required"]`|No | <> |<>|No | <> |<>|No | <> |a valid filesystem path|No | <> |<>|No | <> |<>|No |======================================================================= Also see <> for a list of options supported by all input plugins.   [id="plugins-{type}s-{plugin}-add_hostname"] ===== `add_hostname` deprecated[6.0.0, The default value has been changed to `false`. In 7.0.0 this setting will be removed] * Value type is <> * Default value is `false` Flag to determine whether to add `host` field to event using the value supplied by the {plugin-singular} in the `hostname` field. [id="plugins-{type}s-{plugin}-client_inactivity_timeout"] ===== `client_inactivity_timeout` * Value type is <> * Default value is `60` Close Idle clients after X seconds of inactivity. [id="plugins-{type}s-{plugin}-ecs_compatibility"] ===== `ecs_compatibility` * Value type is <> * Supported values are: ** `disabled`: unstructured connection metadata added at root level ** `v1`: structured connection metadata added under ECS v1 compliant namespaces ** `v8`: structured connection metadata added under ECS v8 compliant namespaces * Default value depends on which version of Logstash is running: ** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default ** Otherwise, the default value is `disabled`. Refer to <> for detailed information. [id="plugins-{type}s-{plugin}-enrich"] ===== `enrich` * Value type is <> ** An <> can also be provided ** Configures which enrichments are applied to each event ** Default value is `[codec_metadata, source_metadata]` that may be extended in future versions of this plugin to include additional enrichments. ** Supported values are: + [cols="2l,5"] |======================================================================= |Enrichment | Description | codec_metadata | Information about how the codec transformed a sequence of bytes into this Event, such as _which_ codec was used. Also, if no codec is explicitly specified, _excluding_ `codec_metadata` from `enrich` will disable `ecs_compatibility` for this plugin. | source_metadata | Information about the _source_ of the event, such as the IP address of the inbound connection this input received the event from | ssl_peer_metadata | Detailed information about the _SSL peer_ we received the event from, such as identity information from the SSL client certificate that was presented when establishing a connection to this input | all | _alias_ to include _all_ available enrichments (including additional enrichments introduced in future versions of this plugin) | none | _alias_ to _exclude_ all available enrichments. Note that, _explicitly_ defining codec with this option will not disable the `ecs_compatibility`, instead it relies on pipeline or codec `ecs_compatibility` configuration. |======================================================================= **Example:** This configuration disables _all_ enrichments: ["source",subs="attributes"] -------------------------------------------------- input { beats { port => 5044 enrich => none } } -------------------------------------------------- Or, to explicitly enable _only_ `source_metadata` and `ssl_peer_metadata` (disabling all others): ["source",subs="attributes"] -------------------------------------------------- input { beats { port => 5044 enrich => [source_metadata, ssl_peer_metadata] } } -------------------------------------------------- [id="plugins-{type}s-{plugin}-event_loop_threads"] ===== `event_loop_threads` * Value type is <> * Defaults to 0. When setting `0`, the actual default is `available_processors * 2` This is an expert-level setting, and generally should not need to be set {plugin-uc} plugin is implemented based on a non-blocking mechanism, requiring a number of event loop and executor threads. The event loop threads are responsible to communicate with clients (accept incoming connections, enqueue/dequeue tasks and respond) and executor threads handle tasks. This configuration intends to limit or increase the number of threads to be created for the event loop. See <> configuration if you need to set executor threads count. [id="plugins-{type}s-{plugin}-executor_threads"] ===== `executor_threads` * Value type is <> * Default value is equal to the number of CPU cores (1 executor thread per CPU core). The number of threads to be used to process incoming {plugin-uc} requests. By default, the {plugin-uc} input creates a number of threads equal to the number of CPU cores. These threads handle incoming connections, reading from established sockets, and executing most of the tasks related to network connection management. Parsing the Lumberjack protocol is offloaded to a dedicated thread pool. Generally you don't need to touch this setting. In case you are sending very large events and observing "OutOfDirectMemory" exceptions, you may want to reduce this number to half or 1/4 of the CPU cores. This change reduces the number of threads decompressing batches of data into direct memory. However, this will only be a mitigating tweak, as the proper solution may require resizing your Logstash deployment, either by increasing number of Logstash nodes or increasing the JVM's Direct Memory. [id="plugins-{type}s-{plugin}-host"] ===== `host` * Value type is <> * Default value is `"0.0.0.0"` The IP address to listen on. [id="plugins-{type}s-{plugin}-include_codec_tag"] ===== `include_codec_tag` deprecated[6.5.0, Replaced by <>] * Value type is <> * Default value is `true` [id="plugins-{type}s-{plugin}-port"] ===== `port` * This is a required setting. * Value type is <> * There is no default value for this setting. The port to listen on. [id="plugins-{type}s-{plugin}-ssl_certificate"] ===== `ssl_certificate` * Value type is <> * There is no default value for this setting. SSL certificate to use. [id="plugins-{type}s-{plugin}-ssl_certificate_authorities"] ===== `ssl_certificate_authorities` * Value type is <> * Default value is `[]` Validate client certificates against these authorities. You can define multiple files or paths. All the certificates will be read and added to the trust store. You need to configure the <> to `optional` or `required` to enable the verification. [id="plugins-{type}s-{plugin}-ssl_cipher_suites"] ===== `ssl_cipher_suites` * Value type is <> * Default value is `['TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256']` The list of cipher suites to use, listed by priorities. This default list applies for OpenJDK 11.0.14 and higher. For older JDK versions, the default list includes only suites supported by that version. For example, the ChaCha20 family of ciphers is not supported in older versions. [id="plugins-{type}s-{plugin}-ssl_client_authentication"] ===== `ssl_client_authentication` * Value can be any of: `none`, `optional`, `required` * Default value is `"none"` Controls the server's behavior in regard to requesting a certificate from client connections: `required` forces a client to present a certificate, while `optional` requests a client certificate but the client is not required to present one. Defaults to `none`, which disables the client authentication. When mutual TLS is enabled (`required` or `optional`), the certificate presented by the client must be signed by trusted <> (CAs). Please note that the server does not validate the client certificate CN (Common Name) or SAN (Subject Alternative Name). NOTE: This setting can be used only if <> is set. [id="plugins-{type}s-{plugin}-ssl_enabled"] ===== `ssl_enabled` * Value type is <> * Default value is `false` Events are by default sent in plain text. You can enable encryption by setting `ssl_enabled` to true and configuring the <> and <> options. [id="plugins-{type}s-{plugin}-ssl_handshake_timeout"] ===== `ssl_handshake_timeout` * Value type is <> * Default value is `10000` Time in milliseconds for an incomplete ssl handshake to timeout [id="plugins-{type}s-{plugin}-ssl_key"] ===== `ssl_key` * Value type is <> * There is no default value for this setting. SSL key to use. This key must be in the PKCS8 format and PEM encoded. You can use the https://www.openssl.org/docs/man1.1.1/man1/openssl-pkcs8.html[openssl pkcs8] command to complete the conversion. For example, the command to convert a PEM encoded PKCS1 private key to a PEM encoded, non-encrypted PKCS8 key is: [source,sh] ----- openssl pkcs8 -inform PEM -in path/to/logstash.key -topk8 -nocrypt -outform PEM -out path/to/logstash.pkcs8.key ----- [id="plugins-{type}s-{plugin}-ssl_key_passphrase"] ===== `ssl_key_passphrase` * Value type is <> * There is no default value for this setting. SSL key passphrase to use. [id="plugins-{type}s-{plugin}-ssl_supported_protocols"] ===== `ssl_supported_protocols` * Value type is <> * Allowed values are: `'TLSv1.1'`, `'TLSv1.2'`, `'TLSv1.3'` * Default depends on the JDK being used. With up-to-date Logstash, the default is `['TLSv1.2', 'TLSv1.3']`. `'TLSv1.1'` is not considered secure and is only provided for legacy applications. List of allowed SSL/TLS versions to use when establishing a connection to the HTTP endpoint. For Java 8 `'TLSv1.3'` is supported only since **8u262** (AdoptOpenJDK), but requires that you set the `LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3"` system property in Logstash. NOTE: If you configure the plugin to use `'TLSv1.1'` on any recent JVM, such as the one packaged with Logstash, the protocol is disabled by default and needs to be enabled manually by changing `jdk.tls.disabledAlgorithms` in the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.1` needs to be removed from the list. [id="plugins-{type}s-{plugin}-obsolete-options"] ==== Beats Input Obsolete Configuration Options WARNING: As of version `7.0.0` of this plugin, some configuration options have been replaced. The plugin will fail to start if it contains any of these obsolete options. [cols="<,<",options="header",] |======================================================================= |Setting|Replaced by | cipher_suites |<> | ssl |<> | ssl_peer_metadata |<> | ssl_verify_mode |<> | tls_max_version |<> | tls_min_version |<> |======================================================================= [id="plugins-{type}s-{plugin}-common-options"] include::{include_path}/{type}.asciidoc[] :default_codec!: