- Packetbeat Reference: other versions:
- Overview
- Getting started with Packetbeat
- Setting up and running Packetbeat
- Upgrading Packetbeat
- Configuring Packetbeat
- Set traffic capturing options
- Set up flows to monitor network traffic
- Specify which transaction protocols to monitor
- Specify which processes to monitor
- Specify general settings
- Configure the internal queue
- Configure the output
- Set up index lifecycle management
- Specify SSL settings
- Filter and enhance the exported data
- Parse data by using ingest node
- Enrich events with geoIP information
- Set up project paths
- Set up the Kibana endpoint
- Load the Kibana dashboards
- Load the Elasticsearch index template
- Configure logging
- Use environment variables in the configuration
- YAML tips and gotchas
- HTTP Endpoint
- packetbeat.reference.yml
- Exported fields
- Alias fields
- AMQP fields
- Beat fields
- Cassandra fields
- Cloud provider metadata fields
- Common fields
- DHCPv4 fields
- DNS fields
- Docker fields
- Flow Event fields
- Host fields
- HTTP fields
- ICMP fields
- Kubernetes fields
- Memcache fields
- MongoDb fields
- MySQL fields
- NFS fields
- PostgreSQL fields
- Raw fields
- Redis fields
- Thrift-RPC fields
- TLS fields
- Transaction Event fields
- Measurements (Transactions) fields
- Monitoring Packetbeat
- Securing Packetbeat
- Visualizing Packetbeat data in Kibana
- Troubleshooting
- Contributing to Beats
NOTE: You are looking at documentation for an older release. For the latest information, see the current release documentation.
Configure the Redis output
editConfigure the Redis output
editThe Redis output inserts the events into a Redis list or a Redis channel. This output plugin is compatible with the Redis input plugin for Logstash.
Example configuration:
output.redis: hosts: ["localhost"] password: "my_password" key: "packetbeat" db: 0 timeout: 5
Compatibility
editThis output works with Redis 3.2.4.
Configuration options
editYou can specify the following options in the redis
section of the packetbeat.yml
config file:
enabled
editThe enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.
The default value is true.
hosts
editThe list of Redis servers to connect to. If load balancing is enabled, the events are
distributed to the servers in the list. If one server becomes unreachable, the events are
distributed to the reachable servers only. You can define each Redis server by specifying
HOST
or HOST:PORT
. For example: "192.15.3.2"
or "test.redis.io:12345"
. If you
don’t specify a port number, the value configured by port
is used.
port
editDeprecated in 5.0.0.
The Redis port to use if hosts
does not contain a port number. The default is 6379.
index
editThe index name added to the events metadata for use by Logstash. The default is "packetbeat".
key
editThe name of the Redis list or channel the events are published to. If not
configured, the value of the index
setting is used.
You can set the key dynamically by using a format string to access any event
field. For example, this configuration uses a custom field, fields.list
, to
set the Redis list key. If fields.list
is missing, fallback
is used:
output.redis: hosts: ["localhost"] key: "%{[fields.list]:fallback}"
To learn how to add custom fields to events, see the
fields
option.
See the keys
setting for other ways to set the key
dynamically.
keys
editAn array of key selector rules. Each rule specifies the key
to use for events
that match the rule. During publishing, Packetbeat uses the first matching
rule in the array. Rules can contain conditionals, format string-based fields,
and name mappings. If the keys
setting is missing or no rule matches, the
key
setting is used.
Rule settings:
-
index
-
The key format string to use. If this string contains field
references, such as
%{[fields.name]}
, the fields must exist, or the rule fails. -
mappings
-
A dictionary that takes the value returned by
key
and maps it to a new name. -
default
-
The default string value to use if
mappings
does not find a match. -
when
- A condition that must succeed in order to execute the current rule. All the conditions supported by processors are also supported here.
Example keys
settings:
output.redis: hosts: ["localhost"] key: "default_list" keys: - key: "info_list" # send to info_list if `message` field contains INFO when.contains: message: "INFO" - key: "debug_list" # send to debug_list if `message` field contains DEBUG when.contains: message: "DEBUG" - key: "%{[fields.list]}" mappings: http: "frontend_list" nginx: "frontend_list" mysql: "backend_list"
password
editThe password to authenticate with. The default is no authentication.
db
editThe Redis database number where the events are published. The default is 0.
datatype
editThe Redis data type to use for publishing events.If the data type is list
, the
Redis RPUSH command is used and all events are added to the list with the key defined under key
.
If the data type channel
is used, the Redis PUBLISH
command is used and means that all events
are pushed to the pub/sub mechanism of Redis. The name of the channel is the one defined under key
.
The default value is list
.
codec
editOutput codec configuration. If the codec
section is missing, events will be json encoded.
See Change the output codec for more information.
host_topology
edit[5.0.0] Deprecated in 5.0.0.
The Redis host to connect to when using topology map support. Topology map support is disabled if this option is not set.
password_topology
edit[5.0.0] Deprecated in 5.0.0.
The password to use for authenticating with the Redis topology server. The default is no authentication.
db_topology
edit[5.0.0] Deprecated in 5.0.0.
The Redis database number where the topology information is stored. The default is 1.
worker
editThe number of workers to use for each host configured to publish events to Redis. Use this setting along with the
loadbalance
option. For example, if you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).
loadbalance
editIf set to true and multiple hosts or workers are configured, the output plugin load balances published events onto all Redis hosts. If set to false, the output plugin sends all events to only one host (determined at random) and will switch to another host if the currently selected one becomes unreachable. The default value is true.
timeout
editThe Redis connection timeout in seconds. The default is 5 seconds.
backoff.init
editThe number of seconds to wait before trying to reconnect to Redis after
a network error. After waiting backoff.init
seconds, Packetbeat tries to
reconnect. If the attempt fails, the backoff timer is increased exponentially up
to backoff.max
. After a successful connection, the backoff timer is reset. The
default is 1s.
backoff.max
editThe maximum number of seconds to wait before attempting to connect to Redis after a network error. The default is 60s.
max_retries
editThe number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.
Set max_retries
to a value less than 0 to retry until all events are published.
The default is 3.
bulk_max_size
editThe maximum number of events to bulk in a single Redis request or pipeline. The default is 2048.
If the Beat sends single events, the events are collected into batches. If the
Beat publishes a large batch of events (larger than the value specified by
bulk_max_size
), the batch is split.
Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.
Setting bulk_max_size
to values less than or equal to 0 disables the
splitting of batches. When splitting is disabled, the queue decides on the
number of events to be contained in a batch.
ssl
editConfiguration options for SSL parameters like the root CA for Redis connections guarded by SSL proxies (for example stunnel). See Specify SSL settings for more information.
proxy_url
editThe URL of the SOCKS5 proxy to use when connecting to the Redis servers. The
value must be a URL with a scheme of socks5://
. You cannot use a web proxy
because the protocol used to communicate with Redis is not based on HTTP.
If the SOCKS5 proxy server requires client authentication, you can embed a username and password in the URL.
When using a proxy, hostnames are resolved on the proxy server instead of on the
client. You can change this behavior by setting the
proxy_use_local_resolver
option.
proxy_use_local_resolver
editThis option determines whether Redis hostnames are resolved locally when using a proxy. The default value is false, which means that name resolution occurs on the proxy server.
On this page