- Filebeat Reference: other versions:
- Overview
- Getting Started With Filebeat
- Setting up and running Filebeat
- Upgrading Filebeat
- How Filebeat works
- Configuring Filebeat
- Specify which modules to run
- Configure inputs
- Manage multiline messages
- Specify general settings
- Load external configuration files
- Configure the internal queue
- Configure the output
- Configure index lifecycle management
- Load balance the output hosts
- Specify SSL settings
- Filter and enhance the exported data
- Define processors
- Add cloud metadata
- Add fields
- Add labels
- Add the local time zone
- Add tags
- Decode CEF
- Decode CSV fields
- Decode JSON fields
- Decode Base64 fields
- Decompress gzip fields
- Community ID Network Flow Hash
- Convert
- Drop events
- Drop fields from events
- Extract array
- Keep fields from events
- Registered Domain
- Rename fields from events
- Add Kubernetes metadata
- Add Docker metadata
- Add Host metadata
- Add Observer metadata
- Dissect strings
- DNS Reverse Lookup
- Add process metadata
- Script Processor
- Timestamp
- Parse data by using ingest node
- Enrich events with geoIP information
- Configure project paths
- Configure the Kibana endpoint
- Load the Kibana dashboards
- Load the Elasticsearch index template
- Configure logging
- Use environment variables in the configuration
- Autodiscover
- YAML tips and gotchas
- Regular expression support
- HTTP Endpoint
- filebeat.reference.yml
- Beats central management
- Modules
- Modules overview
- Apache module
- Auditd module
- AWS module
- CEF module
- Cisco module
- Coredns Module
- Elasticsearch module
- Envoyproxy Module
- Google Cloud module
- haproxy module
- IBM MQ module
- Icinga module
- IIS module
- Iptables module
- Kafka module
- Kibana module
- Logstash module
- MongoDB module
- MSSQL module
- MySQL module
- nats module
- NetFlow module
- Nginx module
- Osquery module
- Palo Alto Networks module
- PostgreSQL module
- RabbitMQ module
- Redis module
- Santa module
- Suricata module
- System module
- Traefik module
- Zeek (Bro) Module
- Exported fields
- Apache fields
- Auditd fields
- AWS fields
- Beat fields
- Decode CEF processor fields fields
- CEF fields
- Cisco fields
- Cloud provider metadata fields
- Coredns fields
- Docker fields
- ECS fields
- elasticsearch fields
- Envoyproxy fields
- Google Cloud fields
- haproxy fields
- Host fields
- ibmmq fields
- Icinga fields
- IIS fields
- iptables fields
- Jolokia Discovery autodiscover provider fields
- Kafka fields
- kibana fields
- Kubernetes fields
- Log file content fields
- logstash fields
- mongodb fields
- mssql fields
- MySQL fields
- nats fields
- NetFlow fields
- NetFlow fields
- Nginx fields
- Osquery fields
- panw fields
- PostgreSQL fields
- Process fields
- RabbitMQ fields
- Redis fields
- s3 fields
- Google Santa fields
- Suricata fields
- System fields
- Traefik fields
- Zeek fields
- Monitoring Filebeat
- Securing Filebeat
- Troubleshooting
- Get help
- Debug
- Common problems
- Can’t read log files from network volumes
- Filebeat isn’t collecting lines from a file
- Too many open file handlers
- Registry file is too large
- Inode reuse causes Filebeat to skip lines
- Log rotation results in lost or duplicate events
- Open file handlers cause issues with Windows file rotation
- Filebeat is using too much CPU
- Dashboard in Kibana is breaking up data fields incorrectly
- Fields are not indexed or usable in Kibana visualizations
- Filebeat isn’t shipping the last line of a file
- Filebeat keeps open file handlers of deleted files for a long time
- Filebeat uses too much bandwidth
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
- Contributing to Beats
Specify SSL settings
editSpecify SSL settings
editYou can specify SSL options when you configure:
- outputs that support SSL
- the Kibana endpoint
Example output config with SSL enabled:
output.elasticsearch.hosts: ["https://192.168.1.42:9200"] output.elasticsearch.ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] output.elasticsearch.ssl.certificate: "/etc/pki/client/cert.pem" output.elasticsearch.ssl.key: "/etc/pki/client/cert.key"
Also see Secure communication with Logstash.
Example Kibana endpoint config with SSL enabled:
setup.kibana.host: "https://192.0.2.255:5601" setup.kibana.ssl.enabled: true setup.kibana.ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] setup.kibana.ssl.certificate: "/etc/pki/client/cert.pem" setup.kibana.ssl.key: "/etc/pki/client/cert.key"
Configuration options
editYou can specify the following options in the ssl section of the filebeat.yml config file:
enabled
editThe enabled setting can be used to disable the ssl configuration by setting
it to false. The default value is true.
SSL settings are disabled if either enabled is set to false or the
ssl section is missing.
certificate_authorities
editThe list of root certificates for server verifications. If certificate_authorities is empty or not set, the trusted certificate authorities of the host system are used.
certificate: "/etc/pki/client/cert.pem"
editThe path to the certificate for SSL client authentication. If the certificate is not specified, client authentication is not available. The connection might fail if the server requests client authentication. If the SSL server does not require client authentication, the certificate will be loaded, but not requested or used by the server.
When this option is configured, the key option is also required.
key: "/etc/pki/client/cert.key"
editThe client certificate key used for client authentication. This option is required if certificate is specified.
key_passphrase
editThe passphrase used to decrypt an encrypted key stored in the configured key file.
supported_protocols
editList of allowed SSL/TLS versions. If SSL/TLS server decides for protocol versions
not configured, the connection will be dropped during or after the handshake. The
setting is a list of allowed protocol versions:
SSLv3, TLSv1 for TLS version 1.0, TLSv1.0, TLSv1.1 and TLSv1.2.
The default value is [TLSv1.1, TLSv1.2].
verification_mode
editThis option controls whether the client verifies server certificates and host
names. Valid values are none and full. If verification_mode is set
to none, all server host names and certificates are accepted. In this mode,
TLS-based connections are susceptible to man-in-the-middle attacks. Use this
option for testing only.
The default is full.
cipher_suites
editThe list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s default suites are used (recommended).
The following cipher suites are available:
- ECDHE-ECDSA-AES-128-CBC-SHA
- ECDHE-ECDSA-AES-128-CBC-SHA256 (TLS 1.2 only, disabled by default)
- ECDHE-ECDSA-AES-128-GCM-SHA256 (TLS 1.2 only)
- ECDHE-ECDSA-AES-256-CBC-SHA
- ECDHE-ECDSA-AES-256-GCM-SHA384 (TLS 1.2 only)
- ECDHE-ECDSA-CHACHA20-POLY1305 (TLS 1.2 only)
- ECDHE-ECDSA-RC4-128-SHA (disabled by default - RC4 not recommended)
- ECDHE-RSA-3DES-CBC3-SHA
- ECDHE-RSA-AES-128-CBC-SHA
- ECDHE-RSA-AES-128-CBC-SHA256 (TLS 1.2 only, disabled by default)
- ECDHE-RSA-AES-128-GCM-SHA256 (TLS 1.2 only)
- ECDHE-RSA-AES-256-CBC-SHA
- ECDHE-RSA-AES-256-GCM-SHA384 (TLS 1.2 only)
- ECDHE-RSA-CHACHA20-POLY1205 (TLS 1.2 only)
- ECDHE-RSA-RC4-128-SHA (disabled by default- RC4 not recommended)
- RSA-3DES-CBC3-SHA
- RSA-AES-128-CBC-SHA
- RSA-AES-128-CBC-SHA256 (TLS 1.2 only, disabled by default)
- RSA-AES-128-GCM-SHA256 (TLS 1.2 only)
- RSA-AES-256-CBC-SHA
- RSA-AES-256-GCM-SHA384 (TLS 1.2 only)
- RSA-RC4-128-SHA (disabled by default - RC4 not recommended)
Here is a list of acronyms used in defining the cipher suites:
- 3DES: Cipher suites using triple DES
- AES-128/256: Cipher suites using AES with 128/256-bit keys.
- CBC: Cipher using Cipher Block Chaining as block cipher mode.
- ECDHE: Cipher suites using Elliptic Curve Diffie-Hellman (DH) ephemeral key exchange.
- ECDSA: Cipher suites using Elliptic Curve Digital Signature Algorithm for authentication.
- GCM: Galois/Counter mode is used for symmetric key cryptography.
- RC4: Cipher suites using RC4.
- RSA: Cipher suites using RSA.
- SHA, SHA256, SHA384: Cipher suites using SHA-1, SHA-256 or SHA-384.
curve_types
editThe list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).
The following elliptic curve types are available:
- P-256
- P-384
- P-521
- X25519
renegotiation
editThis configures what types of TLS renegotiation are supported. The valid options
are never, once, and freely. The default value is never.
-
never- Disables renegotiation. -
once- Allows a remote server to request renegotiation once per connection. -
freely- Allows a remote server to repeatedly request renegotiation.
client_authentication
editThis configures what types of client authentication are supported. The valid options
are none, optional, and required. When certificate_authorities is set it will
default to required otherwise it will be set to none.
This option is only valid with the TCP or the Syslog input.
-
none- Disables client authentication. -
optional- When a client certificate is given, the server will verify it. -
required- Will require clients to provide a valid certificate.
On this page