- Functionbeat Reference:
- Overview
- Getting Started With Functionbeat
- Setting up and deploying Functionbeat
- Configuring Functionbeat
- Configure functions
- Specify general settings
- Configure the internal queue
- Configure the output
- Configure index lifecycle management
- Specify SSL settings
- Filter and enhance the exported data
- Define processors
- Add cloud metadata
- Add fields
- Add labels
- Add the local time zone
- Add tags
- Decode JSON fields
- Decode Base64 fields
- Decompress gzip fields
- Community ID Network Flow Hash
- Convert
- Drop events
- Drop fields from events
- Extract array
- Keep fields from events
- Registered Domain
- Rename fields from events
- Add Kubernetes metadata
- Add Docker metadata
- Add Host metadata
- Add Observer metadata
- Dissect strings
- DNS Reverse Lookup
- Add process metadata
- Parse data by using ingest node
- Enrich events with geoIP information
- Configure the Kibana endpoint
- Load the Elasticsearch index template
- Configure logging
- Use environment variables in the configuration
- YAML tips and gotchas
- Regular expression support
- functionbeat.reference.yml
- Exported fields
- Monitoring Functionbeat
- Securing Functionbeat
- Troubleshooting
- Get help
- Debug
- Common problems
- Deployment to AWS fails with "failed to create the stack"
- Deployment to AWS fails with "resource limit exceeded"
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
A newer version is available. For the latest information, see the
current release documentation.
IAM permissions required for Functionbeat deployment
edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.
IAM permissions required for Functionbeat deployment
editThe role used to deploy Functionbeat to AWS must have the minimum privileges required to deploy and run the Lambda function.
The following sections show example policies that grant the required permissions.
CloudWatch logs
editThe following policy grants the permissions required to deploy and run a Lambda function that collects events from CloudWatch logs.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResources", "cloudformation:GetTemplate", "cloudformation:UpdateStack", "cloudformation:ValidateTemplate", "iam:CreateRole", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:GetRole", "iam:GetRolePolicy", "iam:PassRole", "iam:PutRolePolicy", "lambda:AddPermission", "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction", "lambda:GetFunctionConfiguration", "lambda:PutFunctionConcurrency", "lambda:RemovePermission", "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration", "logs:CreateLogGroup", "logs:DeleteLogGroup", "logs:DeleteSubscriptionFilter", "logs:DescribeLogGroups", "logs:PutSubscriptionFilter", "s3:CreateBucket", "s3:DeleteObject", "s3:ListBucket", "s3:PutObject", "s3:GetObject" ], "Resource": "*" } ] }
SQS and Kinesis
editThe following policy grants the permissions required to deploy and run a Lambda function that reads from SQS queues or Kinesis data streams.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResources", "cloudformation:GetTemplate", "cloudformation:UpdateStack", "cloudformation:ValidateTemplate", "iam:CreateRole", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:GetRole", "iam:GetRolePolicy", "iam:PassRole", "iam:PutRolePolicy", "lambda:AddPermission", "lambda:CreateFunction", "lambda:CreateEventSourceMapping", "lambda:DeleteFunction", "lambda:DeleteEventSourceMapping", "lambda:GetEventSourceMapping", "lambda:GetFunction", "lambda:GetFunctionConfiguration", "lambda:PutFunctionConcurrency", "lambda:RemovePermission", "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration", "logs:DescribeLogGroups", "logs:CreateLogGroup", "s3:CreateBucket", "s3:DeleteObject", "s3:ListBucket", "s3:PutObject", "s3:GetObject" ], "Resource": "*" } ] }
On this page
Was this helpful?
Thank you for your feedback.