######################## Filebeat Configuration ############################
#
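filebeat.modules:
  # NOTE(review): this section was pasted through a renderer that dropped the
  # `-` list markers, collapsed nested filesets onto one line
  # (`server: enabled: true` is not valid YAML — a mapping value inside a plain
  # scalar) and lost the module names of several stanzas. Only the modules whose
  # name survived are written out below, in block style. Every other stanza in
  # the paste was fully commented out (`#enabled: true`, `#var.paths:`, `#input:`).

  - module: elasticsearch
    server:
      enabled: true
    gc:
      enabled: true
    # Audit fileset: the security-relevant stream (authentication / authorization
    # events). NOTE(review): it only yields data if auditing is also switched on
    # in the Elasticsearch nodes themselves — confirm on the cluster side.
    audit:
      enabled: true
    slowlog:
      enabled: true
    deprecation:
      enabled: true

  - module: haproxy
    log:
      enabled: true

  - module: kafka
    log:
      enabled: true

  - module: kibana
    log:
      enabled: true

  - module: nats
    log:
      enabled: true

  - module: osquery
    result:
      enabled: true
      # The paste kept only the tail of a comment here: "osquery.result … Set to
      # false to copy the fields in the root". In the reference config that
      # describes an option controlling whether decoded fields are nested under
      # `osquery.result` — look up the option name for the Filebeat version in
      # use before adding it (TODO confirm).

  # Per-fileset options that appeared (commented out) under every stanza in the
  # paste; the same three options apply to each fileset above:
  #   enabled: true
  #   # Set custom paths for the log files. If left empty,
  #   # Filebeat will choose the paths depending on your OS.
  #   var.paths:
  #   # Input configuration (advanced). Any input configuration option
  #   # can be added under this section.
  #   input:

  # Redis fragment from the paste (the `module:` line was lost; the split into
  # `log` / `slowlog` filesets follows the reference layout — confirm).
  #- module: redis
  #  log:
  #    enabled: true
  #    var.paths: ["/var/log/redis/redis-server.log*"]
  #  slowlog:
  #    enabled: true
  #    # The Redis hosts to connect to.
  #    var.hosts: ["localhost:6379"]
  #    # Optional, the password to use when connecting to Redis.
  #    # Do not write the secret into this file: reference the Filebeat keystore
  #    # or an environment variable instead, e.g. `var.password: "${REDIS_PASSWORD}"`
  #    # (the file already uses `${...}` expansion for `${path.data}`).
  #    var.password: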
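filebeat.inputs:
  # NOTE(review): the paste dropped the `-` list markers, the `paths` entries and
  # interleaved fragments of reference comments ("host.name … This option can be
  # set to true"). Paths are left empty below; fill them in before enabling an
  # input. Both file inputs were disabled in the paste.

  - type: log
    enabled: false
    paths: []

  - type: filestream
    enabled: false
    paths: []

  # Network receivers. All options below were commented out in the paste and the
  # `type:` lines were lost; `udp` / `tcp` are inferred from the option comments
  # ("received over UDP" / "received over TCP") — confirm.
  #- type: udp
  #  # The host and port to receive the new event
  #  host: "localhost:9000"
  #  # Maximum size of the message received over UDP
  #  max_message_size: 10KiB

  #- type: tcp
  #  # The host and port to receive the new event. Binding to anything other
  #  # than localhost exposes the listener to the network; keep SSL on then.
  #  host: "localhost:9000"
  #  # Character used to split new message
  #  line_delimiter: "\n"
  #  # Maximum size in bytes of the message received over TCP
  #  max_message_size: 20MiB
  #  # The number of seconds of inactivity before a remote connection is closed.
  #  timeout: 300s
  #  # Use SSL settings for TCP. SSL is off by default: without it the listener
  #  # accepts unauthenticated plaintext events from anyone who can reach the port.
  #  ssl.enabled: true
  #  # List of supported/valid TLS versions. The reference default enables TLS 1.0
  #  # through 1.2; TLS 1.0 and 1.1 are deprecated (RFC 8996) and should not be
  #  # offered on a new deployment. Add TLSv1.3 if this Filebeat version supports it.
  #  ssl.supported_protocols: [TLSv1.2]
  #  # List of root certificates for client verifications
  #  ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  #  # Certificate presented by this listener. (The reference paths say `client/`
  #  # but for a receiving input this is the server-side certificate.)
  #  ssl.certificate: "/etc/pki/client/cert.pem"
  #  # Private key for that certificate; keep it mode 0600, owned by the
  #  # Filebeat user.
  #  ssl.key: "/etc/pki/client/cert.key"
  #  # Optional passphrase for decrypting the Certificate Key. Do not store it
  #  # here; load it from the Filebeat keystore / environment, e.g. "${KEY_PASS}".
  #  ssl.key_passphrase: ''
  #  # Configure cipher suites to be used for SSL connections.
  #  ssl.cipher_suites: []
  #  # Configure curve types for ECDHE based cipher suites.
  #  ssl.curve_types: []
  #  # Configure what types of client authentication are supported. Valid options
  #  # are `none`, `optional`, and `required`. When `certificate_authorities` is set it will
  #  # default to `required` otherwise it will be set to `none`.
  #  # `required` means mutual TLS: only senders holding a certificate signed by
  #  # one of the CAs above can deliver events.
  #  ssl.client_authentication: "required"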
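# Dynamic config reloading. The parent keys were lost in the paste; the paths
# `inputs.d/*.yml` and `modules.d/*.yml` identify the `filebeat.config.inputs`
# and `filebeat.config.modules` sections of the reference config — confirm for
# the version in use. Both were disabled in the paste.
#
# NOTE(review): with `reload.enabled: true`, anyone who can write to these
# directories can change what is collected and where it is shipped without
# restarting the agent. Keep them writable only by the account that manages
# Filebeat.
#filebeat.config.inputs:
#  enabled: false
#  path: inputs.d/*.yml
#  reload.enabled: true
#  reload.period: 10s

#filebeat.config.modules:
#  enabled: false
#  path: modules.d/*.yml
#  reload.enabled: true
#  reload.period: 10s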
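# Internal event queue. The parent keys (`queue.mem`, `queue.disk`, `queue.spool`)
# were lost in the paste and are restored from the option names and their
# comments — confirm against the reference filebeat.yml for the version in use.
# Everything in this section was commented out (defaults apply).

#queue.mem:
#  # Max number of events the queue can buffer.
#  events: 4096
#  # Hints the minimum number of events stored in the queue,
#  # before providing a batch of events to the outputs.
#  # The default value is set to 2048.
#  # A value of 0 ensures events are immediately available
#  # to be sent to the outputs.
#  flush.min_events: 2048
#  # Maximum duration after which events are available to the outputs,
#  # if the number of events stored in the queue is < `flush.min_events`.
#  flush.timeout: 1s

# NOTE(review): the disk and spool queues persist raw events (i.e. log content)
# under `${path.data}`; that directory needs the same access controls as the
# logs themselves.
#queue.disk:
#  # The directory path to store the queue's data.
#  path: "${path.data}/diskqueue"
#  # The maximum space the queue should occupy on disk. Depending on
#  # input settings, events that exceed this limit are delayed or discarded.
#  max_size: 10GB
#  # The maximum size of a single queue data file. Data in the queue is
#  # stored in smaller segments that are deleted after all their events
#  # have been processed.
#  segment_size: 1GB
#  # The number of events to read from disk to memory while waiting for
#  # the output to request them.
#  read_ahead: 512
#  # The number of events to accept from inputs while waiting for them
#  # to be written to disk. If event data arrives faster than it
#  # can be written to disk, this setting prevents it from overflowing
#  # main memory.
#  write_ahead: 2048
#  # The duration to wait before retrying when the queue encounters a disk
#  # write error.
#  retry_interval: 1s
#  # The maximum length of time to wait before retrying on a disk write
#  # error. If the queue encounters repeated errors, it will double the
#  # length of its retry interval each time, up to this maximum.
#  max_retry_interval: 30s

#queue.spool:
#  # The file namespace configures the file path and the file creation settings.
#  # Once the file exists, the `size`, `page_size` and `prealloc` settings
#  # will have no more effect.
#  file:
#    # Location of spool file. The default value is ${path.data}/spool.dat.
#    path: "${path.data}/spool.dat"
#    # Configure file permissions if file is created. The default value is 0600.
#    # Written as the unquoted octal the reference config uses; do not loosen it —
#    # the spool holds buffered event data.
#    permissions: 0600
#    # File size hint. The spool blocks, once this limit is reached. The default value is 100 MiB.
#    size: 100MiB
#    # The files page size. A file is split into multiple pages of the same size. The default value is 4KiB.
#    page_size: 4KiB
#    # If prealloc is set, the required space for the file is reserved using
#    # truncate. The default value is true.
#    prealloc: true
#  # Spool writer settings
#  # Events are serialized into a write buffer. The write buffer is flushed if:
#  # - The buffer limit has been reached.
#  # - The configured limit of buffered events is reached.
#  # - The flush timeout is triggered.
#  write:
#    # Sets the write buffer size.
#    buffer_size: 1MiB
#    # Maximum duration after which events are flushed if the write buffer
#    # is not full yet. The default value is 1s.
#    flush.timeout: 1s
#    # Number of maximum buffered events. The write buffer is flushed once the
#    # limit is reached.
#    flush.events: 16384
#    # Configure the on-disk event encoding. The encoding can be changed
#    # between restarts.
#    # Valid encodings are: json, ubjson, and cbor.
#    codec: cbor
#  read:
#    # Reader flush timeout, waiting for more events to become available, so
#    # to fill a complete batch as required by the outputs.
#    # If flush_timeout is 0, all available events are forwarded to the
#    # outputs immediately.
#    # The default value is 0s.
#    flush.timeout: 0s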
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
source
field (by default it expects#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
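# Elastic Cloud shortcuts. The comment text was garbled in the paste; the
# sentences below are rebuilt from the option names it quotes.
# The `cloud.id` setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options. You can find the `cloud.id` in the Elastic Cloud
# web UI.
#cloud.id:
# The `cloud.auth` setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
# This is a credential: keep it out of version control and load it from the
# Filebeat keystore or an environment variable, e.g. "${CLOUD_AUTH}".
#cloud.auth:

output.elasticsearch:
  hosts: ["localhost:9200"]
  # Protocol — either `http` (default) or `https`. Use `https` for any host that
  # is not localhost; otherwise the credentials and the shipped log data cross
  # the network in clear text.
  #protocol: "https"
  # Basic authentication (the option names are the ones `cloud.auth` overrides).
  # Reference them from the keystore rather than writing the values here.
  #username: "${ES_USERNAME}"
  #password: "${ES_PASSWORD}"
  # Trust anchor for the cluster's TLS certificate, needed with `https` and a
  # private CA. NOTE(review): the option name mirrors the `ssl.*` block shown for
  # the TCP input in this file — confirm it for the output section of this
  # Filebeat version.
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  # Extra HTTP parameters (nested under a `parameters:` map in the reference
  # config — confirm).
  #param1: value1
  #param2: value2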
0s
(the default) will#
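# Kafka output. Only fragments survived the paste (`bulk_max_size`, the
# `%{[type]}` topic example, the `hash` partitioner sentence and the options
# below). Parent keys are restored from the reference layout — confirm. All of
# it was commented out.
#output.kafka:
#  # `bulk_max_size` was mentioned in the paste; its value and comment were lost.
#  #bulk_max_size:
#  # The topic may be a format string over event fields; the paste's example
#  # was `%{[type]}`.
#  #topic: '%{[type]}'
#  # The default partitioning strategy is `hash`, using the `output.kafka.key`
#  # setting, or randomly distributes events if `output.kafka.key` is not
#  # configured.
#  partition.hash:
#    # If enabled, events will only be published to partitions with reachable
#    # leaders. Default is false.
#    reachable_only: false
#    # Configure alternative event field names used to compute the hash value.
#    # If empty `output.kafka.key` setting will be used.
#    # Default value is empty list.
#    hash: []
#  codec.json:
#    # Pretty-print JSON event
#    pretty: false
#    # Configure escaping HTML symbols in strings.
#    escape_html: false
#  metadata:
#    # Max metadata request retry attempts when cluster is in middle of leader
#    # election. Defaults to 3 retries.
#    retry.max: 3
#    # Wait time between retries during leader elections. Default is 250ms.
#    retry.backoff: 250ms
#    # Refresh metadata interval. Defaults to every 10 minutes.
#    refresh_frequency: 10m
#    # Strategy for fetching the topics metadata from the broker. Default is false.
#    full: false
# NOTE(review): no broker TLS or SASL settings survived the paste. If the brokers
# are not local, events leave the host in clear text unless the output's `ssl.*`
# options are configured — check the reference config for this Filebeat version.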
#
# Pretty print json event
#pretty: false
# Configure escaping HTML symbols in strings.
#escape_html: false
#
# Pretty-print JSON event
#pretty: false
# Configure escaping HTML symbols in strings.
#escape_html: false
filebeat
and it generatesfilebeat
, filebeat.1
, filebeat.2
, etc.# Pretty-print JSON event
#pretty: false
# Configure escaping HTML symbols in strings.
#escape_html: false
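# Dashboards are loaded with the `-setup` CLI flag or the `setup` command (the
# sentence was garbled in the paste).

setup.template.settings:
  # NOTE(review): in the reference config these carry an `index.` prefix
  # (`index.number_of_shards`, `index.codec`) and the third is `_source.enabled`;
  # the prefixes were lost in the paste — confirm before uncommenting.
  #number_of_shards: 1
  #codec: best_compression
  #enabled: false

setup.kibana:
  # Kibana endpoint, `http` (default) or `https`. `setup` sends the same
  # credentials here as the Elasticsearch output uses; use `https` and pin the
  # CA for any non-local host.
  #protocol: "https"
  # Extra HTTP parameters (nested under a map in the reference config — confirm).
  #param1: value1
  #param2: value2

# Logging. The paste had `logging.to_files: true logging.files:` on one line and
# `logging.json=true`, neither of which is valid YAML; written as separate keys.
logging.to_files: true
# Sub-options (path, name, permissions, …) were not in the paste; defaults apply.
# Filebeat's own log can contain hostnames and error payloads — keep the log
# directory restricted to the Filebeat user.
logging.files:
logging.json: true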
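# Monitoring. The comment was garbled in the paste and is rebuilt from the
# option names it quotes:
# The `monitoring.cloud.id` setting overwrites the `monitoring.elasticsearch.hosts`
# setting. The `monitoring.cloud.auth` setting overwrites the
# `monitoring.elasticsearch.username` and `monitoring.elasticsearch.password`
# settings. The format is `<user>:<pass>`.
# As with `cloud.auth`, treat this as a secret: keystore or environment variable,
# never a literal in a committed file.
#monitoring.cloud.id:
#monitoring.cloud.auth:

# `http.user` is a fragment of the comment on the HTTP stats endpoint's
# basic-auth user; the surrounding `http.*` settings did not survive the paste.
# If that endpoint is enabled, bind it to localhost and protect it — confirm the
# option names for this Filebeat version.

# APM instrumentation. All of this was commented out in the paste; the parent
# key is inferred from "enable instrumentation of filebeat" — confirm.
#instrumentation:
#  # Set to true to enable instrumentation of filebeat.
#  enabled: false
#  # Environment in which filebeat is running on (eg: staging, production, etc.)
#  environment: ""
#  # APM Server hosts to report instrumentation results to. Use an https:// URL
#  # for any server that is not local, otherwise the credential below is sent in
#  # clear text.
#  hosts:
#    - http://localhost:8200
#  # API Key for the APM Server(s).
#  # If api_key is set then secret_token will be ignored.
#  # Both are credentials: load them from the keystore / environment,
#  # e.g. `api_key: "${APM_API_KEY}"`.
#  api_key:
#  # Secret token for the APM Server(s).
#  secret_token:
#  # Enable profiling of the server, recording profile samples as events.
#  #
#  # This feature is experimental.
#  profiling:
#    cpu:
#      # Set to true to enable CPU profiling.
#      enabled: false
#      interval: 60s
#      duration: 10s
#    heap:
#      # Set to true to enable heap profiling.
#      enabled: false
#      interval: 60s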
Thanks for the response, but that is not what I meant. In this context I am asking about the configuration in BugHound for connecting to Elasticsearch over SSL, not the configuration in the Beat file.
Hi, I want to ask how to configure BugHound to integrate with my existing ELK stack, which uses SSL and username/password authentication.
For example, what should the input section look like in filebeat.yml or auditbeat.yml?
Thanks