| // Beats TLS configuration options. | |
| package tls | |
| $version: "v8.14.0" | |
| #base64String: =~"^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$" | |
| #hexSHA256: =~"^[a-fA-F0-9]{64}$" | |
| #pemCerts: =~"^(?:(?:-+BEGIN CERTIFICATE-+\\s+)(?:([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?\\s+)+(?:-+END CERTIFICATE-+\\s*))+$" |
| --- | |
| filebeat.inputs: | |
| # Consume output from | |
| # evtx_dump --dont-show-record-number -o xml <file.evtx> > /tmp/samples/file.evtx.xml | |
| # See https://github.com/omerbenamram/evtx. | |
| - type: filestream | |
| id: evtx_dump_xml | |
| parsers: | |
| - multiline: |
| filebeat.inputs: | |
| - host: localhost:9514 | |
| id: udp-extrahop-cef-9514 | |
| type: udp | |
| processors: | |
| - convert: | |
| mode: copy | |
| fields: | |
| - { from: "message", to: "event.original" } |
| --- | |
| filebeat.inputs: | |
| - type: cel | |
| id: config-123-watcher | |
| interval: 1m | |
| resource: | |
| url: file:///etc/conf.d/foo.conf | |
| program: | | |
| file(state.url).as(content, content.sha256().hex().as(hash, { |
| filebeat.inputs: | |
| - type: journald | |
| processors: | |
| # For https://kubernetes.io/docs/concepts/cluster-administration/system-logs/#json-log-format | |
| - if: | |
| and: | |
| - equals.journald.process.name: kubelet | |
| - regexp.message: '^{' | |
| then: | |
| # 'kubelet' should be mapped as a flattened field in ES because |
| processors: | |
| - script: | |
| # This uses a Beat script processor to include only ipv4 addresses | |
| # in the host.ip field. This would need to placed after the add_host_metadata | |
| # processor. | |
| # | |
| # It would be a lot more efficient to have add_host_metadata allow controlling | |
| # what addresses were included because this has to execute for every event. | |
| # | |
| # References: |
| package main | |
| import ( | |
| "flag" | |
| "log" | |
| "os/user" | |
| "syscall" | |
| "unsafe" | |
| "golang.org/x/sys/windows" |
| winlogbeat.event_logs: | |
| - name: Security | |
| ignore_older: 1h | |
| processors: | |
| - script: | |
| lang: javascript | |
| source: | | |
| var console = require("console"); | |
| var ids = { |
This is an unofficial tutorial that may be useful to users that are in the process of migrating to to Elastic Agent and Fleet. It explains the steps to route some Filebeat data into a data stream managed by a Fleet integration package.
Installing a Fleet integration sets up all of its data streams and dashboards. There are two methods to install. In these examples we install the Hashicorp Vault 1.3.1 integration.
| #!/usr/bin/env bash | |
| # Licensed to Elasticsearch B.V. under one or more contributor | |
| # license agreements. See the NOTICE file distributed with | |
| # this work for additional information regarding copyright | |
| # ownership. Elasticsearch B.V. licenses this file to you under | |
| # the Apache License, Version 2.0 (the "License"); you may | |
| # not use this file except in compliance with the License. | |
| # You may obtain a copy of the License at | |
| # | |
| # http:#www.apache.org/licenses/LICENSE-2.0 |