Created
October 1, 2023 19:32
-
-
Save andrewkroh/f9d3cac2c987a77b2231e3743b0b1c88 to your computer and use it in GitHub Desktop.
Filebeat CEL input - ingest complete config file when it changes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| filebeat.inputs: | |
| - type: cel | |
| id: config-123-watcher | |
| interval: 1m | |
| resource: | |
| url: file:///etc/conf.d/foo.conf | |
| program: | | |
| file(state.url).as(content, content.sha256().hex().as(hash, { | |
| 'url': state.url, | |
| 'cursor': { | |
| 'sha256': hash, | |
| }, | |
| 'want_more': false, | |
| 'events': has(state.cursor) && has(state.cursor.sha256) && state.cursor.sha256 == hash ? [] : [{ | |
| 'file': { | |
| 'path': state.url.trim_prefix('file://'), | |
| 'hash': { | |
| 'sha256': hash, | |
| } | |
| }, | |
| 'related': { | |
| 'hash': [hash], | |
| }, | |
| 'ecs': {'version': '8.8.0'}, | |
| 'message': string(content), | |
| }], | |
| })) | |
| publisher_pipeline.disable_host: true | |
| output.console.pretty: true | |
| logging: | |
| level: debug | |
| selectors: | |
| - input.cel |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment