logstash-input-beats 6.1.0-java → 6.1.1-java
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -3
- data/VERSION +1 -1
- data/docs/agent.asciidoc +320 -0
- data/docs/index.asciidoc +14 -16
- data/lib/logstash-input-beats_jars.rb +1 -1
- data/spec/inputs/beats/decoded_event_transform_spec.rb +2 -2
- data/spec/inputs/beats_spec.rb +5 -5
- data/spec/integration/filebeat_spec.rb +9 -9
- data/spec/integration/logstash_forwarder_spec.rb +1 -1
- data/spec/support/shared_examples.rb +12 -12
- data/vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/{6.1.0/logstash-input-beats-6.1.0.jar → 6.1.1/logstash-input-beats-6.1.1.jar} +0 -0
- metadata +4 -3
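--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6def71232c684cd74e5be5913809fbfa34a5922f600e433174ebe323525d7936
+data.tar.gz: 27f0ebc4bd488cc3ccd64cec8a64194eae87484f6af55d02a00fae95dcaae45c
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 10b2fdc15611ca30aaba8fafb79b53588188788a96ca6a906fbef53c2c9d6f950e56ba53e0c961c1edb09c3d85a70f91f4b58b7979cf9b77f9894e25220e1733
+data.tar.gz: dfc2a89ffba6de5955d2bfd6c8c0862d5d594d4762a4a608da64d85017e0b46086bc0028b3c89717d19839a36c7261348ab498123f2caa313e060ee7ffe2811a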
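--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,7 +1,10 @@
+## 6.1.1
+- [DOC] Enhanced ECS compatibility information for ease of use and readability
+[#413](https://github.com/logstash-plugins/logstash-input-beats/pull/413)
+
 ## 6.1.0
-- ECS compatibility enablement
-
-`host` and `@metadata.ip_address` event fields. [404](https://github.com/logstash-plugins/logstash-input-beats/pull/404)
+- ECS compatibility enablement. Adds `ecs_compatibility` setting to declare the level of ECS compatibility (`disabled` or `v1`) at plugin level. When `disabled`, the plugin behaves like before, while `v1` does a rename of
+`host` and `@metadata.ip_address` event fields. [#404](https://github.com/logstash-plugins/logstash-input-beats/pull/404)
 
 ## 6.0.14
 - Feat: log + unwrap generic SSL context exceptions [#405](https://github.com/logstash-plugins/logstash-input-beats/pull/405)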
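--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-6.1.
+6.1.1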
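--- a/data/docs/agent.asciidoc
+++ b/data/docs/agent.asciidoc
@@ -0,0 +1,320 @@
+:plugin: agent
+:type: input
+:default_codec: plain
+
+///////////////////////////////////////////
+START - GENERATED VARIABLES, DO NOT EDIT!
+///////////////////////////////////////////
+
+// Copied from Beats generated plugin output.
+// Not actively generated at this time!
+
+////
+:version: %VERSION%
+:release_date: %RELEASE_DATE%
+:changelog_url: %CHANGELOG_URL%
+:include_path: ../../../../logstash/docs/include
+////
+
+///////////////////////////////////////////
+END - GENERATED VARIABLES, DO NOT EDIT!
+///////////////////////////////////////////
+
+[id="plugins-{type}s-{plugin}"]
+
+=== Agent input plugin
+
+include::{include_path}/plugin_header.asciidoc[]
+
+==== Description
+
+This input plugin enables Logstash to receive events from the
+https://www.elastic.co/products/beats[Elastic Beats] framework.
+
+The following example shows how to configure Logstash to listen on port
+5044 for incoming Beats connections and to index into Elasticsearch.
+
+[source,logstash]
+-----
+
+input {
+beats {
+port => 5044
+}
+}
+
+output {
+elasticsearch {
+hosts => ["http://localhost:9200"]
+index => "%{[@metadata][beat]}-%{[@metadata][version]}" <1>
+}
+}
+-----
+<1> `%{[@metadata][beat]}` sets the first part of the index name to the value
+of the `beat` metadata field and `%{[@metadata][version]}` sets the second part to
+the Beat's version. For example:
+metricbeat-7.4.0.
+
+Events indexed into Elasticsearch with the Logstash configuration shown here
+will be similar to events directly indexed by Beats into Elasticsearch.
+
+NOTE: If ILM is not being used, set `index` to
+`%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}` instead so
+Logstash creates an index per day, based on the `@timestamp` value of the events
+coming from Beats.
+
+IMPORTANT: If you are shipping events that span multiple lines, you need to use
+the {filebeat-ref}/multiline-examples.html[configuration options available in
+Filebeat] to handle multiline events before sending the event data to Logstash.
+You cannot use the {logstash-ref}/plugins-codecs-multiline.html[Multiline codec
+plugin] to handle multiline events. Doing so will result in the failure to start
+Logstash.
+
+[id="plugins-{type}s-{plugin}-versioned-indexes"]
+==== Versioned Beats Indices
+
+To minimize the impact of future schema changes on your existing indices and
+mappings in Elasticsearch, configure the Elasticsearch output to write to
+versioned indices. The pattern that you specify for the `index` setting
+controls the index name:
+
+[source,yaml]
+----
+index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
+----
+
+`%{[@metadata][beat]}`:: Sets the first part of the index name to the value of
+the `beat` metadata field, for example, `filebeat`.
+`%{[@metadata][version]}`:: Sets the second part of the name to the Beat
+version, for example, +{logstash_version}+.
+`%{+YYYY.MM.dd}`:: Sets the third part of the name to a date based on the
+Logstash `@timestamp` field.
+
+This configuration results in daily index names like
++filebeat-{logstash_version}-{localdate}+.
+
+
+[id="plugins-{type}s-{plugin}-ecs_metadata"]
+==== Event Metadata and the Elastic Common Schema (ECS)
+When decoding `beats` events, this plugin adds two fields related to the event: the deprecated `host`
+which contains the `hostname` provided by beats and the `ip_address` containing the remote address
+of the client's connection. When <<plugins-{type}s-{plugin}-ecs_compatibility,ECS compatibility mode>> is
+enabled these are now moved in ECS compatible namespace.
+
+[id="plugins-{type}s-{plugin}-options"]
+==== Agent Input Configuration Options
+
+This plugin supports the following configuration options plus the <<plugins-{type}s-{plugin}-common-options>> described later.
+
+[cols="<,<,<",options="header",]
+|=======================================================================
+|Setting |Input type|Required
+| <<plugins-{type}s-{plugin}-add_hostname>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-cipher_suites>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-client_inactivity_timeout>> |<<number,number>>|No
+| <<plugins-{type}s-{plugin}-ecs_compatibility>> | <<string,string>>|No
+| <<plugins-{type}s-{plugin}-host>> |<<string,string>>|No
+| <<plugins-{type}s-{plugin}-include_codec_tag>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-port>> |<<number,number>>|Yes
+| <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-ssl_certificate>> |a valid filesystem path|No
+| <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
+| <<plugins-{type}s-{plugin}-ssl_handshake_timeout>> |<<number,number>>|No
+| <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
+| <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
+| <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|No
+| <<plugins-{type}s-{plugin}-ssl_peer_metadata>> |<<boolean,boolean>>|No
+| <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|No
+| <<plugins-{type}s-{plugin}-tls_min_version>> |<<number,number>>|No
+|=======================================================================
+
+Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
+input plugins.
+
+
+
+[id="plugins-{type}s-{plugin}-add_hostname"]
+===== `add_hostname`
+
+deprecated[6.0.0, The default value has been changed to `false`. In 7.0.0 this setting will be removed]
+
+* Value type is <<boolean,boolean>>
+* Default value is `false`
+
+Flag to determine whether to add `host` field to event using the value supplied by the beat in the `hostname` field.
+
+
+[id="plugins-{type}s-{plugin}-cipher_suites"]
+===== `cipher_suites`
+
+* Value type is <<array,array>>
+* Default value is `java.lang.String[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]@459cfcca`
+
+The list of ciphers suite to use, listed by priorities.
+
+[id="plugins-{type}s-{plugin}-client_inactivity_timeout"]
+===== `client_inactivity_timeout`
+
+* Value type is <<number,number>>
+* Default value is `60`
+
+Close Idle clients after X seconds of inactivity.
+
+[id="plugins-{type}s-{plugin}-ecs_compatibility"]
+===== `ecs_compatibility`
+
+* Value type is <<string,string>>
+* Supported values are:
+** `disabled`: unstructured connection metadata added at root level
+** `v1`: structured connection metadata added under ECS compliant namespaces
+* Default value depends on which version of Logstash is running:
+** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
+** Otherwise, the default value is `disabled`.
+
+Controls this plugin's compatibility with the {ecs-ref}[Elastic Common Schema (ECS)].
+The value of this setting affects the keys for the Beats connection's metadata on the event:
+
+.Metadata Location by `ecs_compatibility` value
+[cols="<l,<l,e,<e"]
+|=======================================================================
+|`disabled` |`v1` |Availability |Description
+
+|[host] |[@metadata][input][beats][host][name] |Always |Name or address of the beat host
+|[@metadata][ip_address] |[@metadata][input][beats][host][ip] |Always |IP address of the Beats client
+|[@metadata][tls_peer][status] | [@metadata][tls_peer][status] | When SSL related fields are populated | Contains "verified"/"unverified" labels in `disabled`, `true`/`false` in `v1`
+|[@metadata][tls_peer][protocol] | [@metadata][input][beats][tls][version_protocol] | When SSL status is "verified" | Contains the TLS version used (e.g. `TLSv1.2`)
+|[@metadata][tls_peer][subject] | [@metadata][input][beats][tls][client][subject] | When SSL status is "verified" | Contains the identity name of the remote end (e.g. `CN=artifacts-no-kpi.elastic.co`)
+|[@metadata][tls_peer][cipher_suite] | [@metadata][input][beats][tls][cipher] | When SSL status is "verified" | Contains the name of cipher suite used (e.g. `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`)
+|=======================================================================
+
+[id="plugins-{type}s-{plugin}-host"]
+===== `host`
+
+* Value type is <<string,string>>
+* Default value is `"0.0.0.0"`
+
+The IP address to listen on.
+
+[id="plugins-{type}s-{plugin}-include_codec_tag"]
+===== `include_codec_tag`
+
+* Value type is <<boolean,boolean>>
+* Default value is `true`
+
+
+
+[id="plugins-{type}s-{plugin}-port"]
+===== `port`
+
+* This is a required setting.
+* Value type is <<number,number>>
+* There is no default value for this setting.
+
+The port to listen on.
+
+[id="plugins-{type}s-{plugin}-ssl"]
+===== `ssl`
+
+* Value type is <<boolean,boolean>>
+* Default value is `false`
+
+Events are by default sent in plain text. You can
+enable encryption by setting `ssl` to true and configuring
+the `ssl_certificate` and `ssl_key` options.
+
+[id="plugins-{type}s-{plugin}-ssl_certificate"]
+===== `ssl_certificate`
+
+* Value type is <<path,path>>
+* There is no default value for this setting.
+
+SSL certificate to use.
+
+[id="plugins-{type}s-{plugin}-ssl_certificate_authorities"]
+===== `ssl_certificate_authorities`
+
+* Value type is <<array,array>>
+* Default value is `[]`
+
+Validate client certificates against these authorities.
+You can define multiple files or paths. All the certificates will
+be read and added to the trust store. You need to configure the `ssl_verify_mode`
+to `peer` or `force_peer` to enable the verification.
+
+
+[id="plugins-{type}s-{plugin}-ssl_handshake_timeout"]
+===== `ssl_handshake_timeout`
+
+* Value type is <<number,number>>
+* Default value is `10000`
+
+Time in milliseconds for an incomplete ssl handshake to timeout
+
+[id="plugins-{type}s-{plugin}-ssl_key"]
+===== `ssl_key`
+
+* Value type is <<path,path>>
+* There is no default value for this setting.
+
+SSL key to use.
+NOTE: This key need to be in the PKCS8 format, you can convert it with https://www.openssl.org/docs/man1.1.0/apps/pkcs8.html[OpenSSL]
+for more information.
+
+[id="plugins-{type}s-{plugin}-ssl_key_passphrase"]
+===== `ssl_key_passphrase`
+
+* Value type is <<password,password>>
+* There is no default value for this setting.
+
+SSL key passphrase to use.
+
+[id="plugins-{type}s-{plugin}-ssl_verify_mode"]
+===== `ssl_verify_mode`
+
+* Value can be any of: `none`, `peer`, `force_peer`
+* Default value is `"none"`
+
+By default the server doesn't do any client verification.
+
+`peer` will make the server ask the client to provide a certificate.
+If the client provides a certificate, it will be validated.
+
+`force_peer` will make the server ask the client to provide a certificate.
+If the client doesn't provide a certificate, the connection will be closed.
+
+This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
+
+[id="plugins-{type}s-{plugin}-ssl_peer_metadata"]
+===== `ssl_peer_metadata`
+
+* Value type is <<boolean,boolean>>
+* Default value is `false`
+
+Enables storing client certificate information in event's metadata.
+
+This option is only valid when `ssl_verify_mode` is set to `peer` or `force_peer`.
+
+[id="plugins-{type}s-{plugin}-tls_max_version"]
+===== `tls_max_version`
+
+* Value type is <<number,number>>
+* Default value is `1.2`
+
+The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
+1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
+
+[id="plugins-{type}s-{plugin}-tls_min_version"]
+===== `tls_min_version`
+
+* Value type is <<number,number>>
+* Default value is `1`
+
+The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
+1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
+
+
+
+[id="plugins-{type}s-{plugin}-common-options"]
+include::{include_path}/{type}.asciidoc[]
+
+:default_codec!: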
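--- a/data/docs/index.asciidoc
+++ b/data/docs/index.asciidoc
@@ -92,7 +92,19 @@ This configuration results in daily index names like
 When decoding `beats` events, this plugin adds two fields related to the event: the deprecated `host`
 which contains the `hostname` provided by beats and the `ip_address` containing the remote address
 of the client's connection. When <<plugins-{type}s-{plugin}-ecs_compatibility,ECS compatibility mode>> is
-enabled these are now moved in ECS compatible namespace.
+enabled these are now moved in ECS compatible namespace. Here's how <<plugins-{type}s-{plugin}-ecs_compatibility,ECS compatibility mode>> affects output.
+
+[cols="<l,<l,e,<e"]
+|=======================================================================
+|ECS disabled |ECS v1 |Availability |Description
+
+|[host] |[@metadata][input][beats][host][name] |Always |Name or address of the beat host
+|[@metadata][ip_address] |[@metadata][input][beats][host][ip] |Always |IP address of the Beats client
+|[@metadata][tls_peer][status] | [@metadata][tls_peer][status] | When SSL related fields are populated | Contains "verified"/"unverified" labels in `disabled`, `true`/`false` in `v1`
+|[@metadata][tls_peer][protocol] | [@metadata][input][beats][tls][version_protocol] | When SSL status is "verified" | Contains the TLS version used (e.g. `TLSv1.2`)
+|[@metadata][tls_peer][subject] | [@metadata][input][beats][tls][client][subject] | When SSL status is "verified" | Contains the identity name of the remote end (e.g. `CN=artifacts-no-kpi.elastic.co`)
+|[@metadata][tls_peer][cipher_suite] | [@metadata][input][beats][tls][cipher] | When SSL status is "verified" | Contains the name of cipher suite used (e.g. `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`)
+|=======================================================================
 
 [id="plugins-{type}s-{plugin}-options"]
 ==== Beats Input Configuration Options
@@ -164,21 +176,7 @@ Close Idle clients after X seconds of inactivity.
 ** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
 ** Otherwise, the default value is `disabled`.
 
-
-The value of this setting affects the keys for the Beats connection's metadata on the event:
-
-.Metadata Location by `ecs_compatibility` value
-[cols="<l,<l,e,<e"]
-|=======================================================================
-|`disabled` |`v1` |Availability |Description
-
-|[host] |[@metadata][input][beats][host][name] |Always |Name or address of the beat host
-|[@metadata][ip_address] |[@metadata][input][beats][host][ip] |Always |IP address of the Beats client
-|[@metadata][tls_peer][status] | [@metadata][tls_peer][status] | When SSL related fields are populated | Contains "verified"/"unverified" labels in `disabled`, `true`/`false` in `v1`
-|[@metadata][tls_peer][protocol] | [@metadata][input][beats][tls][version_protocol] | When SSL status is "verified" | Contains the TLS version used (e.g. `TLSv1.2`)
-|[@metadata][tls_peer][subject] | [@metadata][input][beats][tls][client][subject] | When SSL status is "verified" | Contains the identity name of the remote end (e.g. `CN=artifacts-no-kpi.elastic.co`)
-|[@metadata][tls_peer][cipher_suite] | [@metadata][input][beats][tls][cipher] | When SSL status is "verified" | Contains the name of cipher suite used (e.g. `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`)
-|=======================================================================
+Refer to <<plugins-{type}s-{plugin}-ecs_metadata,ECS mapping>> for detailed information.
 
 [id="plugins-{type}s-{plugin}-host"]
 ===== `host`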
@@ -8,4 +8,4 @@ require_jar('com.fasterxml.jackson.core', 'jackson-annotations', '2.9.10')
|
|
8
8
|
require_jar('com.fasterxml.jackson.core', 'jackson-databind', '2.9.10.4')
|
9
9
|
require_jar('com.fasterxml.jackson.module', 'jackson-module-afterburner', '2.9.10')
|
10
10
|
require_jar('org.apache.logging.log4j', 'log4j-api', '2.11.1')
|
11
|
-
require_jar('org.logstash.beats', 'logstash-input-beats', '6.1.
|
11
|
+
require_jar('org.logstash.beats', 'logstash-input-beats', '6.1.1')
|
@@ -44,7 +44,7 @@ describe LogStash::Inputs::Beats::DecodedEventTransform do
|
|
44
44
|
context "map contains a timestamp" do
|
45
45
|
context "when its valid" do
|
46
46
|
let(:timestamp) { Time.now }
|
47
|
-
let(:map) { super.merge({"@timestamp" => timestamp }) }
|
47
|
+
let(:map) { super().merge({"@timestamp" => timestamp }) }
|
48
48
|
|
49
49
|
it "uses as the event timestamp" do
|
50
50
|
expect(subject.get("@timestamp")).to eq(LogStash::Timestamp.coerce(timestamp))
|
@@ -52,7 +52,7 @@ describe LogStash::Inputs::Beats::DecodedEventTransform do
|
|
52
52
|
end
|
53
53
|
|
54
54
|
context "when its not valid" do
|
55
|
-
let(:map) { super.merge({"@timestamp" => "invalid" }) }
|
55
|
+
let(:map) { super().merge({"@timestamp" => "invalid" }) }
|
56
56
|
|
57
57
|
it "fallback the current time" do
|
58
58
|
expect(subject.get("@timestamp")).to be_kind_of(LogStash::Timestamp)
|
data/spec/inputs/beats_spec.rb
CHANGED
@@ -25,7 +25,7 @@ describe LogStash::Inputs::Beats do
|
|
25
25
|
|
26
26
|
context "#register" do
|
27
27
|
context "host related configuration" do
|
28
|
-
let(:config) { super.merge("host" => host, "port" => port, "client_inactivity_timeout" => client_inactivity_timeout, "executor_threads" => threads) }
|
28
|
+
let(:config) { super().merge("host" => host, "port" => port, "client_inactivity_timeout" => client_inactivity_timeout, "executor_threads" => threads) }
|
29
29
|
let(:host) { "192.168.1.20" }
|
30
30
|
let(:port) { 9000 }
|
31
31
|
let(:client_inactivity_timeout) { 400 }
|
@@ -76,7 +76,7 @@ describe LogStash::Inputs::Beats do
|
|
76
76
|
end
|
77
77
|
|
78
78
|
context "with invalid ciphers" do
|
79
|
-
let(:config) { super.merge("ssl" => true, "cipher_suites" => "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38") }
|
79
|
+
let(:config) { super().merge("ssl" => true, "cipher_suites" => "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38") }
|
80
80
|
|
81
81
|
it "should raise a configuration error" do
|
82
82
|
plugin = LogStash::Inputs::Beats.new(config)
|
@@ -90,7 +90,7 @@ describe LogStash::Inputs::Beats do
|
|
90
90
|
|
91
91
|
context "verify_mode" do
|
92
92
|
context "verify_mode configured to PEER" do
|
93
|
-
let(:config) { super.merge("ssl" => true, "ssl_verify_mode" => "peer") }
|
93
|
+
let(:config) { super().merge("ssl" => true, "ssl_verify_mode" => "peer") }
|
94
94
|
|
95
95
|
it "raise a ConfigurationError when certificate_authorities is not set" do
|
96
96
|
plugin = LogStash::Inputs::Beats.new(config)
|
@@ -105,7 +105,7 @@ describe LogStash::Inputs::Beats do
|
|
105
105
|
end
|
106
106
|
|
107
107
|
context "verify_mode configured to FORCE_PEER" do
|
108
|
-
let(:config) { super.merge("ssl" => true, "ssl_verify_mode" => "force_peer") }
|
108
|
+
let(:config) { super().merge("ssl" => true, "ssl_verify_mode" => "force_peer") }
|
109
109
|
|
110
110
|
it "raise a ConfigurationError when certificate_authorities is not set" do
|
111
111
|
plugin = LogStash::Inputs::Beats.new(config)
|
@@ -154,7 +154,7 @@ describe LogStash::Inputs::Beats do
|
|
154
154
|
let(:codec) { LogStash::Codecs::Multiline.new("pattern" => '^2015',
|
155
155
|
"what" => "previous",
|
156
156
|
"negate" => true) }
|
157
|
-
let(:config) { super.merge({ "codec" => codec }) }
|
157
|
+
let(:config) { super().merge({ "codec" => codec }) }
|
158
158
|
|
159
159
|
it "raise a ConfigurationError when multiline codec is set" do
|
160
160
|
plugin = LogStash::Inputs::Beats.new(config)
|
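Review bot: In the "with invalid ciphers" context (hunk at -76,7) the value `"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38"` differs from a real suite name only by a missing final `4`, and nothing tells a reader that the truncation is deliberate, so it reads like a typo. It is also passed as a bare String although `cipher_suites` is documented as an array, so the negative test may be leaning on config coercion rather than on the suite lookup alone. I would write `let(:config) { super().merge("ssl" => true, "cipher_suites" => ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38"]) }` and put `# deliberately truncated (valid name ends in SHA384): must be rejected as an unknown suite` above it. The `it` block that asserts the configuration error continues outside the hunk.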
@@ -86,7 +86,7 @@ describe "Filebeat", :integration => true do
|
|
86
86
|
end
|
87
87
|
|
88
88
|
context "without pipelining" do
|
89
|
-
let(:filebeat_config) { config = super; config["output"]["logstash"]["pipelining"] = 0; config }
|
89
|
+
let(:filebeat_config) { config = super(); config["output"]["logstash"]["pipelining"] = 0; config }
|
90
90
|
include_examples "send events"
|
91
91
|
|
92
92
|
context "with large batches" do
|
@@ -99,7 +99,7 @@ describe "Filebeat", :integration => true do
|
|
99
99
|
context "TLS" do
|
100
100
|
context "Server verification" do
|
101
101
|
let(:filebeat_config) do
|
102
|
-
super.merge({
|
102
|
+
super().merge({
|
103
103
|
"output" => {
|
104
104
|
"logstash" => {
|
105
105
|
"hosts" => ["#{host}:#{port}"],
|
@@ -111,7 +111,7 @@ describe "Filebeat", :integration => true do
|
|
111
111
|
end
|
112
112
|
|
113
113
|
let(:input_config) do
|
114
|
-
super.merge({
|
114
|
+
super().merge({
|
115
115
|
"ssl" => true,
|
116
116
|
"ssl_certificate" => certificate_file,
|
117
117
|
"ssl_key" => certificate_key_file
|
@@ -129,7 +129,7 @@ describe "Filebeat", :integration => true do
|
|
129
129
|
|
130
130
|
context "when specifying a cipher" do
|
131
131
|
let(:filebeat_config) do
|
132
|
-
super.merge({
|
132
|
+
super().merge({
|
133
133
|
"output" => {
|
134
134
|
"logstash" => {
|
135
135
|
"hosts" => ["#{host}:#{port}"],
|
@@ -145,7 +145,7 @@ describe "Filebeat", :integration => true do
|
|
145
145
|
end
|
146
146
|
|
147
147
|
let(:input_config) {
|
148
|
-
super.merge({
|
148
|
+
super().merge({
|
149
149
|
"cipher_suites" => [logstash_cipher],
|
150
150
|
"tls_min_version" => "1.2"
|
151
151
|
})
|
@@ -194,7 +194,7 @@ describe "Filebeat", :integration => true do
|
|
194
194
|
LogStash::Inputs::Beats.new(input_config)
|
195
195
|
}
|
196
196
|
let(:input_config) {
|
197
|
-
super.merge({
|
197
|
+
super().merge({
|
198
198
|
"ssl_key_passphrase" => passphrase,
|
199
199
|
"ssl_key" => certificate_key_file_pkcs8
|
200
200
|
})}
|
@@ -229,7 +229,7 @@ describe "Filebeat", :integration => true do
|
|
229
229
|
|
230
230
|
context "Client verification / Mutual validation" do
|
231
231
|
let(:filebeat_config) do
|
232
|
-
super.merge({
|
232
|
+
super().merge({
|
233
233
|
"output" => {
|
234
234
|
"logstash" => {
|
235
235
|
"hosts" => ["#{host}:#{port}"],
|
@@ -245,7 +245,7 @@ describe "Filebeat", :integration => true do
|
|
245
245
|
end
|
246
246
|
|
247
247
|
let(:input_config) do
|
248
|
-
super.merge({
|
248
|
+
super().merge({
|
249
249
|
"ssl" => true,
|
250
250
|
"ssl_certificate_authorities" => certificate_authorities,
|
251
251
|
"ssl_certificate" => server_certificate_file,
|
@@ -327,7 +327,7 @@ describe "Filebeat", :integration => true do
|
|
327
327
|
|
328
328
|
context "client from secondary CA" do
|
329
329
|
let(:filebeat_config) do
|
330
|
-
super.merge({
|
330
|
+
super().merge({
|
331
331
|
"output" => {
|
332
332
|
"logstash" => {
|
333
333
|
"hosts" => ["#{host}:#{port}"],
|
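Review bot: In the "without pipelining" context (hunk at -86,7) the `let` packs three statements onto one line with semicolons and assigns into the hash returned by `super()` in place, while the other overrides visible in this file's hunks build a new hash with `super().merge(...)`. Whether the parent `filebeat_config` can be shared between callers is not visible here, so the in-place write is a readability concern first and only possibly an isolation one. A clearer form is `let(:filebeat_config) { super().tap { |c| c["output"]["logstash"]["pipelining"] = 0 } }`, with a deep copy before the assignment if the parent value must stay untouched.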
@@ -74,7 +74,7 @@ describe "Logstash-Forwarder", :integration => true do
|
|
74
74
|
context "TLS" do
|
75
75
|
context "Server Verification" do
|
76
76
|
let(:input_config) do
|
77
|
-
super.merge({
|
77
|
+
super().merge({
|
78
78
|
"ssl" => true,
|
79
79
|
"ssl_certificate" => certificate_file,
|
80
80
|
"ssl_key" => certificate_key_file,
|
@@ -32,12 +32,12 @@ shared_examples "Common Event Transformation" do |ecs_compatibility, host_field_
|
|
32
32
|
end
|
33
33
|
|
34
34
|
context 'when add_hostname is true' do
|
35
|
-
let(:config) { super.merge({'add_hostname' => true, 'ecs_compatibility' => ecs_compatibility})}
|
35
|
+
let(:config) { super().merge({'add_hostname' => true, 'ecs_compatibility' => ecs_compatibility})}
|
36
36
|
|
37
37
|
context 'when a host is provided in beat.host.name' do
|
38
38
|
let(:already_exist) { "already_exist" }
|
39
39
|
let(:producer_host) { "newhost01" }
|
40
|
-
let(:event_map) { super.merge({ "beat" => { "host" => {"name" => producer_host }}}) }
|
40
|
+
let(:event_map) { super().merge({ "beat" => { "host" => {"name" => producer_host }}}) }
|
41
41
|
|
42
42
|
context "when no `host` key already exists on the event" do
|
43
43
|
it "does not set the host value" do
|
@@ -47,7 +47,7 @@ shared_examples "Common Event Transformation" do |ecs_compatibility, host_field_
|
|
47
47
|
|
48
48
|
context "when `host` key exists on the event" do
|
49
49
|
let(:already_exist) { "already_exist" }
|
50
|
-
let(:event_map) { super.merge({ "host" => already_exist }) }
|
50
|
+
let(:event_map) { super().merge({ "host" => already_exist }) }
|
51
51
|
|
52
52
|
it "doesn't override it" do
|
53
53
|
expect(subject.get("host")).to eq(already_exist)
|
@@ -57,7 +57,7 @@ shared_examples "Common Event Transformation" do |ecs_compatibility, host_field_
|
|
57
57
|
|
58
58
|
context "when a host is set in `beat.hostname`" do
|
59
59
|
let(:producer_host) { "newhost01" }
|
60
|
-
let(:event_map) { super.merge({ "beat" => { "hostname" => producer_host }}) }
|
60
|
+
let(:event_map) { super().merge({ "beat" => { "hostname" => producer_host }}) }
|
61
61
|
|
62
62
|
context "when no `#{host_field_name}` key already exists on the event" do
|
63
63
|
it "copies the value in `beat.hostname` to `#{host_field_name}`" do
|
@@ -67,7 +67,7 @@ shared_examples "Common Event Transformation" do |ecs_compatibility, host_field_
|
|
67
67
|
|
68
68
|
context "when `#{host_field_name}` key exists on the event" do
|
69
69
|
let(:already_exist) { "already_exist" }
|
70
|
-
let(:event_map) { super.merge(key_as_nested_maps(host_field_name, already_exist)) }
|
70
|
+
let(:event_map) { super().merge(key_as_nested_maps(host_field_name, already_exist)) }
|
71
71
|
|
72
72
|
it "doesn't override it" do
|
73
73
|
expect(subject.get(host_field_name)).to eq(already_exist)
|
@@ -84,7 +84,7 @@ shared_examples "Common Event Transformation" do |ecs_compatibility, host_field_
|
|
84
84
|
|
85
85
|
context "when `#{host_field_name}` key already exists on the event" do
|
86
86
|
let(:already_exist) { "already_exist" }
|
87
|
-
let(:event_map) { super.merge(key_as_nested_maps(host_field_name, already_exist)) }
|
87
|
+
let(:event_map) { super().merge(key_as_nested_maps(host_field_name, already_exist)) }
|
88
88
|
|
89
89
|
it "doesn't override it" do
|
90
90
|
expect(subject.get(host_field_name)).to eq(already_exist)
|
@@ -94,12 +94,12 @@ shared_examples "Common Event Transformation" do |ecs_compatibility, host_field_
|
|
94
94
|
end
|
95
95
|
|
96
96
|
context 'when add hostname is false' do
|
97
|
-
let(:config) { super.merge({'add_hostname' => false})}
|
97
|
+
let(:config) { super().merge({'add_hostname' => false})}
|
98
98
|
|
99
99
|
context 'when a host is provided in beat.host.name' do
|
100
100
|
let(:already_exist) { "already_exist" }
|
101
101
|
let(:producer_host) { "newhost01" }
|
102
|
-
let(:event_map) { super.merge({ "beat" => { "host" => {"name" => producer_host }}}) }
|
102
|
+
let(:event_map) { super().merge({ "beat" => { "host" => {"name" => producer_host }}}) }
|
103
103
|
|
104
104
|
context "when no `#{host_field_name}` key already exists on the event" do
|
105
105
|
it "does not set the host" do
|
@@ -109,7 +109,7 @@ shared_examples "Common Event Transformation" do |ecs_compatibility, host_field_
|
|
109
109
|
|
110
110
|
context "when `#{host_field_name}` key already exists on the event" do
|
111
111
|
let(:already_exist) { "already_exist" }
|
112
|
-
let(:event_map) { super.merge(key_as_nested_maps(host_field_name, already_exist)) }
|
112
|
+
let(:event_map) { super().merge(key_as_nested_maps(host_field_name, already_exist)) }
|
113
113
|
|
114
114
|
it "doesn't override it" do
|
115
115
|
expect(subject.get(host_field_name)).to eq(already_exist)
|
@@ -119,7 +119,7 @@ shared_examples "Common Event Transformation" do |ecs_compatibility, host_field_
|
|
119
119
|
|
120
120
|
context "when a host is provided in `beat.hostname`" do
|
121
121
|
let(:producer_host) { "newhost01" }
|
122
|
-
let(:event_map) { super.merge({ "beat" => { "hostname" => producer_host }}) }
|
122
|
+
let(:event_map) { super().merge({ "beat" => { "hostname" => producer_host }}) }
|
123
123
|
|
124
124
|
context "when no `#{host_field_name}` key already exists on the event" do
|
125
125
|
it "does not set the host" do
|
@@ -129,7 +129,7 @@ shared_examples "Common Event Transformation" do |ecs_compatibility, host_field_
|
|
129
129
|
|
130
130
|
context "when `host` key already exists on the event" do
|
131
131
|
let(:already_exist) { "already_exist" }
|
132
|
-
let(:event_map) { super.merge(key_as_nested_maps(host_field_name, already_exist)) }
|
132
|
+
let(:event_map) { super().merge(key_as_nested_maps(host_field_name, already_exist)) }
|
133
133
|
|
134
134
|
it "doesn't override it" do
|
135
135
|
expect(subject.get(host_field_name)).to eq(already_exist)
|
@@ -146,7 +146,7 @@ shared_examples "Common Event Transformation" do |ecs_compatibility, host_field_
|
|
146
146
|
|
147
147
|
context "when `#{host_field_name}` key already exists on the event" do
|
148
148
|
let(:already_exist) { "already_exist" }
|
149
|
-
let(:event_map) { super.merge(key_as_nested_maps(host_field_name, already_exist)) }
|
149
|
+
let(:event_map) { super().merge(key_as_nested_maps(host_field_name, already_exist)) }
|
150
150
|
|
151
151
|
it "doesn't override it" do
|
152
152
|
expect(subject.get(host_field_name)).to eq(already_exist)
|
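Review bot: The `when add hostname is false` context (hunk at -94,12) builds its config as `super().merge({'add_hostname' => false})` and does not pass `ecs_compatibility`, whereas the `when add_hostname is true` context (hunk at -32,12) merges `'ecs_compatibility' => ecs_compatibility`. Unless the enclosing `config` already carries that key, which is not visible in these hunks, the false branch runs under the plugin's default mode for every invocation of the shared examples while its assertions still use `host_field_name`. I would make the two symmetric: `let(:config) { super().merge({'add_hostname' => false, 'ecs_compatibility' => ecs_compatibility}) }`. Both contexts continue outside their hunks.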
Binary file
|
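--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-input-beats
 version: !ruby/object:Gem::Version
-version: 6.1.
+version: 6.1.1
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-
+date: 2021-03-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement
@@ -248,6 +248,7 @@ files:
 - PROTOCOL.md
 - README.md
 - VERSION
+- docs/agent.asciidoc
 - docs/index.asciidoc
 - lib/logstash-input-beats_jars.rb
 - lib/logstash/inputs/beats.rb
@@ -285,7 +286,7 @@ files:
 - vendor/jar-dependencies/io/netty/netty-all/4.1.49.Final/netty-all-4.1.49.Final.jar
 - vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.11.1/log4j-api-2.11.1.jar
 - vendor/jar-dependencies/org/javassist/javassist/3.24.0-GA/javassist-3.24.0-GA.jar
-- vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/6.1.
+- vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/6.1.1/logstash-input-beats-6.1.1.jar
 homepage: http://www.elastic.co/guide/en/logstash/current/index.html
 licenses:
 - Apache License (2.0)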