logstash-input-beats 6.1.0-java → 6.1.1-java
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -3
- data/VERSION +1 -1
- data/docs/agent.asciidoc +320 -0
- data/docs/index.asciidoc +14 -16
- data/lib/logstash-input-beats_jars.rb +1 -1
- data/spec/inputs/beats/decoded_event_transform_spec.rb +2 -2
- data/spec/inputs/beats_spec.rb +5 -5
- data/spec/integration/filebeat_spec.rb +9 -9
- data/spec/integration/logstash_forwarder_spec.rb +1 -1
- data/spec/support/shared_examples.rb +12 -12
- data/vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/{6.1.0/logstash-input-beats-6.1.0.jar → 6.1.1/logstash-input-beats-6.1.1.jar} +0 -0
- metadata +4 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 6def71232c684cd74e5be5913809fbfa34a5922f600e433174ebe323525d7936
|
4
|
+
data.tar.gz: 27f0ebc4bd488cc3ccd64cec8a64194eae87484f6af55d02a00fae95dcaae45c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 10b2fdc15611ca30aaba8fafb79b53588188788a96ca6a906fbef53c2c9d6f950e56ba53e0c961c1edb09c3d85a70f91f4b58b7979cf9b77f9894e25220e1733
|
7
|
+
data.tar.gz: dfc2a89ffba6de5955d2bfd6c8c0862d5d594d4762a4a608da64d85017e0b46086bc0028b3c89717d19839a36c7261348ab498123f2caa313e060ee7ffe2811a
|
data/CHANGELOG.md
CHANGED
@@ -1,7 +1,10 @@
|
|
1
|
+
## 6.1.1
|
2
|
+
- [DOC] Enhanced ECS compatibility information for ease of use and readability
|
3
|
+
[#413](https://github.com/logstash-plugins/logstash-input-beats/pull/413)
|
4
|
+
|
1
5
|
## 6.1.0
|
2
|
-
- ECS compatibility enablement
|
3
|
-
|
4
|
-
`host` and `@metadata.ip_address` event fields. [404](https://github.com/logstash-plugins/logstash-input-beats/pull/404)
|
6
|
+
- ECS compatibility enablement. Adds `ecs_compatibility` setting to declare the level of ECS compatibility (`disabled` or `v1`) at plugin level. When `disabled`, the plugin behaves like before, while `v1` does a rename of
|
7
|
+
`host` and `@metadata.ip_address` event fields. [#404](https://github.com/logstash-plugins/logstash-input-beats/pull/404)
|
5
8
|
|
6
9
|
## 6.0.14
|
7
10
|
- Feat: log + unwrap generic SSL context exceptions [#405](https://github.com/logstash-plugins/logstash-input-beats/pull/405)
|
data/VERSION
CHANGED
@@ -1 +1 @@
|
|
1
|
-
6.1.
|
1
|
+
6.1.1
|
data/docs/agent.asciidoc
ADDED
@@ -0,0 +1,320 @@
|
|
1
|
+
:plugin: agent
|
2
|
+
:type: input
|
3
|
+
:default_codec: plain
|
4
|
+
|
5
|
+
///////////////////////////////////////////
|
6
|
+
START - GENERATED VARIABLES, DO NOT EDIT!
|
7
|
+
///////////////////////////////////////////
|
8
|
+
|
9
|
+
// Copied from Beats generated plugin output.
|
10
|
+
// Not actively generated at this time!
|
11
|
+
|
12
|
+
////
|
13
|
+
:version: %VERSION%
|
14
|
+
:release_date: %RELEASE_DATE%
|
15
|
+
:changelog_url: %CHANGELOG_URL%
|
16
|
+
:include_path: ../../../../logstash/docs/include
|
17
|
+
////
|
18
|
+
|
19
|
+
///////////////////////////////////////////
|
20
|
+
END - GENERATED VARIABLES, DO NOT EDIT!
|
21
|
+
///////////////////////////////////////////
|
22
|
+
|
23
|
+
[id="plugins-{type}s-{plugin}"]
|
24
|
+
|
25
|
+
=== Agent input plugin
|
26
|
+
|
27
|
+
include::{include_path}/plugin_header.asciidoc[]
|
28
|
+
|
29
|
+
==== Description
|
30
|
+
|
31
|
+
This input plugin enables Logstash to receive events from the
|
32
|
+
https://www.elastic.co/products/beats[Elastic Beats] framework.
|
33
|
+
|
34
|
+
The following example shows how to configure Logstash to listen on port
|
35
|
+
5044 for incoming Beats connections and to index into Elasticsearch.
|
36
|
+
|
37
|
+
[source,logstash]
|
38
|
+
-----
|
39
|
+
|
40
|
+
input {
|
41
|
+
beats {
|
42
|
+
port => 5044
|
43
|
+
}
|
44
|
+
}
|
45
|
+
|
46
|
+
output {
|
47
|
+
elasticsearch {
|
48
|
+
hosts => ["http://localhost:9200"]
|
49
|
+
index => "%{[@metadata][beat]}-%{[@metadata][version]}" <1>
|
50
|
+
}
|
51
|
+
}
|
52
|
+
-----
|
53
|
+
<1> `%{[@metadata][beat]}` sets the first part of the index name to the value
|
54
|
+
of the `beat` metadata field and `%{[@metadata][version]}` sets the second part to
|
55
|
+
the Beat's version. For example:
|
56
|
+
metricbeat-7.4.0.
|
57
|
+
|
58
|
+
Events indexed into Elasticsearch with the Logstash configuration shown here
|
59
|
+
will be similar to events directly indexed by Beats into Elasticsearch.
|
60
|
+
|
61
|
+
NOTE: If ILM is not being used, set `index` to
|
62
|
+
`%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}` instead so
|
63
|
+
Logstash creates an index per day, based on the `@timestamp` value of the events
|
64
|
+
coming from Beats.
|
65
|
+
|
66
|
+
IMPORTANT: If you are shipping events that span multiple lines, you need to use
|
67
|
+
the {filebeat-ref}/multiline-examples.html[configuration options available in
|
68
|
+
Filebeat] to handle multiline events before sending the event data to Logstash.
|
69
|
+
You cannot use the {logstash-ref}/plugins-codecs-multiline.html[Multiline codec
|
70
|
+
plugin] to handle multiline events. Doing so will result in the failure to start
|
71
|
+
Logstash.
|
72
|
+
|
73
|
+
[id="plugins-{type}s-{plugin}-versioned-indexes"]
|
74
|
+
==== Versioned Beats Indices
|
75
|
+
|
76
|
+
To minimize the impact of future schema changes on your existing indices and
|
77
|
+
mappings in Elasticsearch, configure the Elasticsearch output to write to
|
78
|
+
versioned indices. The pattern that you specify for the `index` setting
|
79
|
+
controls the index name:
|
80
|
+
|
81
|
+
[source,yaml]
|
82
|
+
----
|
83
|
+
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
|
84
|
+
----
|
85
|
+
|
86
|
+
`%{[@metadata][beat]}`:: Sets the first part of the index name to the value of
|
87
|
+
the `beat` metadata field, for example, `filebeat`.
|
88
|
+
`%{[@metadata][version]}`:: Sets the second part of the name to the Beat
|
89
|
+
version, for example, +{logstash_version}+.
|
90
|
+
`%{+YYYY.MM.dd}`:: Sets the third part of the name to a date based on the
|
91
|
+
Logstash `@timestamp` field.
|
92
|
+
|
93
|
+
This configuration results in daily index names like
|
94
|
+
+filebeat-{logstash_version}-{localdate}+.
|
95
|
+
|
96
|
+
|
97
|
+
[id="plugins-{type}s-{plugin}-ecs_metadata"]
|
98
|
+
==== Event Metadata and the Elastic Common Schema (ECS)
|
99
|
+
When decoding `beats` events, this plugin adds two fields related to the event: the deprecated `host`
|
100
|
+
which contains the `hostname` provided by beats and the `ip_address` containing the remote address
|
101
|
+
of the client's connection. When <<plugins-{type}s-{plugin}-ecs_compatibility,ECS compatibility mode>> is
|
102
|
+
enabled these are now moved in ECS compatible namespace.
|
103
|
+
|
104
|
+
[id="plugins-{type}s-{plugin}-options"]
|
105
|
+
==== Agent Input Configuration Options
|
106
|
+
|
107
|
+
This plugin supports the following configuration options plus the <<plugins-{type}s-{plugin}-common-options>> described later.
|
108
|
+
|
109
|
+
[cols="<,<,<",options="header",]
|
110
|
+
|=======================================================================
|
111
|
+
|Setting |Input type|Required
|
112
|
+
| <<plugins-{type}s-{plugin}-add_hostname>> |<<boolean,boolean>>|No
|
113
|
+
| <<plugins-{type}s-{plugin}-cipher_suites>> |<<array,array>>|No
|
114
|
+
| <<plugins-{type}s-{plugin}-client_inactivity_timeout>> |<<number,number>>|No
|
115
|
+
| <<plugins-{type}s-{plugin}-ecs_compatibility>> | <<string,string>>|No
|
116
|
+
| <<plugins-{type}s-{plugin}-host>> |<<string,string>>|No
|
117
|
+
| <<plugins-{type}s-{plugin}-include_codec_tag>> |<<boolean,boolean>>|No
|
118
|
+
| <<plugins-{type}s-{plugin}-port>> |<<number,number>>|Yes
|
119
|
+
| <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|No
|
120
|
+
| <<plugins-{type}s-{plugin}-ssl_certificate>> |a valid filesystem path|No
|
121
|
+
| <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |<<array,array>>|No
|
122
|
+
| <<plugins-{type}s-{plugin}-ssl_handshake_timeout>> |<<number,number>>|No
|
123
|
+
| <<plugins-{type}s-{plugin}-ssl_key>> |a valid filesystem path|No
|
124
|
+
| <<plugins-{type}s-{plugin}-ssl_key_passphrase>> |<<password,password>>|No
|
125
|
+
| <<plugins-{type}s-{plugin}-ssl_verify_mode>> |<<string,string>>, one of `["none", "peer", "force_peer"]`|No
|
126
|
+
| <<plugins-{type}s-{plugin}-ssl_peer_metadata>> |<<boolean,boolean>>|No
|
127
|
+
| <<plugins-{type}s-{plugin}-tls_max_version>> |<<number,number>>|No
|
128
|
+
| <<plugins-{type}s-{plugin}-tls_min_version>> |<<number,number>>|No
|
129
|
+
|=======================================================================
|
130
|
+
|
131
|
+
Also see <<plugins-{type}s-{plugin}-common-options>> for a list of options supported by all
|
132
|
+
input plugins.
|
133
|
+
|
134
|
+
|
135
|
+
|
136
|
+
[id="plugins-{type}s-{plugin}-add_hostname"]
|
137
|
+
===== `add_hostname`
|
138
|
+
|
139
|
+
deprecated[6.0.0, The default value has been changed to `false`. In 7.0.0 this setting will be removed]
|
140
|
+
|
141
|
+
* Value type is <<boolean,boolean>>
|
142
|
+
* Default value is `false`
|
143
|
+
|
144
|
+
Flag to determine whether to add `host` field to event using the value supplied by the beat in the `hostname` field.
|
145
|
+
|
146
|
+
|
147
|
+
[id="plugins-{type}s-{plugin}-cipher_suites"]
|
148
|
+
===== `cipher_suites`
|
149
|
+
|
150
|
+
* Value type is <<array,array>>
|
151
|
+
* Default value is `java.lang.String[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]@459cfcca`
|
152
|
+
|
153
|
+
The list of ciphers suite to use, listed by priorities.
|
154
|
+
|
155
|
+
[id="plugins-{type}s-{plugin}-client_inactivity_timeout"]
|
156
|
+
===== `client_inactivity_timeout`
|
157
|
+
|
158
|
+
* Value type is <<number,number>>
|
159
|
+
* Default value is `60`
|
160
|
+
|
161
|
+
Close Idle clients after X seconds of inactivity.
|
162
|
+
|
163
|
+
[id="plugins-{type}s-{plugin}-ecs_compatibility"]
|
164
|
+
===== `ecs_compatibility`
|
165
|
+
|
166
|
+
* Value type is <<string,string>>
|
167
|
+
* Supported values are:
|
168
|
+
** `disabled`: unstructured connection metadata added at root level
|
169
|
+
** `v1`: structured connection metadata added under ECS compliant namespaces
|
170
|
+
* Default value depends on which version of Logstash is running:
|
171
|
+
** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
|
172
|
+
** Otherwise, the default value is `disabled`.
|
173
|
+
|
174
|
+
Controls this plugin's compatibility with the {ecs-ref}[Elastic Common Schema (ECS)].
|
175
|
+
The value of this setting affects the keys for the Beats connection's metadata on the event:
|
176
|
+
|
177
|
+
.Metadata Location by `ecs_compatibility` value
|
178
|
+
[cols="<l,<l,e,<e"]
|
179
|
+
|=======================================================================
|
180
|
+
|`disabled` |`v1` |Availability |Description
|
181
|
+
|
182
|
+
|[host] |[@metadata][input][beats][host][name] |Always |Name or address of the beat host
|
183
|
+
|[@metadata][ip_address] |[@metadata][input][beats][host][ip] |Always |IP address of the Beats client
|
184
|
+
|[@metadata][tls_peer][status] | [@metadata][tls_peer][status] | When SSL related fields are populated | Contains "verified"/"unverified" labels in `disabled`, `true`/`false` in `v1`
|
185
|
+
|[@metadata][tls_peer][protocol] | [@metadata][input][beats][tls][version_protocol] | When SSL status is "verified" | Contains the TLS version used (e.g. `TLSv1.2`)
|
186
|
+
|[@metadata][tls_peer][subject] | [@metadata][input][beats][tls][client][subject] | When SSL status is "verified" | Contains the identity name of the remote end (e.g. `CN=artifacts-no-kpi.elastic.co`)
|
187
|
+
|[@metadata][tls_peer][cipher_suite] | [@metadata][input][beats][tls][cipher] | When SSL status is "verified" | Contains the name of cipher suite used (e.g. `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`)
|
188
|
+
|=======================================================================
|
189
|
+
|
190
|
+
[id="plugins-{type}s-{plugin}-host"]
|
191
|
+
===== `host`
|
192
|
+
|
193
|
+
* Value type is <<string,string>>
|
194
|
+
* Default value is `"0.0.0.0"`
|
195
|
+
|
196
|
+
The IP address to listen on.
|
197
|
+
|
198
|
+
[id="plugins-{type}s-{plugin}-include_codec_tag"]
|
199
|
+
===== `include_codec_tag`
|
200
|
+
|
201
|
+
* Value type is <<boolean,boolean>>
|
202
|
+
* Default value is `true`
|
203
|
+
|
204
|
+
|
205
|
+
|
206
|
+
[id="plugins-{type}s-{plugin}-port"]
|
207
|
+
===== `port`
|
208
|
+
|
209
|
+
* This is a required setting.
|
210
|
+
* Value type is <<number,number>>
|
211
|
+
* There is no default value for this setting.
|
212
|
+
|
213
|
+
The port to listen on.
|
214
|
+
|
215
|
+
[id="plugins-{type}s-{plugin}-ssl"]
|
216
|
+
===== `ssl`
|
217
|
+
|
218
|
+
* Value type is <<boolean,boolean>>
|
219
|
+
* Default value is `false`
|
220
|
+
|
221
|
+
Events are by default sent in plain text. You can
|
222
|
+
enable encryption by setting `ssl` to true and configuring
|
223
|
+
the `ssl_certificate` and `ssl_key` options.
|
224
|
+
|
225
|
+
[id="plugins-{type}s-{plugin}-ssl_certificate"]
|
226
|
+
===== `ssl_certificate`
|
227
|
+
|
228
|
+
* Value type is <<path,path>>
|
229
|
+
* There is no default value for this setting.
|
230
|
+
|
231
|
+
SSL certificate to use.
|
232
|
+
|
233
|
+
[id="plugins-{type}s-{plugin}-ssl_certificate_authorities"]
|
234
|
+
===== `ssl_certificate_authorities`
|
235
|
+
|
236
|
+
* Value type is <<array,array>>
|
237
|
+
* Default value is `[]`
|
238
|
+
|
239
|
+
Validate client certificates against these authorities.
|
240
|
+
You can define multiple files or paths. All the certificates will
|
241
|
+
be read and added to the trust store. You need to configure the `ssl_verify_mode`
|
242
|
+
to `peer` or `force_peer` to enable the verification.
|
243
|
+
|
244
|
+
|
245
|
+
[id="plugins-{type}s-{plugin}-ssl_handshake_timeout"]
|
246
|
+
===== `ssl_handshake_timeout`
|
247
|
+
|
248
|
+
* Value type is <<number,number>>
|
249
|
+
* Default value is `10000`
|
250
|
+
|
251
|
+
Time in milliseconds for an incomplete ssl handshake to timeout
|
252
|
+
|
253
|
+
[id="plugins-{type}s-{plugin}-ssl_key"]
|
254
|
+
===== `ssl_key`
|
255
|
+
|
256
|
+
* Value type is <<path,path>>
|
257
|
+
* There is no default value for this setting.
|
258
|
+
|
259
|
+
SSL key to use.
|
260
|
+
NOTE: This key need to be in the PKCS8 format, you can convert it with https://www.openssl.org/docs/man1.1.0/apps/pkcs8.html[OpenSSL]
|
261
|
+
for more information.
|
262
|
+
|
263
|
+
[id="plugins-{type}s-{plugin}-ssl_key_passphrase"]
|
264
|
+
===== `ssl_key_passphrase`
|
265
|
+
|
266
|
+
* Value type is <<password,password>>
|
267
|
+
* There is no default value for this setting.
|
268
|
+
|
269
|
+
SSL key passphrase to use.
|
270
|
+
|
271
|
+
[id="plugins-{type}s-{plugin}-ssl_verify_mode"]
|
272
|
+
===== `ssl_verify_mode`
|
273
|
+
|
274
|
+
* Value can be any of: `none`, `peer`, `force_peer`
|
275
|
+
* Default value is `"none"`
|
276
|
+
|
277
|
+
By default the server doesn't do any client verification.
|
278
|
+
|
279
|
+
`peer` will make the server ask the client to provide a certificate.
|
280
|
+
If the client provides a certificate, it will be validated.
|
281
|
+
|
282
|
+
`force_peer` will make the server ask the client to provide a certificate.
|
283
|
+
If the client doesn't provide a certificate, the connection will be closed.
|
284
|
+
|
285
|
+
This option needs to be used with `ssl_certificate_authorities` and a defined list of CAs.
|
286
|
+
|
287
|
+
[id="plugins-{type}s-{plugin}-ssl_peer_metadata"]
|
288
|
+
===== `ssl_peer_metadata`
|
289
|
+
|
290
|
+
* Value type is <<boolean,boolean>>
|
291
|
+
* Default value is `false`
|
292
|
+
|
293
|
+
Enables storing client certificate information in event's metadata.
|
294
|
+
|
295
|
+
This option is only valid when `ssl_verify_mode` is set to `peer` or `force_peer`.
|
296
|
+
|
297
|
+
[id="plugins-{type}s-{plugin}-tls_max_version"]
|
298
|
+
===== `tls_max_version`
|
299
|
+
|
300
|
+
* Value type is <<number,number>>
|
301
|
+
* Default value is `1.2`
|
302
|
+
|
303
|
+
The maximum TLS version allowed for the encrypted connections. The value must be the one of the following:
|
304
|
+
1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
|
305
|
+
|
306
|
+
[id="plugins-{type}s-{plugin}-tls_min_version"]
|
307
|
+
===== `tls_min_version`
|
308
|
+
|
309
|
+
* Value type is <<number,number>>
|
310
|
+
* Default value is `1`
|
311
|
+
|
312
|
+
The minimum TLS version allowed for the encrypted connections. The value must be one of the following:
|
313
|
+
1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2
|
314
|
+
|
315
|
+
|
316
|
+
|
317
|
+
[id="plugins-{type}s-{plugin}-common-options"]
|
318
|
+
include::{include_path}/{type}.asciidoc[]
|
319
|
+
|
320
|
+
:default_codec!:
|
data/docs/index.asciidoc
CHANGED
@@ -92,7 +92,19 @@ This configuration results in daily index names like
|
|
92
92
|
When decoding `beats` events, this plugin adds two fields related to the event: the deprecated `host`
|
93
93
|
which contains the `hostname` provided by beats and the `ip_address` containing the remote address
|
94
94
|
of the client's connection. When <<plugins-{type}s-{plugin}-ecs_compatibility,ECS compatibility mode>> is
|
95
|
-
enabled these are now moved in ECS compatible namespace.
|
95
|
+
enabled these are now moved in ECS compatible namespace. Here's how <<plugins-{type}s-{plugin}-ecs_compatibility,ECS compatibility mode>> affects output.
|
96
|
+
|
97
|
+
[cols="<l,<l,e,<e"]
|
98
|
+
|=======================================================================
|
99
|
+
|ECS disabled |ECS v1 |Availability |Description
|
100
|
+
|
101
|
+
|[host] |[@metadata][input][beats][host][name] |Always |Name or address of the beat host
|
102
|
+
|[@metadata][ip_address] |[@metadata][input][beats][host][ip] |Always |IP address of the Beats client
|
103
|
+
|[@metadata][tls_peer][status] | [@metadata][tls_peer][status] | When SSL related fields are populated | Contains "verified"/"unverified" labels in `disabled`, `true`/`false` in `v1`
|
104
|
+
|[@metadata][tls_peer][protocol] | [@metadata][input][beats][tls][version_protocol] | When SSL status is "verified" | Contains the TLS version used (e.g. `TLSv1.2`)
|
105
|
+
|[@metadata][tls_peer][subject] | [@metadata][input][beats][tls][client][subject] | When SSL status is "verified" | Contains the identity name of the remote end (e.g. `CN=artifacts-no-kpi.elastic.co`)
|
106
|
+
|[@metadata][tls_peer][cipher_suite] | [@metadata][input][beats][tls][cipher] | When SSL status is "verified" | Contains the name of cipher suite used (e.g. `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`)
|
107
|
+
|=======================================================================
|
96
108
|
|
97
109
|
[id="plugins-{type}s-{plugin}-options"]
|
98
110
|
==== Beats Input Configuration Options
|
@@ -164,21 +176,7 @@ Close Idle clients after X seconds of inactivity.
|
|
164
176
|
** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
|
165
177
|
** Otherwise, the default value is `disabled`.
|
166
178
|
|
167
|
-
|
168
|
-
The value of this setting affects the keys for the Beats connection's metadata on the event:
|
169
|
-
|
170
|
-
.Metadata Location by `ecs_compatibility` value
|
171
|
-
[cols="<l,<l,e,<e"]
|
172
|
-
|=======================================================================
|
173
|
-
|`disabled` |`v1` |Availability |Description
|
174
|
-
|
175
|
-
|[host] |[@metadata][input][beats][host][name] |Always |Name or address of the beat host
|
176
|
-
|[@metadata][ip_address] |[@metadata][input][beats][host][ip] |Always |IP address of the Beats client
|
177
|
-
|[@metadata][tls_peer][status] | [@metadata][tls_peer][status] | When SSL related fields are populated | Contains "verified"/"unverified" labels in `disabled`, `true`/`false` in `v1`
|
178
|
-
|[@metadata][tls_peer][protocol] | [@metadata][input][beats][tls][version_protocol] | When SSL status is "verified" | Contains the TLS version used (e.g. `TLSv1.2`)
|
179
|
-
|[@metadata][tls_peer][subject] | [@metadata][input][beats][tls][client][subject] | When SSL status is "verified" | Contains the identity name of the remote end (e.g. `CN=artifacts-no-kpi.elastic.co`)
|
180
|
-
|[@metadata][tls_peer][cipher_suite] | [@metadata][input][beats][tls][cipher] | When SSL status is "verified" | Contains the name of cipher suite used (e.g. `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`)
|
181
|
-
|=======================================================================
|
179
|
+
Refer to <<plugins-{type}s-{plugin}-ecs_metadata,ECS mapping>> for detailed information.
|
182
180
|
|
183
181
|
[id="plugins-{type}s-{plugin}-host"]
|
184
182
|
===== `host`
|
@@ -8,4 +8,4 @@ require_jar('com.fasterxml.jackson.core', 'jackson-annotations', '2.9.10')
|
|
8
8
|
require_jar('com.fasterxml.jackson.core', 'jackson-databind', '2.9.10.4')
|
9
9
|
require_jar('com.fasterxml.jackson.module', 'jackson-module-afterburner', '2.9.10')
|
10
10
|
require_jar('org.apache.logging.log4j', 'log4j-api', '2.11.1')
|
11
|
-
require_jar('org.logstash.beats', 'logstash-input-beats', '6.1.
|
11
|
+
require_jar('org.logstash.beats', 'logstash-input-beats', '6.1.1')
|
@@ -44,7 +44,7 @@ describe LogStash::Inputs::Beats::DecodedEventTransform do
|
|
44
44
|
context "map contains a timestamp" do
|
45
45
|
context "when its valid" do
|
46
46
|
let(:timestamp) { Time.now }
|
47
|
-
let(:map) { super.merge({"@timestamp" => timestamp }) }
|
47
|
+
let(:map) { super().merge({"@timestamp" => timestamp }) }
|
48
48
|
|
49
49
|
it "uses as the event timestamp" do
|
50
50
|
expect(subject.get("@timestamp")).to eq(LogStash::Timestamp.coerce(timestamp))
|
@@ -52,7 +52,7 @@ describe LogStash::Inputs::Beats::DecodedEventTransform do
|
|
52
52
|
end
|
53
53
|
|
54
54
|
context "when its not valid" do
|
55
|
-
let(:map) { super.merge({"@timestamp" => "invalid" }) }
|
55
|
+
let(:map) { super().merge({"@timestamp" => "invalid" }) }
|
56
56
|
|
57
57
|
it "fallback the current time" do
|
58
58
|
expect(subject.get("@timestamp")).to be_kind_of(LogStash::Timestamp)
|
data/spec/inputs/beats_spec.rb
CHANGED
@@ -25,7 +25,7 @@ describe LogStash::Inputs::Beats do
|
|
25
25
|
|
26
26
|
context "#register" do
|
27
27
|
context "host related configuration" do
|
28
|
-
let(:config) { super.merge("host" => host, "port" => port, "client_inactivity_timeout" => client_inactivity_timeout, "executor_threads" => threads) }
|
28
|
+
let(:config) { super().merge("host" => host, "port" => port, "client_inactivity_timeout" => client_inactivity_timeout, "executor_threads" => threads) }
|
29
29
|
let(:host) { "192.168.1.20" }
|
30
30
|
let(:port) { 9000 }
|
31
31
|
let(:client_inactivity_timeout) { 400 }
|
@@ -76,7 +76,7 @@ describe LogStash::Inputs::Beats do
|
|
76
76
|
end
|
77
77
|
|
78
78
|
context "with invalid ciphers" do
|
79
|
-
let(:config) { super.merge("ssl" => true, "cipher_suites" => "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38") }
|
79
|
+
let(:config) { super().merge("ssl" => true, "cipher_suites" => "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38") }
|
80
80
|
|
81
81
|
it "should raise a configuration error" do
|
82
82
|
plugin = LogStash::Inputs::Beats.new(config)
|
@@ -90,7 +90,7 @@ describe LogStash::Inputs::Beats do
|
|
90
90
|
|
91
91
|
context "verify_mode" do
|
92
92
|
context "verify_mode configured to PEER" do
|
93
|
-
let(:config) { super.merge("ssl" => true, "ssl_verify_mode" => "peer") }
|
93
|
+
let(:config) { super().merge("ssl" => true, "ssl_verify_mode" => "peer") }
|
94
94
|
|
95
95
|
it "raise a ConfigurationError when certificate_authorities is not set" do
|
96
96
|
plugin = LogStash::Inputs::Beats.new(config)
|
@@ -105,7 +105,7 @@ describe LogStash::Inputs::Beats do
|
|
105
105
|
end
|
106
106
|
|
107
107
|
context "verify_mode configured to FORCE_PEER" do
|
108
|
-
let(:config) { super.merge("ssl" => true, "ssl_verify_mode" => "force_peer") }
|
108
|
+
let(:config) { super().merge("ssl" => true, "ssl_verify_mode" => "force_peer") }
|
109
109
|
|
110
110
|
it "raise a ConfigurationError when certificate_authorities is not set" do
|
111
111
|
plugin = LogStash::Inputs::Beats.new(config)
|
@@ -154,7 +154,7 @@ describe LogStash::Inputs::Beats do
|
|
154
154
|
let(:codec) { LogStash::Codecs::Multiline.new("pattern" => '^2015',
|
155
155
|
"what" => "previous",
|
156
156
|
"negate" => true) }
|
157
|
-
let(:config) { super.merge({ "codec" => codec }) }
|
157
|
+
let(:config) { super().merge({ "codec" => codec }) }
|
158
158
|
|
159
159
|
it "raise a ConfigurationError when multiline codec is set" do
|
160
160
|
plugin = LogStash::Inputs::Beats.new(config)
|
@@ -86,7 +86,7 @@ describe "Filebeat", :integration => true do
|
|
86
86
|
end
|
87
87
|
|
88
88
|
context "without pipelining" do
|
89
|
-
let(:filebeat_config) { config = super; config["output"]["logstash"]["pipelining"] = 0; config }
|
89
|
+
let(:filebeat_config) { config = super(); config["output"]["logstash"]["pipelining"] = 0; config }
|
90
90
|
include_examples "send events"
|
91
91
|
|
92
92
|
context "with large batches" do
|
@@ -99,7 +99,7 @@ describe "Filebeat", :integration => true do
|
|
99
99
|
context "TLS" do
|
100
100
|
context "Server verification" do
|
101
101
|
let(:filebeat_config) do
|
102
|
-
super.merge({
|
102
|
+
super().merge({
|
103
103
|
"output" => {
|
104
104
|
"logstash" => {
|
105
105
|
"hosts" => ["#{host}:#{port}"],
|
@@ -111,7 +111,7 @@ describe "Filebeat", :integration => true do
|
|
111
111
|
end
|
112
112
|
|
113
113
|
let(:input_config) do
|
114
|
-
super.merge({
|
114
|
+
super().merge({
|
115
115
|
"ssl" => true,
|
116
116
|
"ssl_certificate" => certificate_file,
|
117
117
|
"ssl_key" => certificate_key_file
|
@@ -129,7 +129,7 @@ describe "Filebeat", :integration => true do
|
|
129
129
|
|
130
130
|
context "when specifying a cipher" do
|
131
131
|
let(:filebeat_config) do
|
132
|
-
super.merge({
|
132
|
+
super().merge({
|
133
133
|
"output" => {
|
134
134
|
"logstash" => {
|
135
135
|
"hosts" => ["#{host}:#{port}"],
|
@@ -145,7 +145,7 @@ describe "Filebeat", :integration => true do
|
|
145
145
|
end
|
146
146
|
|
147
147
|
let(:input_config) {
|
148
|
-
super.merge({
|
148
|
+
super().merge({
|
149
149
|
"cipher_suites" => [logstash_cipher],
|
150
150
|
"tls_min_version" => "1.2"
|
151
151
|
})
|
@@ -194,7 +194,7 @@ describe "Filebeat", :integration => true do
|
|
194
194
|
LogStash::Inputs::Beats.new(input_config)
|
195
195
|
}
|
196
196
|
let(:input_config) {
|
197
|
-
super.merge({
|
197
|
+
super().merge({
|
198
198
|
"ssl_key_passphrase" => passphrase,
|
199
199
|
"ssl_key" => certificate_key_file_pkcs8
|
200
200
|
})}
|
@@ -229,7 +229,7 @@ describe "Filebeat", :integration => true do
|
|
229
229
|
|
230
230
|
context "Client verification / Mutual validation" do
|
231
231
|
let(:filebeat_config) do
|
232
|
-
super.merge({
|
232
|
+
super().merge({
|
233
233
|
"output" => {
|
234
234
|
"logstash" => {
|
235
235
|
"hosts" => ["#{host}:#{port}"],
|
@@ -245,7 +245,7 @@ describe "Filebeat", :integration => true do
|
|
245
245
|
end
|
246
246
|
|
247
247
|
let(:input_config) do
|
248
|
-
super.merge({
|
248
|
+
super().merge({
|
249
249
|
"ssl" => true,
|
250
250
|
"ssl_certificate_authorities" => certificate_authorities,
|
251
251
|
"ssl_certificate" => server_certificate_file,
|
@@ -327,7 +327,7 @@ describe "Filebeat", :integration => true do
|
|
327
327
|
|
328
328
|
context "client from secondary CA" do
|
329
329
|
let(:filebeat_config) do
|
330
|
-
super.merge({
|
330
|
+
super().merge({
|
331
331
|
"output" => {
|
332
332
|
"logstash" => {
|
333
333
|
"hosts" => ["#{host}:#{port}"],
|
@@ -74,7 +74,7 @@ describe "Logstash-Forwarder", :integration => true do
|
|
74
74
|
context "TLS" do
|
75
75
|
context "Server Verification" do
|
76
76
|
let(:input_config) do
|
77
|
-
super.merge({
|
77
|
+
super().merge({
|
78
78
|
"ssl" => true,
|
79
79
|
"ssl_certificate" => certificate_file,
|
80
80
|
"ssl_key" => certificate_key_file,
|
@@ -32,12 +32,12 @@ shared_examples "Common Event Transformation" do |ecs_compatibility, host_field_
|
|
32
32
|
end
|
33
33
|
|
34
34
|
context 'when add_hostname is true' do
|
35
|
-
let(:config) { super.merge({'add_hostname' => true, 'ecs_compatibility' => ecs_compatibility})}
|
35
|
+
let(:config) { super().merge({'add_hostname' => true, 'ecs_compatibility' => ecs_compatibility})}
|
36
36
|
|
37
37
|
context 'when a host is provided in beat.host.name' do
|
38
38
|
let(:already_exist) { "already_exist" }
|
39
39
|
let(:producer_host) { "newhost01" }
|
40
|
-
let(:event_map) { super.merge({ "beat" => { "host" => {"name" => producer_host }}}) }
|
40
|
+
let(:event_map) { super().merge({ "beat" => { "host" => {"name" => producer_host }}}) }
|
41
41
|
|
42
42
|
context "when no `host` key already exists on the event" do
|
43
43
|
it "does not set the host value" do
|
@@ -47,7 +47,7 @@ shared_examples "Common Event Transformation" do |ecs_compatibility, host_field_
|
|
47
47
|
|
48
48
|
context "when `host` key exists on the event" do
|
49
49
|
let(:already_exist) { "already_exist" }
|
50
|
-
let(:event_map) { super.merge({ "host" => already_exist }) }
|
50
|
+
let(:event_map) { super().merge({ "host" => already_exist }) }
|
51
51
|
|
52
52
|
it "doesn't override it" do
|
53
53
|
expect(subject.get("host")).to eq(already_exist)
|
@@ -57,7 +57,7 @@ shared_examples "Common Event Transformation" do |ecs_compatibility, host_field_
|
|
57
57
|
|
58
58
|
context "when a host is set in `beat.hostname`" do
|
59
59
|
let(:producer_host) { "newhost01" }
|
60
|
-
let(:event_map) { super.merge({ "beat" => { "hostname" => producer_host }}) }
|
60
|
+
let(:event_map) { super().merge({ "beat" => { "hostname" => producer_host }}) }
|
61
61
|
|
62
62
|
context "when no `#{host_field_name}` key already exists on the event" do
|
63
63
|
it "copies the value in `beat.hostname` to `#{host_field_name}`" do
|
@@ -67,7 +67,7 @@ shared_examples "Common Event Transformation" do |ecs_compatibility, host_field_
|
|
67
67
|
|
68
68
|
context "when `#{host_field_name}` key exists on the event" do
|
69
69
|
let(:already_exist) { "already_exist" }
|
70
|
-
let(:event_map) { super.merge(key_as_nested_maps(host_field_name, already_exist)) }
|
70
|
+
let(:event_map) { super().merge(key_as_nested_maps(host_field_name, already_exist)) }
|
71
71
|
|
72
72
|
it "doesn't override it" do
|
73
73
|
expect(subject.get(host_field_name)).to eq(already_exist)
|
@@ -84,7 +84,7 @@ shared_examples "Common Event Transformation" do |ecs_compatibility, host_field_
|
|
84
84
|
|
85
85
|
context "when `#{host_field_name}` key already exists on the event" do
|
86
86
|
let(:already_exist) { "already_exist" }
|
87
|
-
let(:event_map) { super.merge(key_as_nested_maps(host_field_name, already_exist)) }
|
87
|
+
let(:event_map) { super().merge(key_as_nested_maps(host_field_name, already_exist)) }
|
88
88
|
|
89
89
|
it "doesn't override it" do
|
90
90
|
expect(subject.get(host_field_name)).to eq(already_exist)
|
@@ -94,12 +94,12 @@ shared_examples "Common Event Transformation" do |ecs_compatibility, host_field_
|
|
94
94
|
end
|
95
95
|
|
96
96
|
context 'when add hostname is false' do
|
97
|
-
let(:config) { super.merge({'add_hostname' => false})}
|
97
|
+
let(:config) { super().merge({'add_hostname' => false})}
|
98
98
|
|
99
99
|
context 'when a host is provided in beat.host.name' do
|
100
100
|
let(:already_exist) { "already_exist" }
|
101
101
|
let(:producer_host) { "newhost01" }
|
102
|
-
let(:event_map) { super.merge({ "beat" => { "host" => {"name" => producer_host }}}) }
|
102
|
+
let(:event_map) { super().merge({ "beat" => { "host" => {"name" => producer_host }}}) }
|
103
103
|
|
104
104
|
context "when no `#{host_field_name}` key already exists on the event" do
|
105
105
|
it "does not set the host" do
|
@@ -109,7 +109,7 @@ shared_examples "Common Event Transformation" do |ecs_compatibility, host_field_
|
|
109
109
|
|
110
110
|
context "when `#{host_field_name}` key already exists on the event" do
|
111
111
|
let(:already_exist) { "already_exist" }
|
112
|
-
let(:event_map) { super.merge(key_as_nested_maps(host_field_name, already_exist)) }
|
112
|
+
let(:event_map) { super().merge(key_as_nested_maps(host_field_name, already_exist)) }
|
113
113
|
|
114
114
|
it "doesn't override it" do
|
115
115
|
expect(subject.get(host_field_name)).to eq(already_exist)
|
@@ -119,7 +119,7 @@ shared_examples "Common Event Transformation" do |ecs_compatibility, host_field_
|
|
119
119
|
|
120
120
|
context "when a host is provided in `beat.hostname`" do
|
121
121
|
let(:producer_host) { "newhost01" }
|
122
|
-
let(:event_map) { super.merge({ "beat" => { "hostname" => producer_host }}) }
|
122
|
+
let(:event_map) { super().merge({ "beat" => { "hostname" => producer_host }}) }
|
123
123
|
|
124
124
|
context "when no `#{host_field_name}` key already exists on the event" do
|
125
125
|
it "does not set the host" do
|
@@ -129,7 +129,7 @@ shared_examples "Common Event Transformation" do |ecs_compatibility, host_field_
|
|
129
129
|
|
130
130
|
context "when `host` key already exists on the event" do
|
131
131
|
let(:already_exist) { "already_exist" }
|
132
|
-
let(:event_map) { super.merge(key_as_nested_maps(host_field_name, already_exist)) }
|
132
|
+
let(:event_map) { super().merge(key_as_nested_maps(host_field_name, already_exist)) }
|
133
133
|
|
134
134
|
it "doesn't override it" do
|
135
135
|
expect(subject.get(host_field_name)).to eq(already_exist)
|
@@ -146,7 +146,7 @@ shared_examples "Common Event Transformation" do |ecs_compatibility, host_field_
|
|
146
146
|
|
147
147
|
context "when `#{host_field_name}` key already exists on the event" do
|
148
148
|
let(:already_exist) { "already_exist" }
|
149
|
-
let(:event_map) { super.merge(key_as_nested_maps(host_field_name, already_exist)) }
|
149
|
+
let(:event_map) { super().merge(key_as_nested_maps(host_field_name, already_exist)) }
|
150
150
|
|
151
151
|
it "doesn't override it" do
|
152
152
|
expect(subject.get(host_field_name)).to eq(already_exist)
|
Binary file
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-input-beats
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 6.1.
|
4
|
+
version: 6.1.1
|
5
5
|
platform: java
|
6
6
|
authors:
|
7
7
|
- Elastic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-03-30 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
@@ -248,6 +248,7 @@ files:
|
|
248
248
|
- PROTOCOL.md
|
249
249
|
- README.md
|
250
250
|
- VERSION
|
251
|
+
- docs/agent.asciidoc
|
251
252
|
- docs/index.asciidoc
|
252
253
|
- lib/logstash-input-beats_jars.rb
|
253
254
|
- lib/logstash/inputs/beats.rb
|
@@ -285,7 +286,7 @@ files:
|
|
285
286
|
- vendor/jar-dependencies/io/netty/netty-all/4.1.49.Final/netty-all-4.1.49.Final.jar
|
286
287
|
- vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.11.1/log4j-api-2.11.1.jar
|
287
288
|
- vendor/jar-dependencies/org/javassist/javassist/3.24.0-GA/javassist-3.24.0-GA.jar
|
288
|
-
- vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/6.1.
|
289
|
+
- vendor/jar-dependencies/org/logstash/beats/logstash-input-beats/6.1.1/logstash-input-beats-6.1.1.jar
|
289
290
|
homepage: http://www.elastic.co/guide/en/logstash/current/index.html
|
290
291
|
licenses:
|
291
292
|
- Apache License (2.0)
|