author | Naix <20989997+GhostNaix@users.noreply.github.com> | 2024-10-06 20:09:54 +1100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-10-06 11:09:54 +0200 |
commit | 3e2ce661f01545daeb311d671bf222d378729bca (patch) | |
tree | 0ce8fe6ff0c13ad243be6a530070d7300c49afbe | |
parent | 76e1ea05987aaf49329e259a121e90fb1b890051 (diff) |
Added Filebeat Configuration (#44)
Added Filebeat Configuration
Co-authored-by: Toni <matzeton@googlemail.com>
-rw-r--r-- | examples/README.md | 5 | ||||
-rw-r--r-- | examples/yaml-filebeat/filebeat.yml | 28 |
2 files changed, 33 insertions, 0 deletions
diff --git a/examples/README.md b/examples/README.md
index 52fd6e090..524fa489d 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -92,3 +92,8 @@ Required by `tests/run_tests.sh` Validate nDPId JSON messages against internal event semantics. Required by `tests/run_tests.sh`
+
+## yaml-filebeat
+An example filebeat configuration to parse and send nDPId JSON
+messages to Elasticsearch. Allowing long term storage and data visualization with kibana
+and various other tools that interact with Elasticsearch (No logstash required).
\ No newline at end of file
diff --git a/examples/yaml-filebeat/filebeat.yml b/examples/yaml-filebeat/filebeat.yml
new file mode 100644
index 000000000..c8428258b
--- /dev/null
+++ b/examples/yaml-filebeat/filebeat.yml
@@ -0,0 +1,28 @@
+filebeat.inputs:
+- type: unix
+ id: "NDPId-logs" # replace this index to your preference
+ max_message_size: 100MiB
+ index: "index-name" # Replace this with your desired index name in Elasticsearch
+ enabled: true
+ path: "/var/run/nDPId.sock" # point nDPId to this Unix Socket (Collector)
+ processors:
+ - script: # execute javascript to remove the first 5-digit-number and also the Newline at the end
+ lang: javascript
+ id: trim
+ source: >
+ function process(event) {
+ event.Put("message", event.Get("message").trim().slice(5));
+ }
+ - decode_json_fields: # Decode the Json output
+ fields: ["message"]
+ process_array: true
+ max_depth: 10
+ target: ""
+ overwrite_keys: true
+ add_error_key: false
+ - drop_fields: # Deletes the Message field, which is the undecoded json (You may comment this out if you need the original message)
+ fields: ["message"]
+ - rename:
+ fields:
+ - from: "source" # Prevents a conflict in Elasticsearch and renames the field
+ to: "Source_Interface"
\ No newline at end of file |
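Review bot: The unix input at `path: "/var/run/nDPId.sock"` sets no socket permissions, so any local account that can open the socket Filebeat creates can feed arbitrary JSON into `index-name`; recent Filebeat unix inputs accept `mode: "0660"` and `group: "<collector-group, placeholder>"` next to `path:`, and adding them (where the deployed Filebeat version supports them) limits writers to the nDPId collector. With `add_error_key: false` followed by `drop_fields` on `message`, a message that does not decode as JSON ends up as an empty event with no trace of why, so `add_error_key: true` is the safer default for spotting truncated or malformed input. The comment on `id: "NDPId-logs"` talks about an index, but this key is the input id, not the Elasticsearch index set two lines below; `# unique id of this input` would match the key.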