From 3e2ce661f01545daeb311d671bf222d378729bca Mon Sep 17 00:00:00 2001
From: Naix <20989997+GhostNaix@users.noreply.github.com>
Date: Sun, 6 Oct 2024 20:09:54 +1100
Subject: Added Filebeat Configuration (#44)

Added Filebeat Configuration

Co-authored-by: Toni
---
 examples/README.md | 5 +++++
 examples/yaml-filebeat/filebeat.yml | 28 ++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 examples/yaml-filebeat/filebeat.yml
(limited to 'examples')
diff --git a/examples/README.md b/examples/README.md
index 52fd6e090..524fa489d 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -92,3 +92,8 @@ Required by `tests/run_tests.sh`
 Validate nDPId JSON messages against internal event semantics. Required by `tests/run_tests.sh`
+
+## yaml-filebeat
+An example filebeat configuration to parse and send nDPId JSON
+messages to Elasticsearch. Allowing long term storage and data visualization with kibana
+and various other tools that interact with Elasticsearch (No logstash required).
\ No newline at end of file
diff --git a/examples/yaml-filebeat/filebeat.yml b/examples/yaml-filebeat/filebeat.yml
new file mode 100644
index 000000000..c8428258b
--- /dev/null
+++ b/examples/yaml-filebeat/filebeat.yml
@@ -0,0 +1,28 @@
+filebeat.inputs:
+- type: unix
+ id: "NDPId-logs" # replace this index to your preference
+ max_message_size: 100MiB
+ index: "index-name" # Replace this with your desired index name in Elasticsearch
+ enabled: true
+ path: "/var/run/nDPId.sock" # point nDPId to this Unix Socket (Collector)
+ processors:
+ - script: # execute javascript to remove the first 5-digit-number and also the Newline at the end
+ lang: javascript
+ id: trim
+ source: >
+ function process(event) {
+ event.Put("message", event.Get("message").trim().slice(5));
+ }
+ - decode_json_fields: # Decode the Json output
+ fields: ["message"]
+ process_array: true
+ max_depth: 10
+ target: ""
+ overwrite_keys: true
+ add_error_key: false
+ - drop_fields: # Deletes the Message field, which is the undecoded json (You may comment this out if you need the original message)
+ fields: ["message"]
+ - rename:
+ fields:
+ - from: "source" # Prevents a conflict in Elasticsearch and renames the field
+ to: "Source_Interface"
\ No newline at end of file
-- cgit v1.2.3
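Review bot: A message that fails the `trim().slice(5)` then `decode_json_fields` path is shipped with its content silently erased: `add_error_key: false` suppresses the error field that would record the decode failure, and the following `drop_fields` then removes the undecoded `message`, so a line shorter than five bytes or one that is not valid JSON after the prefix is stripped reaches Elasticsearch as an event with no payload and no hint that anything went wrong. For telemetry that may later be relied on in an investigation, set `add_error_key: true` so such failures are visible and countable (the comment on `drop_fields` already hints at keeping `message` for debugging). The comment on `id: "NDPId-logs"` says "replace this index", but `id` is the input identifier, not the index — the index is the `index:` key two lines below — so reword it to `# unique identifier for this input`. The unix input sets neither `group:` nor `mode:`, so who may connect to `/var/run/nDPId.sock` is whatever Filebeat's default socket permissions allow; if nDPId is run as an unprivileged user, grant that user access explicitly (e.g. `group: <ndpid-group>` and `mode: "0660"`) rather than loosening the socket for everyone, and check whether a 100MiB per-message buffer (`max_message_size`) is actually required for nDPId's output, which I cannot tell from this hunk. The `rename` processor is also left at its defaults (`ignore_missing: false`, `fail_on_error: true`), so any event without a top-level `source` field logs an error and keeps its original fields; if not every nDPId event type carries `source`, add `ignore_missing: true` under `rename:`.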