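# Filebeat input that receives nDPId's JSON events over a Unix socket,
# decodes them, and ships the decoded keys as top-level event fields.
filebeat.inputs:
- type: unix
  id: "NDPId-logs" # Replace this input id to your preference
  # Upper bound on a single message read from the socket. Any process that
  # can write to the socket can make Filebeat buffer up to this much per
  # message, so consider lowering it to the largest event nDPId is expected
  # to emit.
  max_message_size: 100MiB
  index: "index-name" # Replace this with your desired index name in Elasticsearch
  enabled: true
  # Point nDPId to this Unix socket (collector). The processors below trust
  # whatever is written here, so restrict who can connect, e.g. with this
  # input's `mode` and `group` options or the parent directory's permissions.
  path: "/var/run/nDPId.sock"
  processors:
    # Execute JavaScript to strip surrounding whitespace (including the
    # newline at the end) and remove the leading 5-digit number. slice(5)
    # drops the first five characters unconditionally; it does not check
    # that they are digits.
    - script:
        lang: javascript
        id: trim
        source: >
          function process(event) {
            event.Put("message", event.Get("message").trim().slice(5));
          }
    # Decode the JSON output. `target: ""` merges the decoded keys into the
    # event root, and `overwrite_keys: true` lets them replace fields that
    # already exist on the event, so the socket writer controls top-level
    # field values. With `add_error_key: false` a message that fails to
    # decode leaves no error on the event.
    - decode_json_fields:
        fields: ["message"]
        process_array: true
        max_depth: 10
        target: ""
        overwrite_keys: true
        add_error_key: false
    # Deletes the message field, which is the undecoded JSON (you may comment
    # this out if you need the original message). This runs for every event,
    # so a message that failed to decode loses its raw content as well.
    - drop_fields:
        fields: ["message"]
    # Renames the decoded "source" field to prevent a conflict in
    # Elasticsearch.
    - rename:
        fields:
          - from: "source"
            to: "Source_Interface"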