• Filebeat Reference: 8.19other versionsother versions: 8.198.188.178.168.158.148.138.128.118.108.98.88.78.68.58.48.38.28.18.07.177.167.157.147.137.127.117.107.97.87.77.67.57.47.37.27.17.06.86.76.66.56.46.36.26.16.05.65.55.45.35.25.15.01.31.21.11.0.1
• Filebeat overview
• Quick start: installation and configuration
• Set up and run
  • Directory layout
  • Secrets keystore
  • Command reference
  • Repositories for APT and YUM
  • Run Filebeat on Docker
  • Run Filebeat on Kubernetes
  • Run Filebeat on Cloud Foundry
  • Filebeat and systemd
  • Start Filebeat
  • Windows Installation Script
  • Stop Filebeat
• Upgrade
• How Filebeat works
• Configure
  • Inputs
    • Multiline messages
    • AWS CloudWatch
    • AWS S3
    • Azure Event Hub
  • Example configurations
    • Connection string authentication (processor v1)
    • Connection string authentication (processor v2)
    • Client secret authentication (processor v2)
  • Authentication
    • Authentication types
    • Required permissions
  • Configuration options
    • eventhub
    • consumer_group
    • auth_type
    • connection_string
    • eventhub_namespace
    • tenant_id
    • client_id
    • client_secret
    • authority_host
    • Azure Blob Storage
    • Benchmark
    • CEL
    • Cloud Foundry
    • CometD
    • Container
    • Entity Analytics
    • ETW
    • filestream
    • GCP Pub/Sub
    • Google Cloud Storage
    • HTTP Endpoint
    • HTTP JSON
    • journald
    • Kafka
    • Log
    • MQTT
    • NetFlow
    • Office 365 Management Activity API
    • Redis
    • Salesforce
    • Stdin
    • Streaming
    • Syslog
    • TCP
    • UDP
    • Unified Logs
    • Unix
    • winlog
  • Modules
    • Override input settings
  • General settings
  • Project paths
  • Config file loading
    • Live reloading
  • Output
    • Elasticsearch Service
    • Elasticsearch
    • Logstash
    • Kafka
    • Redis
    • File
    • Console
    • Discard
    • Change the output codec
  • Kerberos
  • SSL
  • Index lifecycle management (ILM)
  • Elasticsearch index template
  • Kibana endpoint
  • Kibana dashboards
  • Processors
    • Define processors
    • add_cloud_metadata
    • add_cloudfoundry_metadata
    • add_docker_metadata
    • add_fields
    • add_host_metadata
    • add_id
    • add_kubernetes_metadata
    • add_labels
    • add_locale
    • add_network_direction
    • add_nomad_metadata
    • add_observer_metadata
    • add_process_metadata
    • add_tags
    • append
    • cache
    • community_id
    • convert
    • copy_fields
    • decode_base64_field
    • decode_cef
    • decode_csv_fields
    • decode_duration
    • decode_json_fields
    • decode_xml
    • decode_xml_wineventlog
    • decompress_gzip_field
    • detect_mime_type
    • dissect
    • dns
    • drop_event
    • drop_fields
    • extract_array
    • fingerprint
    • include_fields
    • move_fields
    • parse_aws_vpc_flow_log
    • rate_limit
    • registered_domain
    • rename
    • replace
    • script
    • syslog
    • timestamp
    • translate_ldap_attribute
    • translate_sid
    • truncate_fields
    • urldecode
  • Autodiscover
    • Hints based autodiscover
    • Advanced usage
  • Internal queue
  • Logging
  • HTTP endpoint
  • Regular expression support
  • Instrumentation
  • Feature flags
  • filebeat.reference.yml
• How to guides
  • Override configuration settings
  • Load the Elasticsearch index template
  • Change the index name
  • Load Kibana dashboards
  • Load ingest pipelines
  • Enrich events with geoIP information
  • Deduplicate data
  • Parse data using an ingest pipeline
  • Use environment variables in the configuration
  • Avoid YAML formatting problems
  • Migrate log input configurations to filestream
    • Step 1: Set an identifier for each filestream input
    • Step 2: Enable the take over mode
    • Step 3: Use new option names
    • Step 4
    • If something went wrong
    • Debugging on Kibana
  • Migrating from a Deprecated Filebeat Module
• Modules
  • Modules overview
  • ActiveMQ module
  • Apache module
  • Auditd module
  • AWS module
  • AWS Fargate module
  • Azure module
  • CEF module
  • Check Point module
  • Cisco module
  • CoreDNS module
  • CrowdStrike module
  • Cyberark PAS module
  • Elasticsearch module
  • Envoyproxy Module
  • Fortinet module
  • Google Cloud module
  • Google Workspace module
  • HAproxy module
  • IBM MQ module
  • Icinga module
  • IIS module
  • Iptables module
  • Juniper module
  • Kafka module
  • Kibana module
  • Logstash module
  • Microsoft module
  • MISP module
  • MongoDB module
  • MSSQL module
  • MySQL module
  • MySQL Enterprise module
  • NATS module
  • NetFlow module
  • Nginx module
  • Office 365 module
  • Okta module
  • Oracle module
  • Osquery module
  • Palo Alto Networks module
  • pensando module
  • PostgreSQL module
  • RabbitMQ module
  • Redis module
  • Salesforce module
    • Set up the OAuth App in the Salesforce
  • Santa module
  • Snyk module
  • Sophos module
  • Suricata module
  • System module
  • Threat Intel module
  • Traefik module
  • Zeek (Bro) Module
  • ZooKeeper module
  • Zoom module
• Exported fields
  • ActiveMQ fields
  • Apache fields
  • Auditd fields
  • AWS fields
  • AWS CloudWatch fields
  • AWS Fargate fields
  • Azure fields
  • Beat fields
  • Decode CEF processor fields fields
  • CEF fields
  • Checkpoint fields
  • Cisco fields
  • Cloud provider metadata fields
  • Coredns fields
  • Crowdstrike fields
  • CyberArk PAS fields
  • Docker fields
  • ECS fields
  • Elasticsearch fields
  • Envoyproxy fields
  • Fortinet fields
  • Google Cloud Platform (GCP) fields
  • google_workspace fields
  • HAProxy fields
  • Host fields
  • ibmmq fields
  • Icinga fields
  • IIS fields
  • iptables fields
  • Jolokia Discovery autodiscover provider fields
  • Juniper JUNOS fields
  • Kafka fields
  • kibana fields
  • Kubernetes fields
  • Log file content fields
  • logstash fields
  • Lumberjack fields
  • Microsoft fields
  • MISP fields
  • mongodb fields
  • mssql fields
  • MySQL fields
  • MySQL Enterprise fields
  • NATS fields
  • NetFlow fields
  • Nginx fields
  • Office 365 fields
  • Okta fields
  • Oracle fields
  • Osquery fields
  • panw fields
  • Pensando fields
  • PostgreSQL fields
  • Process fields
  • RabbitMQ fields
  • Redis fields
  • s3 fields
  • Salesforce fields
  • Google Santa fields
  • Snyk fields
  • sophos fields
  • Suricata fields
  • System fields
  • threatintel fields
  • Traefik fields
  • Windows ETW fields
  • Zeek fields
  • ZooKeeper fields
  • Zoom fields
• Monitor
  • Use internal collection
    • Settings for internal collection
  • Use Metricbeat collection
• Secure
  • Grant users access to secured resources
    • Create a setup user
    • Create a monitoring user
    • Create a publishing user
    • Create a reader user
    • Learn more about privileges, roles, and users
  • Grant access using API keys
  • Secure communication with Elasticsearch
  • Secure communication with Logstash
  • Use Linux Secure Computing Mode (seccomp)
• Troubleshoot
  • Get help
  • Debug
  • Understand logged metrics
  • Common problems
    • Error extracting container id while using Kubernetes metadata
    • Can’t read log files from network volumes
    • Filebeat isn’t collecting lines from a file
    • Too many open file handlers
    • Registry file is too large
    • Inode reuse causes Filebeat to skip lines
    • Log rotation results in lost or duplicate events
    • Open file handlers cause issues with Windows file rotation
    • Filebeat is using too much CPU
    • Dashboard in Kibana is breaking up data fields incorrectly
    • Fields are not indexed or usable in Kibana visualizations
    • Filebeat isn’t shipping the last line of a file
    • Filebeat keeps open file handlers of deleted files for a long time
    • Filebeat uses too much bandwidth
    • Error loading config file
    • Found unexpected or unknown characters
    • Logstash connection doesn’t work
    • Publishing to Logstash fails with "connection reset by peer" message
    • @metadata is missing in Logstash
    • Not sure whether to use Logstash or Beats
    • SSL client fails to connect to Logstash
    • Monitoring UI shows fewer Beats than expected
    • Dashboard could not locate the index-pattern
    • High RSS memory usage due to MADV settings
• Contribute to Beats