Step 2: Configure Functionbeat

Before deploying Functionbeat to your cloud provider, you need to specify details about the cloud functions that you want to deploy, including the function name and type, and the triggers that will cause the function to execute. You also need to specify connection details for your Elasticsearch cluster.

You specify settings in the functionbeat.yml configuration file. This file is located in the archive that you extracted earlier.

See the Config File Format section of the Beats Platform Reference for more about the structure of the config file.

  1. Configure the functions that you want to deploy. The configuration settings vary depending on the type of function and cloud provider you’re using. This section provides a couple of example configurations.

    • AWS example: This example configures a function called cloudwatch that collects events from CloudWatch Logs. When a message is sent to the specified log group, the cloud function executes and sends message events to the configured output:

      functionbeat.provider.aws.endpoint: "s3.amazonaws.com"
      functionbeat.provider.aws.deploy_bucket: "functionbeat-deploy" 
      functionbeat.provider.aws.functions:
        - name: cloudwatch 
          enabled: true
          type: cloudwatch_logs
          description: "lambda function for cloudwatch logs"
          triggers:
            - log_group_name: /aws/lambda/my-lambda-function

      A unique name for the S3 bucket to which the functions will be uploaded.

      Details about the function you want to deploy, including the name of the function, the type of service to monitor, and the log groups that trigger the function.

      See AWS functions for more examples.

    • Google cloud example: This example configures a function called storage that collects log events from Google Cloud Storage. When the specified event type occurs on the Cloud Storage bucket, the cloud function executes and sends events to the configured output:

      functionbeat.provider.gcp.location_id: "europe-west2"
      functionbeat.provider.gcp.project_id: "my-project-123456"
      functionbeat.provider.gcp.storage_name: "functionbeat-deploy" 
      functionbeat.provider.gcp.functions:
        - name: storage 
          enabled: true
          type: storage
          description: "Google Cloud Function for Cloud Storage"
          trigger:
            resource: "projects/my-project/buckets/my-storage"
            event_type: "google.storage.object.finalize"

      The name of the GCP storage bucket where the function artifacts will be deployed.

      Details about the function you want to deploy, including the name of the function, the type of resource to monitor, and the resource event that triggers the function.

      See Google functions for more examples.

  2. Configure the output. Functionbeat supports a variety of outputs, but typically you’ll either send events directly to Elasticsearch, or to Logstash for additional processing.

    To send output directly to Elasticsearch (without using Logstash), set the location of the Elasticsearch installation:

    • If you’re running our hosted Elasticsearch Service on Elastic Cloud, specify your Cloud ID. For example:

      cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
    • If you’re running Elasticsearch on your own hardware, set the host and port where Functionbeat can find the Elasticsearch installation. For example:

      output.elasticsearch:
        hosts: ["myEShost:9200"]

      To send output to Logstash, Configure the Logstash output instead. For all other outputs, see Output.

  3. If Elasticsearch and Kibana are secured, set credentials in the functionbeat.yml config file before you run the commands that set up and start Functionbeat.

    • If you’re running our hosted Elasticsearch Service on Elastic Cloud, specify your cloud auth credentials. For example:

      cloud.auth: "elastic:YOUR_PASSWORD"
    • If you’re running Elasticsearch on your own hardware, specify your Elasticsearch and Kibana credentials:

      output.elasticsearch:
        hosts: ["myEShost:9200"]
        username: "filebeat_internal"
        password: "YOUR_PASSWORD" 
      setup.kibana:
        host: "mykibanahost:5601"
        username: "my_kibana_user"  
        password: "YOUR_PASSWORD"

      This examples shows a hard-coded password, but you should store sensitive values in environment variables.

      The username and password settings for Kibana are optional. If you don’t specify credentials for Kibana, Functionbeat uses the username and password specified for the Elasticsearch output.

      To use the pre-built Kibana dashboards, this user must have the kibana_user built-in role or equivalent privileges.

      For more information, see Secure.

To test your configuration file, change to the directory where the Functionbeat binary is installed, and run Functionbeat in the foreground with the following options specified: ./functionbeat test config -e. Make sure your config files are in the path expected by Functionbeat (see Directory layout), or use the -c flag to specify the path to the config file.

For more information about configuring Functionbeat, see Configure.