Step 2: Configure Functionbeatedit

Before deploying Functionbeat to your serverless environment, you need to specify details about the functions that you want to deploy, including the function name, type, and triggers that will cause the function to execute. You also need to specify connection details for your Elasticsearch cluster.

You specify settings in the functionbeat.yml configuration file. This file is located in the archive that you extracted earlier.

Tip

See the Config File Format section of the Beats Platform Reference for more about the structure of the config file.

The following example configures a function called cloudwatch that collects events from CloudWatch Logs and forwards the events to Elasticsearch.

functionbeat.provider.aws.deploy_bucket: "functionbeat-deploy"
functionbeat.provider.aws.functions:
  - name: cloudwatch
    enabled: true
    type: cloudwatch_logs
    description: "lambda function for cloudwatch logs"
    triggers:
      - log_group_name: /aws/lambda/my-lambda-function
output.elasticsearch:
  cloud.id: "MyESDeployment:SomeLongString=="
  cloud.auth: "elastic:SomeLongString"

To configure Functionbeat:

  1. Specify a unique name for the S3 bucket to which the functions will be uploaded. For example:

    functionbeat.provider.aws.deploy_bucket: "functionbeat-deploy"
  2. Define the functions that want to deploy. For each function, you must specify:

    name

    A unique name for the Lambda function.

    type

    The type of service to monitor. For this release, the supported types are:

    • cloudwatch_logs to collect data from CloudWatch logs
    • sqs to collect messages from Amazon Simple Queue Service (SQS)

    triggers

    The triggers that will cause the function to execute. If type is cloudwatch_logs logs, specify a list of log groups. If type is sqs, specify a list of Amazon Resource Names (ARNs).

    When a message is sent to the specified log group or queue, the Lambda function executes and sends message events to the output configured for Functionbeat.

    The following example configures a function called sqs that collects data from Amazon SQS:

    - name: sqs
      enabled: true
      type: sqs
      triggers:
        - event_source_arn: arn:aws:sqs:us-east-1:123456789012:myevents
  3. Configure the Elasticsearch output by setting the location of the Elasticsearch installation:

    • If you’re running our hosted Elasticsearch Service on Elastic Cloud, specify your Cloud ID. For example:

      cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
    • If you’re running Elasticsearch on your own hardware, set the host and port where Functionbeat can find the Elasticsearch installation. For example:

      output.elasticsearch:
        hosts: ["myEShost:9200"]

    Elasticsearch is currently the only output supported by Functionbeat.

  4. If Elasticsearch and Kibana are secured, set credentials in the functionbeat.yml config file before you run the commands that set up and start Functionbeat.

    • If you’re running our hosted Elasticsearch Service on Elastic Cloud, specify your cloud auth credentials. For example:

      cloud.auth: "elastic:YOUR_PASSWORD"
    • If you’re running Elasticsearch on your own hardware, specify your Elasticsearch and Kibana credentials:

      output.elasticsearch:
        hosts: ["myEShost:9200"]
        username: "filebeat_internal"
        password: "YOUR_PASSWORD" 
      setup.kibana:
        host: "mykibanahost:5601"
        username: "my_kibana_user"  
        password: "YOUR_PASSWORD"

      This examples shows a hard-coded password, but you should store sensitive values in the secrets keystore.

      The username and password settings for Kibana are optional. If you don’t specify credentials for Kibana, Functionbeat uses the username and password specified for the Elasticsearch output.

      To use the pre-built Kibana dashboards, this user must have the kibana_user built-in role or equivalent privileges.

      For more information, see Securing Functionbeat.

Before starting Functionbeat, you should look at the configuration options in the configuration file. For more information about these options, see Configuring Functionbeat.