Step 2: Configure Functionbeatedit

Before deploying Functionbeat to your cloud provider, you need to specify details about the cloud functions that you want to deploy, including the function name and type, and the triggers that will cause the function to execute. You also need to specify connection details for your Elasticsearch cluster.

You specify settings in the functionbeat.yml configuration file. This file is located in the archive that you extracted earlier.

See the Config File Format section of the Beats Platform Reference for more about the structure of the config file.

The following example configures a function called cloudwatch that collects events from CloudWatch Logs and forwards the events to Elasticsearch.

functionbeat.provider.aws.endpoint: "s3.amazonaws.com"
functionbeat.provider.aws.deploy_bucket: "functionbeat-deploy"
functionbeat.provider.aws.functions:
  - name: cloudwatch
    enabled: true
    type: cloudwatch_logs
    description: "lambda function for cloudwatch logs"
    triggers:
      - log_group_name: /aws/lambda/my-lambda-function
cloud.id: "MyESDeployment:SomeLongString=="
cloud.auth: "elastic:SomeLongString"

To configure Functionbeat:

  1. Specify a unique name for the S3 bucket to which the functions will be uploaded. For example:

    functionbeat.provider.aws.deploy_bucket: "functionbeat-deploy"
  2. Define the functions that you want to deploy. Define a function for each service you want to monitor. For each function, you must specify:

    name

    A unique name for the Lambda function.

    type

    The type of service to monitor. For this release, the supported types are:

    • cloudwatch_logs to collect data from CloudWatch logs
    • sqs to collect messages from Amazon Simple Queue Service (SQS)
    • kinesis to collect data from Kinesis data streams

    triggers

    The triggers that will cause the function to execute. If type is cloudwatch_logs logs, specify a list of log groups. If type is sqs or kinesis, specify a list of Amazon Resource Names (ARNs).

    When a message is sent to the specified log group or queue, the cloud function executes and sends message events to the output configured for Functionbeat.

    The following example configures a function called sqs that collects data from Amazon SQS:

    - name: sqs
      enabled: true
      type: sqs
      triggers:
        - event_source_arn: arn:aws:sqs:us-east-1:123456789012:myevents
  3. Configure the output. Functionbeat supports a variety of outputs, but typically you’ll either send events directly to Elasticsearch, or to Logstash for additional processing.

    To send output directly to Elasticsearch (without using Logstash), set the location of the Elasticsearch installation:

    • If you’re running our hosted Elasticsearch Service on Elastic Cloud, specify your Cloud ID. For example:

      cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
    • If you’re running Elasticsearch on your own hardware, set the host and port where Functionbeat can find the Elasticsearch installation. For example:

      output.elasticsearch:
        hosts: ["myEShost:9200"]

      To send output to Logstash, Configure the Logstash output instead. For all other outputs, see Configure the output.

  4. If Elasticsearch and Kibana are secured, set credentials in the functionbeat.yml config file before you run the commands that set up and start Functionbeat.

    • If you’re running our hosted Elasticsearch Service on Elastic Cloud, specify your cloud auth credentials. For example:

      cloud.auth: "elastic:YOUR_PASSWORD"
    • If you’re running Elasticsearch on your own hardware, specify your Elasticsearch and Kibana credentials:

      output.elasticsearch:
        hosts: ["myEShost:9200"]
        username: "filebeat_internal"
        password: "YOUR_PASSWORD" 
      setup.kibana:
        host: "mykibanahost:5601"
        username: "my_kibana_user"  
        password: "YOUR_PASSWORD"

      This examples shows a hard-coded password, but you should store sensitive values in the secrets keystore.

      The username and password settings for Kibana are optional. If you don’t specify credentials for Kibana, Functionbeat uses the username and password specified for the Elasticsearch output.

      To use the pre-built Kibana dashboards, this user must have the kibana_user built-in role or equivalent privileges.

      For more information, see Securing Functionbeat.

To test your configuration file, change to the directory where the Functionbeat binary is installed, and run Functionbeat in the foreground with the following options specified: ./functionbeat test config -e. Make sure your config files are in the path expected by Functionbeat (see Directory layout), or use the -c flag to specify the path to the config file.

For more information about configuring Functionbeat, see Configuring Functionbeat.