Redis Output Configuration

edit

The Redis output inserts the events into a Redis list or a Redis channel. This output plugin is compatible with the Redis input plugin for Logstash.

Example configuration:

output.redis:
  hosts: ["localhost"]
  password: "my_password"
  key: "winlogbeat"
  db: 0
  timeout: 5

Compatibility

edit

This output works with Redis 3.2.0.

Redis Output Options

edit

You can specify the following options in the redis section of the winlogbeat.yml config file:

enabled

edit

The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.

The default value is true.

hosts

edit

The list of Redis servers to connect to. If load balancing is enabled, the events are distributed to the servers in the list. If one server becomes unreachable, the events are distributed to the reachable servers only. You can define each Redis server by specifying HOST or HOST:PORT. For example: "192.15.3.2" or "test.redis.io:12345". If you don’t specify a port number, the value configured by port is used.

port

edit

Deprecated in 5.0.0.

The Redis port to use if hosts does not contain a port number. The default is 6379.

index

edit

Deprecated in 5.0.0.

The index setting is renamed to key

The name of the Redis list or channel the events are published to. The default is "winlogbeat".

key

edit

The name of the Redis list or channel the events are published to. The default is "winlogbeat".

The redis key can be set dynamically using a format string accessing any fields in the event to be published.

This configuration will use the fields.list field to set the redis list key. If fields.list is missing, fallback will be used.

output.redis:
  hosts: ["localhost"]
  key: "%{[fields.list]:fallback}"

keys

edit

Array of key selector configurations supporting conditionals, format string based field access and name mappings. The first rule matching will be used to set the key for the event to be published. If keys is missing or no rule matches, the key field will be used.

Rule settings:

key: The key format string. If the fields used in the format string are missing, the rule fails.

mapping: Dictionary mapping key values to new names

default: Default string value if mapping does not find a match.

when: Condition which must succeed in order to execute the current rule.

Example keys settings:

output.redis:
  hosts: ["localhost"]
  key: "default_list"
  keys:
    - key: "info_list"   # send to info_list if `message` field contains INFO
      when.contains:
        message: "INFO"
    - key: "debug_list"  # send to debug_list if `message` field contains DEBUG
      when.contains:
        message: "DEBUG"
    - key: "%{[type]}"
      mapping:
        "http": "frontend_list"
        "nginx": "frontend_list"
        "mysql": "backend_list"

password

edit

The password to authenticate with. The default is no authentication.

The Redis database number where the events are published. The default is 0.

datatype

edit

The Redis data type to use for publishing events.If the data type is list, the Redis RPUSH command is used and all events are added to the list with the key defined under key. If the data type channel is used, the Redis PUBLISH command is used and means that all events are pushed to the pub/sub mechanism of Redis. The name of the channel is the one defined under key. The default value is list.

host_topology

edit

Deprecated in 5.0.0.

The Redis host to connect to when using topology map support. Topology map support is disabled if this option is not set.

password_topology

edit

Deprecated in 5.0.0.

The password to use for authenticating with the Redis topology server. The default is no authentication.

db_topology

edit

Deprecated in 5.0.0.

The Redis database number where the topology information is stored. The default is 1.

worker

edit

The number of workers to use for each host configured to publish events to Redis. Use this setting along with the loadbalance option. For example, if you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).

loadbalance

edit

If set to true and multiple hosts or workers are configured, the output plugin load balances published events onto all Redis hosts. If set to false, the output plugin sends all events to only one host (determined at random) and will switch to another host if the currently selected one becomes unreachable. The default value is true.

timeout

edit

The Redis connection timeout in seconds. The default is 5 seconds.

max_retries

edit

The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped. Some Beats, such as Filebeat, ignore the max_retries setting and retry until all events are published.

Set max_retries to a value less than 0 to retry until all events are published.

The default is 3.

bulk_max_size

edit

The maximum number of events to bulk in a single Redis request or pipeline. The default is 2048.

If the Beat sends single events, the events are collected into batches. If the Beat publishes a large batch of events (larger than the value specified by bulk_max_size), the batch is split.

Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.

Setting bulk_max_size to values less than or equal to 0 disables buffering in libbeat. When buffering is disabled, Beats that publish single events (such as Packetbeat) send each event directly to Redis. Beats that publish data in batches (such as Filebeat) send events in batches based on the spooler size.

ssl

edit

Configuration options for SSL parameters like the root CA for Redis connections guarded by SSL proxies (for example stunnel). See SSL Configuration for more information.

proxy_url

edit

The URL of the SOCKS5 proxy to use when connecting to the Redis servers. The value must be a URL with a scheme of socks5://. You cannot use a web proxy because the protocol used to communicate with Redis is not based on HTTP.

If the SOCKS5 proxy server requires client authentication, you can embed a username and password in the URL.

When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the proxy_use_local_resolver option.

proxy_use_local_resolver

edit

This option determines whether Redis hostnames are resolved locally when using a proxy. The default value is false, which means that name resolution occurs on the proxy server.