puppet-filebeat
Table of Contents
- Description
- Setup - The basics of getting started with filebeat
- Usage - Configuration options and additional functionality
- Reference
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Description
The filebeat
module installs and configures the filebeat log shipper maintained by elastic.
Setup
What filebeat affects
By default filebeat
adds a software repository to your system, and installs filebeat along
with required configurations.
Setup Requirements
The filebeat
module depends on puppetlabs/stdlib
, and on
puppetlabs/apt
on Debian based systems.
Beginning with filebeat
filebeat
can be installed with puppet module install pcfens-filebeat
(or with r10k, librarian-puppet, etc.)
The only required parameter, other than which files to ship, is the outputs
parameter.
Usage
All of the default values in filebeat follow the upstream defaults (at the time of writing).
To ship files to elasticsearch:
class { 'filebeat':
outputs => {
'elasticsearch' => {
'hosts' => [
'http://localhost:9200',
'http://anotherserver:9200'
],
'index' => 'packetbeat',
'cas' => [
'/etc/pki/root/ca.pem',
],
},
},
}
To ship log files through logstash:
class { 'filebeat':
outputs => {
'logstash' => {
'hosts' => [
'localhost:5044',
'anotherserver:5044'
],
'loadbalance' => true,
},
},
}
Shipper and logging options can be configured the same way, and are documented on the elastic website.
Adding a prospector
Prospectors are processes that ship log files to elasticsearch or logstash. They can be defined as a hash added to the class declaration (also used for automatically creating prospectors using hiera), or as their own defined resources.
At a minimum, the paths
parameter must be set to an array of files or blobs that should
be shipped. log_type
is what logstash views as the type parameter if you'd like to
apply conditional filters.
filebeat::prospector { 'syslogs':
paths => [
'/var/log/auth.log',
'/var/log/syslog',
],
log_type => 'syslog-beat',
}
Multiline Logs
Filebeat prospectors (versions >= 1.1) can handle multiline log entries. The multiline
parameter accepts a hash containing pattern
, negate
, match
, max_lines
, and timeout
as documented in the filebeat configuration documentation.
Reference
Public Classes
filebeat
Class: Installs and configures filebeat.
Parameters within filebeat
package_ensure
: [String] The ensure parameter for the filebeat package (default: present)manage_repo
: [Boolean] Whether or not the upstream (elastic) repo should be configured or not (default: true)service_ensure
: [String] The ensure parameter on the filebeat service (default: running)service_enable
: [String] The enable parameter on the filebeat service (default: true)spool_size
: [Integer] How large the spool should grow before being flushed to the network (default: 1024)idle_timeout
: [String] How often the spooler should be flushed even if spool size isn't reached (default: 5s)registry_file
: [String] The registry file used to store positions, absolute or relative to working directory (default .filebeat)config_dir
: [String] The directory where prospectors should be defined (default: /etc/filebeat/conf.d)config_dir_mode
: [String] The permissions mode set on the configuration directory (default: 0755)config_file_mode
: [String] The permissions mode set on configuration files (default: 0644)purge_conf_dir
: [Boolean] Should files in the prospector configuration directory not managed by puppet be automatically purgedoutputs
: [Hash] Will be converted to YAML for the required outputs section of the configuration (see documentation, and above)shipper
: [Hash] Will be converted to YAML to create the optional shipper section of the filebeat config (see documentation)logging
: [Hash] Will be converted to YAML to create the optional logging section of the filebeat config (see documentation)conf_template
: [String] The configuration template to use to generate the main filebeat.yml config filedownload_url
: [String] The URL of the zip file that should be downloaded to install filebeat (windows only)install_dir
: [String] Where filebeat should be installed (windows only)tmp_dir
: [String] Where filebeat should be temporarily downloaded to so it can be installed (windows only)prospectors
: [Hash] Prospectors that will be created. Commonly used to create prospectors using hiera
Private Classes
filebeat::config
Class: Creates the configuration files required for filebeat (but not the prospectors)
filebeat::install
Class: Calls the correct installer class based on the kernel fact.
filebeat::params
Class: Sets default parameters for filebeat
based on the OS and other facts.
filebeat::repo
Class: Installs the yum or apt repository for the system package manager to install filebeat.
filebeat::service
Class: Configures and manages the filebeat service.
filebeat::install::linux
Class: Install the filebeat package on Linux kernels.
filebeat::install::windows
Class: Downloads, extracts, and installs the filebeat zip file in Windows.
Public Defines
filebeat::prospector
Define: Installs a configuration file for a prospector.
Be sure to read the filebeat configuration details to fully understand what these parameters do.
Parameters for filebeat::prospector
ensure
: The ensure parameter on the prospector configuration file. (default: present)paths
: [Array] The paths, or blobs that should be handled by the prospector. (required)exclude_files
: [Array] Files that match any regex in the list are excluded from filebeat (default: [])encoding
: [String] The file encoding. (default: plain)input_type
: [String] log or stdin - where filebeat reads the log from (default:log)fields
: [Hash] Optional fields to add information to the output (default: {})fields_under_root
: [Boolean] Should thefields
parameter fields be stored at the top level of indexed documents.ignore_older
: [String] Files older than this field will be ignored by filebeat (default: 24h)log_type
: [String] (Deprecated - usedoc_type
) The document_type setting (optional - default: log)doc_type
: [String] The event type to used for published lines, used as type field in logstash and elasticsearch (optional - default: log)scan_frequency
: [String] How often should the prospector check for new files (default: 10s)harvester_buffer_size
: [Integer] The buffer size the harvester uses when fetching the file (default: 16384)tail_files
: [Boolean] If true, filebeat starts reading new files at the end instead of the beginning (default: false)backoff
: [String] How long filebeat should wait between scanning a file after reaching EOF (default: 1s)max_backoff
: [String] The maximum wait time to scan a file for new lines to ship (default: 10s)backoff_factor
: [Integer]backoff
is multiplied by this parameter untilmax_backoff
is reached to determine the actual backoff (default: 2)partial_line_waiting
: [String] How long should the prospector wait before shipping a file with a potentially incomplete last line (default: 5s)force_close_files
: [Boolean] Should filebeat forcibly close a file when renamed (default: false)include_lines
: [Array] A list of regular expressions to match the lines that you want to include. Ignored if empty (default: [])exclude_lines
: [Array] A list of regular expressions to match the files that you want to exclude. Ignored if empty (default: [])max_bytes
: [Integer] The maximum number of bytes that a single log message can have (default: 10485760)multiline
: [Hash] Options that control how Filebeat handles log messages that span multiple lines. See above. (default: {})
Limitations
This module doesn't load the elasticsearch index template into elasticsearch (required when shipping directly to elasticsearch).
Only filebeat versions after 1.0.0-rc1 are supported. 1.0.0-rc1 and older don't support YAML like the ruby template can easily generate.
Development
Pull requests and bug reports are welcome. If you're sending a pull request, please consider writing tests if applicable.