Forge Home

Modules

Puppet

Resources

PuppetEcosystemPuppet CommunityUpdates

filebeat

A module to install and manage the filebeat log shipper
Project URLRSS FeedReport issues

1,426,630 downloads

13,500 latest version

4.3 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 4.14.0 (latest)
  • 4.13.0
  • 4.12.0
  • 4.11.0
  • 4.10.0
  • 4.9.0
  • 4.8.0
  • 4.7.0
  • 4.6.0
  • 4.5.0
  • 4.4.2
  • 4.4.1
  • 4.4.0
  • 4.3.1
  • 4.3.0
  • 4.2.0
  • 4.1.2
  • 4.1.1
  • 4.1.0
  • 4.0.5
  • 4.0.4
  • 4.0.3
  • 4.0.2
  • 4.0.1
  • 4.0.0
  • 3.4.0
  • 3.3.3
  • 3.3.2
  • 3.3.1
  • 3.2.2
  • 3.2.1
  • 3.2.0
  • 3.1.0
  • 3.0.1
  • 3.0.0
  • 2.4.0
  • 2.3.0
  • 2.2.0
  • 2.1.0
  • 2.0.0
  • 1.0.0
  • 0.12.1
  • 0.12.0
  • 0.11.2
  • 0.11.1
  • 0.11.0 (deleted)
  • 0.10.4
  • 0.10.3
  • 0.10.2
  • 0.10.1
  • 0.10.0
  • 0.9.2
  • 0.9.1
  • 0.9.0
  • 0.8.7
  • 0.8.6
  • 0.8.5
  • 0.8.4
  • 0.8.3
  • 0.8.2
  • 0.8.1
  • 0.8.0
  • 0.7.4
  • 0.7.2
  • 0.7.1
  • 0.7.0
  • 0.6.3
  • 0.6.2
  • 0.6.1
  • 0.6.0
  • 0.5.8
  • 0.5.7
  • 0.5.6
  • 0.5.5
  • 0.5.4
  • 0.5.3 (deleted)
  • 0.5.2
  • 0.5.1
  • 0.5.0
  • 0.4.1
  • 0.4.0
  • 0.3.1
  • 0.3.0
  • 0.2.2
  • 0.2.1
  • 0.2.0
  • 0.1.1
  • 0.1.0
released Jun 10th 2016
This version is compatible with:
  • Puppet Enterprise >= 3.0.0 < 2015.4.0
  • Puppet >= 3.0.0 < 5.0.0
  • , , , , , ,

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'pcfens-filebeat', '0.7.1'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add pcfens-filebeat
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install pcfens-filebeat --version 0.7.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Download
Tags: elasticsearch, logstash, elastic, filebeat

Documentation

pcfens/filebeat — version 0.7.1 Jun 10th 2016

puppet-filebeat

Build Status

Table of Contents

  1. Description
  2. Setup - The basics of getting started with filebeat
  3. Usage - Configuration options and additional functionality
  4. Reference
  5. Limitations - OS compatibility, etc.
  6. Development - Guide for contributing to the module

Description

The filebeat module installs and configures the filebeat log shipper maintained by elastic.

Setup

What filebeat affects

By default filebeat adds a software repository to your system, and installs filebeat along with required configurations.

Setup Requirements

The filebeat module depends on puppetlabs/stdlib, and on puppetlabs/apt on Debian based systems.

Beginning with filebeat

filebeat can be installed with puppet module install pcfens-filebeat (or with r10k, librarian-puppet, etc.)

The only required parameter, other than which files to ship, is the outputs parameter.

Usage

All of the default values in filebeat follow the upstream defaults (at the time of writing).

To ship files to elasticsearch:

class { 'filebeat':
  outputs => {
    'elasticsearch' => {
     'hosts' => [
       'http://localhost:9200',
       'http://anotherserver:9200'
     ],
     'index'       => 'packetbeat',
     'cas'         => [
        '/etc/pki/root/ca.pem',
     ],
    },
  },
}

To ship log files through logstash:

class { 'filebeat':
  outputs => {
    'logstash'     => {
     'hosts' => [
       'localhost:5044',
       'anotherserver:5044'
     ],
     'loadbalance' => true,
    },
  },
}

Shipper and logging options can be configured the same way, and are documented on the elastic website.

Adding a prospector

Prospectors are processes that ship log files to elasticsearch or logstash. They can be defined as a hash added to the class declaration (also used for automatically creating prospectors using hiera), or as their own defined resources.

At a minimum, the paths parameter must be set to an array of files or blobs that should be shipped. doc_type is what logstash views as the type parameter if you'd like to apply conditional filters.

filebeat::prospector { 'syslogs':
  paths    => [
    '/var/log/auth.log',
    '/var/log/syslog',
  ],
  doc_type => 'syslog-beat',
}

Multiline Logs

Filebeat prospectors (versions >= 1.1) can handle multiline log entries. The multiline parameter accepts a hash containing pattern, negate, match, max_lines, and timeout as documented in the filebeat configuration documentation.

Prospectors in Hiera

Prospectors can be declared in hiera using the prospectors parameter. By default, hiera will not merge prospector declarations down the hiera hierarchy. To change the behavior in puppet 3 use the prospectors_merge parameter. In puppet 4, you can use prospectors_merge, but can also use the lookup_options flag.

When prospectors_merge is set to true, prospectors will be replaced by the output of hiera_hash('filebeat::prospectors').

Usage on Windows

When installing on Windows, this module will download the windows version of Filebeat from elastic to C:\Temp by default. The directory can be overridden using the tmp_dir parameter. tmp_dir is not managed by this module, but is expected to exist as a directory that puppet can write to.

Reference

Public Classes

Class: filebeat

Installs and configures filebeat.

Parameters within filebeat

  • package_ensure: [String] The ensure parameter for the filebeat package (default: present)
  • manage_repo: [Boolean] Whether or not the upstream (elastic) repo should be configured or not (default: true)
  • service_ensure: [String] The ensure parameter on the filebeat service (default: running)
  • service_enable: [String] The enable parameter on the filebeat service (default: true)
  • service_provider: [String] The provier parameter on the filebeat service (default: on RedHat based systems use redhat, otherwise undefined)
  • spool_size: [Integer] How large the spool should grow before being flushed to the network (default: 2048)
  • idle_timeout: [String] How often the spooler should be flushed even if spool size isn't reached (default: 5s)
  • publish_async: [Boolean] If set to true filebeat will publish while preparing the next batch of lines to transmit (defualt: false)
  • registry_file: [String] The registry file used to store positions, absolute or relative to working directory (default .filebeat)
  • config_file: [String] Where the configuration file managed by this module should be placed. If you think you might want to use this, read the limitations first. Defaults to the location that filebeat expects for your operating system.
  • config_dir: [String] The directory where prospectors should be defined (default: /etc/filebeat/conf.d)
  • config_dir_mode: [String] The permissions mode set on the configuration directory (default: 0755)
  • config_file_mode: [String] The permissions mode set on configuration files (default: 0644)
  • purge_conf_dir: [Boolean] Should files in the prospector configuration directory not managed by puppet be automatically purged
  • outputs: [Hash] Will be converted to YAML for the required outputs section of the configuration (see documentation, and above)
  • shipper: [Hash] Will be converted to YAML to create the optional shipper section of the filebeat config (see documentation)
  • logging: [Hash] Will be converted to YAML to create the optional logging section of the filebeat config (see documentation)
  • conf_template: [String] The configuration template to use to generate the main filebeat.yml config file
  • download_url: [String] The URL of the zip file that should be downloaded to install filebeat (windows only)
  • install_dir: [String] Where filebeat should be installed (windows only)
  • tmp_dir: [String] Where filebeat should be temporarily downloaded to so it can be installed (windows only)
  • prospectors: [Hash] Prospectors that will be created. Commonly used to create prospectors using hiera
  • prospectors_merge: [Boolean] If true, hiera_hash() will be used to build the the prospectors parameter (default: false)

Private Classes

Class: filebeat::config

Creates the configuration files required for filebeat (but not the prospectors)

Class: filebeat::install

Calls the correct installer class based on the kernel fact.

Class: filebeat::params

Sets default parameters for filebeat based on the OS and other facts.

Class: filebeat::repo

Installs the yum or apt repository for the system package manager to install filebeat.

Class: filebeat::service

Configures and manages the filebeat service.

Class: filebeat::install::linux

Install the filebeat package on Linux kernels.

Class: filebeat::install::windows

Downloads, extracts, and installs the filebeat zip file in Windows.

Public Defines

Define: filebeat::prospector

Installs a configuration file for a prospector.

Be sure to read the filebeat configuration details to fully understand what these parameters do.

Parameters for filebeat::prospector

  • ensure: The ensure parameter on the prospector configuration file. (default: present)
  • paths: [Array] The paths, or blobs that should be handled by the prospector. (required)
  • exclude_files: [Array] Files that match any regex in the list are excluded from filebeat (default: [])
  • encoding: [String] The file encoding. (default: plain)
  • input_type: [String] log or stdin - where filebeat reads the log from (default:log)
  • fields: [Hash] Optional fields to add information to the output (default: {})
  • fields_under_root: [Boolean] Should the fields parameter fields be stored at the top level of indexed documents.
  • ignore_older: [String] Files older than this field will be ignored by filebeat (default: 24h in filebeat < 1.2.0, infinite in filebeat >= 1.2.0)
  • close_older: [String] Files that haven't been modified since close_older, they'll be closed. New modifications will be read when files are scanned again according to scan_frequency. Introduced in filebeat 1.2.0 (default: 1h)
  • log_type: [String] (Deprecated - use doc_type) The document_type setting (optional - default: log)
  • doc_type: [String] The event type to used for published lines, used as type field in logstash and elasticsearch (optional - default: log)
  • scan_frequency: [String] How often should the prospector check for new files (default: 10s)
  • harvester_buffer_size: [Integer] The buffer size the harvester uses when fetching the file (default: 16384)
  • tail_files: [Boolean] If true, filebeat starts reading new files at the end instead of the beginning (default: false)
  • backoff: [String] How long filebeat should wait between scanning a file after reaching EOF (default: 1s)
  • max_backoff: [String] The maximum wait time to scan a file for new lines to ship (default: 10s)
  • backoff_factor: [Integer] backoff is multiplied by this parameter until max_backoff is reached to determine the actual backoff (default: 2)
  • partial_line_waiting: [String] How long should the prospector wait before shipping a file with a potentially incomplete last line (default: 5s)
  • force_close_files: [Boolean] Should filebeat forcibly close a file when renamed (default: false)
  • include_lines: [Array] A list of regular expressions to match the lines that you want to include. Ignored if empty (default: [])
  • exclude_lines: [Array] A list of regular expressions to match the files that you want to exclude. Ignored if empty (default: [])
  • max_bytes: [Integer] The maximum number of bytes that a single log message can have (default: 10485760)
  • multiline: [Hash] Options that control how Filebeat handles log messages that span multiple lines. See above. (default: {})

Limitations

This module doesn't load the elasticsearch index template into elasticsearch (required when shipping directly to elasticsearch).

Only filebeat versions after 1.0.0-rc1 are supported. 1.0.0-rc1 and older don't support YAML like the ruby template can easily generate.

When installing on Windows, there's an expectation that C:\Temp already exists, or an alternative location specified in the tmp_dir parameter exists and is writable by puppet. The temp directory is used to store the downloaded installer only.

Pre-1.9.1 Ruby

If you're on a system running a Ruby pre-1.9.1, hashes aren't sorted consistently, causing puppet runs to not be idempotent. To fix this, a limited template is used if the rubyversion is pre-1.9.1. The limited template only supports elasticsearch, logstash, file, and console outputs, and not all options may be supported (there is no warning when an option is omitted). Unlike with newer rubies, as new versions of filebeat are released, this template may not work until it's updated, even if you're using an updated configuration hash.

If you don't care about keeping puppet idempotent, this can be overridden by setting the conf_template parameter to 'filebeat/filebeat.yml.erb'.

See templates/filebeat.yml.ruby18.erb for the all of the details.

Using config_file

There are a few very specific use cases where you don't want this module to directly manage the filebeat configuration file, but you still want the configuration file on the system at a different location. Setting config_file will write the filebeat configuration file to an alternate location, but it will not update the init script. If you don't also manage the correct file (/etc/filebeat/filebeat.yml on Linux, C:/Program Files/Filebeat/filebeat.yml on Windows) then filebeat won't be able to start.

If you're copying the alternate config file location into the real location you'll need to include some metaparameters like

file { '/etc/filebeat/filebeat.yml':
  ensure  => file,
  source  => 'file:///etc/filebeat/filebeat.special',
  require => File['filebeat.yml'],
  notify  => Service['filebeat'],
}

to ensure that services are managed like you might expect.

Development

Pull requests and bug reports are welcome. If you're sending a pull request, please consider writing tests if applicable.