This page covers configuration for Elastic Beats (Metricbeat, Filebeat, Heartbeat, etc.).
| Beat | Configuration File |
|---|---|
| Metricbeat | /etc/metricbeat/metricbeat.yml |
| Filebeat | /etc/filebeat/filebeat.yml |
| Heartbeat | /etc/heartbeat/heartbeat.yml |
| Auditbeat | /etc/auditbeat/auditbeat.yml |
| Winlogbeat | C:\ProgramData\elastic\beats\winlogbeat\winlogbeat.yml |

Beats use modules to collect specific types of data:

```yaml
metricbeat.modules:
  - module: system
    metricsets:
      - cpu
      - memory
      - network
      - diskio
    period: 10s
    processes: ['.*']
  - module: docker
    metricsets:
      - container
      - cpu
      - memory
    hosts: ["unix:///var/run/docker.sock"]
    period: 10s
```

Elasticsearch Output:

```yaml
output.elasticsearch:
  hosts: ["https://elasticsearch:9200"]
  username: "elastic"
  password: "your_password"
  protocol: "https"
  ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
```

Logstash Output:

```yaml
output.logstash:
  hosts: ["logstash:5044"]
  ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
```

```yaml
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
```

```yaml
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/metricbeat
  name: metricbeat.log
  keepfiles: 7
  # 0644 lets every local user read the log files; the Beats default is 0600
  permissions: 0644
```

| Option | Description | Default |
|---|---|---|
| `period` | How often to collect metrics | 10s |
| `enabled` | Enable/disable module | true |
| `hosts` | Target hosts for collection | varies |
| `metrics.period` | Period for internal metrics | 10s |
| `max_procs` | Maximum CPU cores to use | all |

Beats supports environment variable substitution:

```yaml
output.elasticsearch:
  hosts: ["${ELASTICSEARCH_HOST:localhost}:9200"]
  username: "${ELASTICSEARCH_USER}"
  password: "${ELASTICSEARCH_PASSWORD}"
```
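
A pre-deployment check for the two output styles shown on this page, the literal `password` and the `${VAR}` reference. This is an added example, not part of Beats or its tooling; the function name `audit_beats_config` and its rules are this example's own, and the sample input is constructed from the snippets above.

```python
import re

# Constructed sample: the page's hardcoded-password output plus its logging block.
SAMPLE = """\
output.elasticsearch:
  hosts: ["https://elasticsearch:9200"]
  username: "elastic"
  password: "your_password"
  ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
logging.files:
  path: /var/log/metricbeat
  permissions: 0644
"""

# ${VAR}, ${VAR:default} or ${VAR:?error text}; group 1 is the part after ':'.
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*(?::([^}]*))?\}$")


def audit_beats_config(text):
    """Return (line_number, message) findings for a Beats YAML config.

    Line-based on purpose (no YAML dependency); it assumes one key per line,
    as in the snippets on this page.
    """
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split(" #", 1)[0].strip()
        if line.startswith("#") or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        value = value.strip("\"'")
        if key.endswith("password") and value:
            match = ENV_REF.match(value)
            if not match:
                findings.append((number, "literal password in config file"))
            elif match.group(1) and not match.group(1).startswith("?"):
                findings.append((number, "password reference has an inline default"))
        elif key == "hosts" and "http://" in value:
            findings.append((number, "cleartext http:// output host"))
        elif key.endswith("permissions") and re.fullmatch(r"0?[0-7]{3}", value):
            if int(value, 8) & 0o077:
                findings.append((number, "log files readable by group or others"))
    return findings


if __name__ == "__main__":
    for number, message in audit_beats_config(SAMPLE):
        print(f"line {number}: {message}")
```

A `${VAR:default}` reference on a password line is reported because the default is itself a secret stored in the file.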
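
Test your configuration before deploying:

```bash
# Test configuration
sudo metricbeat test config
# Test output connection
sudo metricbeat test output
# Run with config test (legacy single-dash flag from older Beats releases;
# current releases use the `test config` subcommand shown above)
sudo metricbeat -c /etc/metricbeat/metricbeat.yml -configtest
```
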
After modifying configuration:

```bash
# Reload configuration (systemd)
sudo systemctl reload metricbeat
# Or restart service
sudo systemctl restart metricbeat
```

Verify metrics are being collected:

```bash
# Check service status
sudo systemctl status metricbeat
# View logs
sudo journalctl -u metricbeat -f
# Query Elasticsearch for documents
curl -X GET "localhost:9200/metricbeat-*/_search?size=1"
```