) Also fix typo in winlogbeat load-ingest-pipelines doc. (cherry picked from commit 842c77c) Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
1 parent f5cde3c, commit c7ec8f6. Showing 5 changed files with 81 additions and 1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
[[load-ingest-pipelines]] | ||
== Load ingest pipelines | ||
|
||
{beatname_uc} modules are implemented using {es} ingest node | ||
pipelines. The events receive their transformations within | ||
{es}. The ingest node pipelines must be loaded | ||
into {es}. This can happen one of several ways. | ||
|
||
[id="{beatname_lc}-load-pipeline-auto"] | ||
[float] | ||
=== On connection to {es} | ||
|
||
{beatname_uc} will send ingest pipelines automatically to {es} if the | ||
{es} output is enabled. | ||
|
||
Make sure the user specified in +{beatname_lc}.yml+ is | ||
<<privileges-to-setup-beats,authorized to set up {beatname_uc}>>. | ||
|
||
If {beatname_uc} is sending events to {ls} or another output you need | ||
to load the ingest pipelines with the `setup` command or manually. | ||
|
||
[id="{beatname_lc}-load-pipeline-manual"] | ||
[float] | ||
=== Manually install pipelines | ||
|
||
Pipelines can be loaded them into {es} with the `_ingest/pipeline` REST API | ||
call. The user making the REST API call will need to have the `ingest_admin` | ||
role assigned to them. |
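Review bot: `Pipelines can be loaded them into {es}` in the last paragraph of this hunk has a stray `them`; it should read `Pipelines can be loaded into {es} with the `_ingest/pipeline` REST API call.` That paragraph is also the only place the hunk names a concrete privilege (`ingest_admin`, for the manual REST path), while the `On connection to {es}` section only links to <<privileges-to-setup-beats,...>>; stating there that the user in +{beatname_lc}.yml+ must be allowed to manage ingest pipelines would make the two paths consistent and help readers grant the narrowest role that works. Minor: `This can happen one of several ways.` reads better as `This can happen in one of several ways.`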
@@ -0,0 +1,41 @@ | ||
[id="{beatname_lc}-modules"] | ||
[role="xpack"] | ||
= Modules | ||
|
||
[partintro] | ||
-- | ||
This section contains detailed information about the available network packet | ||
log processing modules contained in {beatname_uc}. | ||
|
||
{beatname_uc} modules are implemented using Elasticsearch Ingest Node pipelines. | ||
The events receive their transformations within Elasticsearch. All events are | ||
sent through {beatname_uc}'s "routing" pipeline that routes events to specific | ||
module pipelines based on their network protocol. | ||
|
||
{beatname_uc}'s default config file contains the option to send all events to | ||
the routing pipeline. If you remove this option then the module processing | ||
will not be applied. | ||
|
||
[source,yaml,subs="attributes"] | ||
---- | ||
output.elasticsearch.pipeline: packetbeat-%{[agent.version]}-routing | ||
---- | ||
|
||
The general goal of each module is to transform events by renaming fields to | ||
comply with the {ecs-ref}/index.html[Elastic Common Schema] (ECS). The modules | ||
may also apply additional categorization, tagging, and parsing as necessary. | ||
about how to configure the language in `packetbeat`, refer to <<configuration-packetbeat-options>>. | ||
|
||
[id="{beatname_lc}-modules-setup"] | ||
[float] | ||
=== Setup of Ingest Node pipelines | ||
|
||
{beatname_uc}'s Ingest Node pipelines must be installed to Elasticsearch if you | ||
want to apply the module processing to events. The simplest way to get started | ||
is to use the Elasticsearch output and {beatname_uc} will automatically install | ||
the pipelines when it first connects to Elasticsearch. | ||
|
||
Installation Methods | ||
|
||
1. <<{beatname_lc}-load-pipeline-auto>> | ||
2. <<{beatname_lc}-load-pipeline-manual>> |
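Review bot: the line `about how to configure the language in `packetbeat`, refer to <<configuration-packetbeat-options>>.` is a sentence fragment (it reads as the tail of a sentence whose start is missing, and `the language` does not fit a modules page); either restore its lead or drop it, and confirm the `configuration-packetbeat-options` anchor exists in this book so the xref resolves. Two consistency points in the same hunk: the YAML example hardcodes `packetbeat-%{[agent.version]}-routing` inside a `subs="attributes"` block while the surrounding prose uses `{beatname_uc}`, so `{beatname_lc}-%{[agent.version]}-routing` would match the rest of the file; and this file spells out `Elasticsearch` where the sibling load-ingest-pipelines file uses `{es}`. `Installation Methods` before the numbered list is a bare line rather than a heading or a sentence; make it `Installation methods:` or a `[float]` heading like the others in this file.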