Example Filebeat Configuration
Jason Ish edited this page May 21, 2020 · 3 revisions
This is an example Filebeat configuration for sending Suricata events directly to Elasticsearch. The Filebeat index template will be used.
```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/suricata/eve.json
  # Make the event the root object, instead of under the "json" key.
  json.keys_under_root: true
  # This is supposed to overwrite the filebeat root keys with the event root
  # keys, but it doesn't seem to overwrite the "host" field.
  #
  # The host field is where Suricata stores the sensor_name.
  #
  # Note: the option lives under the json.* namespace; a bare "overwrite_keys"
  # is not a recognised log-input setting.
  json.overwrite_keys: true

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["elasticsearch:9200"]
```
Example usage (Filebeat takes its configuration file with `-c`; there is no `-f` flag):

```
./bin/filebeat -c filebeat.yml
```
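The two `json.*` options above decide where the decoded Suricata event lands and which side wins when a Suricata key (such as the top-level `host` carrying the sensor name) clashes with a field Filebeat has already set. The following is an added example, not code from this wiki or from Filebeat: a small Python model of that merge, with a constructed EVE alert line and a reduced stand-in for Filebeat's own fields (`filebeat_base_event`, the field set, and the sample values are all assumptions made for illustration).

```python
import json

# Constructed sample EVE line (not from the page). Suricata writes the sensor
# name into a top-level "host" field, which is the clash the config comment
# describes.
SAMPLE_EVE_LINE = json.dumps({
    "timestamp": "2020-05-21T10:00:00.000000+0000",
    "event_type": "alert",
    "host": "sensor-01",
    "src_ip": "10.0.0.5",
    "dest_ip": "10.0.0.9",
    "alert": {"signature": "CONSTRUCTED test signature", "severity": 2},
})


def filebeat_base_event():
    """Fields Filebeat has already attached when the json.* options run.

    Assumption: a reduced stand-in; real Filebeat adds more (agent.*,
    ecs.version, log.file.path, ...). The nested "host" object is the point.
    """
    return {
        "@timestamp": "2020-05-21T10:00:01.000Z",
        "host": {"name": "filebeat-collector"},
        "input": {"type": "log"},
    }


def decode_json_line(line, keys_under_root=False, overwrite_keys=False):
    """Model of json.keys_under_root / json.overwrite_keys (not Filebeat's code).

    - keys_under_root=False: the decoded object is stored under "json".
    - keys_under_root=True:  decoded keys are merged at the root; on a name
      clash Filebeat's own field wins unless overwrite_keys=True.
    """
    event = filebeat_base_event()
    decoded = json.loads(line)
    if not keys_under_root:
        event["json"] = decoded
        return event
    for key, value in decoded.items():
        if key in event and not overwrite_keys:
            continue  # keep Filebeat's field, drop the Suricata value
        event[key] = value
    return event


def compare_settings(line=SAMPLE_EVE_LINE):
    """Run the same line through the three meaningful option combinations."""
    return {
        "nested": decode_json_line(line),
        "root": decode_json_line(line, keys_under_root=True),
        "root_overwrite": decode_json_line(
            line, keys_under_root=True, overwrite_keys=True),
    }


if __name__ == "__main__":
    for name, event in compare_settings().items():
        print(f"{name:15} host={event['host']!r} "
              f"event_type={event.get('event_type')!r}")
```

The `root_overwrite` case is the one the configuration asks for: the Suricata string `"sensor-01"` replaces Filebeat's `host` object. That is worth checking against the index mapping before relying on it, because an index whose `host` field is already mapped as an object will reject a document in which `host` is a plain string (Elasticsearch raises a mapping error), so a sensor name that does win the merge can still fail at indexing time. My understanding of why the override appears not to take effect in practice is that Filebeat attaches `host.name` in the publisher pipeline, after the input-level JSON decoding shown here; treat that as an assumption to verify against the Filebeat version in use, for example by running `filebeat test config -c filebeat.yml` and inspecting a single indexed document.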