Add configuration example and improve reference #42125

Open
wants to merge 1 commit into
base: main
52 changes: 42 additions & 10 deletions filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl
Expand Up @@ -770,25 +770,57 @@ filebeat.inputs:
# Journald input is experimental.
#- type: journald
#enabled: true
#id: service-foo

# You may wish to have separate inputs for each service. You can use
# include_matches.or to specify a list of filter expressions that are
# applied as a logical OR. You may specify filter
#include_matches.match:
#- _SYSTEMD_UNIT=foo.service
# Unique ID among all inputs, if the ID changes, all entries
# will be re-ingested
id: my-journald-id

# List of syslog identifiers
#syslog_identifiers: ["audit"]
# Specify paths to read from custom journal files.
# Leave it unset to read the system's journal
# Glob based paths.
#paths:
#- /var/log/custom.journal

# The position to start reading from the journal, valid options are:
# - head: Starts reading at the beginning of the journal.
# - tail: Starts reading at the end of the journal.
# This means that no events will be sent until a new message is written.
# - since: Use also the `since` option to determine when to start reading from.
#seek: head

# A time offset from the current time to start reading from.
# To use since, seek option must be set to since.
#since: -24h

# Collect events from the service and messages about the service,
# including coredumps.
#units: ["docker.service"]
#units:
#- docker.service

# List of syslog identifiers
#syslog_identifiers: ["audit"]

# The list of transports (_TRANSPORT field of journald entries)
#transports: ["audit"]

# Parsers are also supported, here is an example of the multiline
# Filter logs by facilities, they must be specified using their numeric code.
#facilities:
#- 1
#- 2

# You may wish to have separate inputs for each service. You can use
# include_matches.or to specify a list of filter expressions that are
# applied as a logical OR.
#include_matches.match:
#- _SYSTEMD_UNIT=foo.service

# Uses the original hostname of the entry instead of the one
# from the host running jounrald
#save_remote_hostname: false

# Parsers are also supported, the possible parsers are:
# container, include_message, multiline, ndjson, syslog.
# Here is an example of the multiline
# parser.
#parsers:
#- multiline:
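Review bot: `id: my-journald-id` is uncommented in this reference block while `#- type: journald` and `#enabled: true` above it stay commented, so the key no longer belongs to a commented-out journald input and will either attach to whatever precedes it or break the YAML. Comment it out like every other option in the block (`#id: my-journald-id`).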
23 changes: 23 additions & 0 deletions filebeat/_meta/config/filebeat.inputs.yml.tmpl
Expand Up @@ -41,3 +41,26 @@ filebeat.inputs:
#fields:
# level: debug
# review: 1

# journald is an input for collecting logs from Journald
- type: journald

# Unique ID among all inputs, if the ID changes, all entries
# will be re-ingested
id: my-journald-id

# The position to start reading from the journal, valid options are:
# - head: Starts reading at the beginning of the journal.
# - tail: Starts reading at the end of the journal.
# This means that no events will be sent until a new message is written.
# - since: Use also the `since` option to determine when to start reading from.
#seek: head

# A time offset from the current time to start reading from.
# To use since, seek option must be set to since.
#since: -24h

# Collect events from the service and messages about the service,
# including coredumps.
#units:
#- docker.service
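Review bot: `- type: journald` is added here uncommented and without an `enabled: false`, and the only filter shown (`#units:`) is commented, so a default configuration built from this template starts an active input with no restriction on what it reads from the journal. If that is intended, say so in the comment above the input; otherwise ship it disabled or commented out so operators opt in, and confirm what happens at startup on a host that has no journald.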
52 changes: 42 additions & 10 deletions filebeat/filebeat.reference.yml
Expand Up @@ -1183,25 +1183,57 @@ filebeat.inputs:
# Journald input is experimental.
#- type: journald
#enabled: true
#id: service-foo

# You may wish to have separate inputs for each service. You can use
# include_matches.or to specify a list of filter expressions that are
# applied as a logical OR. You may specify filter
#include_matches.match:
#- _SYSTEMD_UNIT=foo.service
# Unique ID among all inputs, if the ID changes, all entries
# will be re-ingested
id: my-journald-id

# List of syslog identifiers
#syslog_identifiers: ["audit"]
# Specify paths to read from custom journal files.
# Leave it unset to read the system's journal
# Glob based paths.
#paths:
#- /var/log/custom.journal

# The position to start reading from the journal, valid options are:
# - head: Starts reading at the beginning of the journal.
# - tail: Starts reading at the end of the journal.
# This means that no events will be sent until a new message is written.
# - since: Use also the `since` option to determine when to start reading from.
#seek: head

# A time offset from the current time to start reading from.
# To use since, seek option must be set to since.
#since: -24h

# Collect events from the service and messages about the service,
# including coredumps.
#units: ["docker.service"]
#units:
#- docker.service

# List of syslog identifiers
#syslog_identifiers: ["audit"]

# The list of transports (_TRANSPORT field of journald entries)
#transports: ["audit"]

# Parsers are also supported, here is an example of the multiline
# Filter logs by facilities, they must be specified using their numeric code.
#facilities:
#- 1
#- 2

# You may wish to have separate inputs for each service. You can use
# include_matches.or to specify a list of filter expressions that are
# applied as a logical OR.
#include_matches.match:
#- _SYSTEMD_UNIT=foo.service

# Uses the original hostname of the entry instead of the one
# from the host running jounrald
#save_remote_hostname: false

# Parsers are also supported, the possible parsers are:
# container, include_message, multiline, ndjson, syslog.
# Here is an example of the multiline
# parser.
#parsers:
#- multiline:
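Review bot: typo in the `save_remote_hostname` comment: "jounrald" should be "journald". This file carries the same text as filebeat.inputs.reference.yml.tmpl, so fix it there and regenerate; the comment would also be clearer if it said which host "original hostname" refers to.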
23 changes: 23 additions & 0 deletions filebeat/filebeat.yml
Expand Up @@ -54,6 +54,29 @@ filebeat.inputs:
# level: debug
# review: 1

# journald is an input for collecting logs from Journald
- type: journald

# Unique ID among all inputs, if the ID changes, all entries
# will be re-ingested
id: my-journald-id

# The position to start reading from the journal, valid options are:
# - head: Starts reading at the beginning of the journal.
# - tail: Starts reading at the end of the journal.
# This means that no events will be sent until a new message is written.
# - since: Use also the `since` option to determine when to start reading from.
#seek: head

# A time offset from the current time to start reading from.
# To use since, seek option must be set to since.
#since: -24h

# Collect events from the service and messages about the service,
# including coredumps.
#units:
#- docker.service

# ============================== Filebeat modules ==============================

filebeat.config.modules:
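Review bot: the `seek` comment lists head, tail and since but never says which one applies when the option is left commented, as `#seek: head` is here. The input is active in this default file and the `id` comment warns that entries can be re-ingested, so state the default explicitly; an operator should be able to tell from this file whether the first start ships the journal's full history.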
52 changes: 42 additions & 10 deletions x-pack/filebeat/filebeat.reference.yml
Expand Up @@ -2867,25 +2867,57 @@ filebeat.inputs:
# Journald input is experimental.
#- type: journald
#enabled: true
#id: service-foo

# You may wish to have separate inputs for each service. You can use
# include_matches.or to specify a list of filter expressions that are
# applied as a logical OR. You may specify filter
#include_matches.match:
#- _SYSTEMD_UNIT=foo.service
# Unique ID among all inputs, if the ID changes, all entries
# will be re-ingested
id: my-journald-id

# List of syslog identifiers
#syslog_identifiers: ["audit"]
# Specify paths to read from custom journal files.
# Leave it unset to read the system's journal
# Glob based paths.
#paths:
#- /var/log/custom.journal

# The position to start reading from the journal, valid options are:
# - head: Starts reading at the beginning of the journal.
# - tail: Starts reading at the end of the journal.
# This means that no events will be sent until a new message is written.
# - since: Use also the `since` option to determine when to start reading from.
#seek: head

# A time offset from the current time to start reading from.
# To use since, seek option must be set to since.
#since: -24h

# Collect events from the service and messages about the service,
# including coredumps.
#units: ["docker.service"]
#units:
#- docker.service

# List of syslog identifiers
#syslog_identifiers: ["audit"]

# The list of transports (_TRANSPORT field of journald entries)
#transports: ["audit"]

# Parsers are also supported, here is an example of the multiline
# Filter logs by facilities, they must be specified using their numeric code.
#facilities:
#- 1
#- 2

# You may wish to have separate inputs for each service. You can use
# include_matches.or to specify a list of filter expressions that are
# applied as a logical OR.
#include_matches.match:
#- _SYSTEMD_UNIT=foo.service

# Uses the original hostname of the entry instead of the one
# from the host running jounrald
#save_remote_hostname: false

# Parsers are also supported, the possible parsers are:
# container, include_message, multiline, ndjson, syslog.
# Here is an example of the multiline
# parser.
#parsers:
#- multiline:
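Review bot: the `include_matches` comment names `include_matches.or`, but the example key directly under it is `#include_matches.match:`. Either show an `or` example or reword the comment to describe `match`. Separately, the first line of the block still reads "Journald input is experimental." while this PR adds the input to the default filebeat.yml; update or drop that line if it no longer holds.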
23 changes: 23 additions & 0 deletions x-pack/filebeat/filebeat.yml
Expand Up @@ -54,6 +54,29 @@ filebeat.inputs:
# level: debug
# review: 1

# journald is an input for collecting logs from Journald
- type: journald

# Unique ID among all inputs, if the ID changes, all entries
# will be re-ingested
id: my-journald-id

# The position to start reading from the journal, valid options are:
# - head: Starts reading at the beginning of the journal.
# - tail: Starts reading at the end of the journal.
# This means that no events will be sent until a new message is written.
# - since: Use also the `since` option to determine when to start reading from.
#seek: head

# A time offset from the current time to start reading from.
# To use since, seek option must be set to since.
#since: -24h

# Collect events from the service and messages about the service,
# including coredumps.
#units:
#- docker.service

# ============================== Filebeat modules ==============================

filebeat.config.modules:
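Review bot: wording in the added comments: the first line mixes "journald" and "Journald", and "Unique ID among all inputs, if the ID changes, all entries" is a comma splice. Suggest "Unique ID among all inputs. If the ID changes, all entries will be re-ingested." and one consistent spelling of journald, applied in the template so the generated copies match.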