{ "name": "system", "title": "System", "version": "2.4.0", "release": "ga", "description": "Collect system logs and metrics from your servers with Elastic Agent.", "type": "integration", "download": "/epr/system/system-2.4.0.zip", "path": "/package/system/2.4.0", "icons": [ { "src": "/img/system.svg", "path": "/package/system/2.4.0/img/system.svg", "title": "system", "size": "1000x1000", "type": "image/svg+xml" } ], "conditions": { "kibana": { "version": "^8.17.0 || ^9.0.0" } }, "owner": { "type": "elastic", "github": "elastic/obs-infraobs-integrations" }, "categories": [ "os_system" ], "signature_path": "/epr/system/system-2.4.0.zip.sig", "format_version": "3.0.2", "readme": "/package/system/2.4.0/docs/README.md", "license": "basic", "screenshots": [ { "src": "/img/system-overview.png", "path": "/package/system/2.4.0/img/system-overview.png", "title": "system overview", "size": "3226x1956", "type": "image/png" }, { "src": "/img/host-overview.png", "path": "/package/system/2.4.0/img/host-overview.png", "title": "host overview", "size": "3258x5698", "type": "image/png" } ], "assets": [ "/package/system/2.4.0/LICENSE.txt", "/package/system/2.4.0/changelog.yml", "/package/system/2.4.0/manifest.yml", "/package/system/2.4.0/validation.yml", "/package/system/2.4.0/docs/README.md", "/package/system/2.4.0/img/host-overview.png", "/package/system/2.4.0/img/system-overview.png", "/package/system/2.4.0/img/system.svg", "/package/system/2.4.0/kibana/tags.yml", "/package/system/2.4.0/data_stream/application/manifest.yml", "/package/system/2.4.0/data_stream/auth/manifest.yml", "/package/system/2.4.0/data_stream/auth/sample_event.json", "/package/system/2.4.0/data_stream/core/manifest.yml", "/package/system/2.4.0/data_stream/cpu/manifest.yml", "/package/system/2.4.0/data_stream/diskio/manifest.yml", "/package/system/2.4.0/data_stream/filesystem/manifest.yml", "/package/system/2.4.0/data_stream/fsstat/manifest.yml", "/package/system/2.4.0/data_stream/load/manifest.yml", "/package/system/2.4.0/data_stream/memory/manifest.yml", "/package/system/2.4.0/data_stream/network/manifest.yml", "/package/system/2.4.0/data_stream/process/manifest.yml", "/package/system/2.4.0/data_stream/process/sample_event.json", "/package/system/2.4.0/data_stream/process_summary/manifest.yml", "/package/system/2.4.0/data_stream/security/manifest.yml", "/package/system/2.4.0/data_stream/security/sample_event.json", "/package/system/2.4.0/data_stream/socket_summary/manifest.yml", "/package/system/2.4.0/data_stream/syslog/manifest.yml", "/package/system/2.4.0/data_stream/syslog/sample_event.json", "/package/system/2.4.0/data_stream/system/manifest.yml", "/package/system/2.4.0/data_stream/uptime/manifest.yml", "/package/system/2.4.0/kibana/dashboard/system-0d3f2380-fa78-11e6-ae9b-81e5311e8cab.json", "/package/system/2.4.0/kibana/dashboard/system-277876d0-fa2c-11e6-bbd3-29c986c96e5a.json", "/package/system/2.4.0/kibana/dashboard/system-5517a150-f9ce-11e6-8115-a7c18106d86a.json", "/package/system/2.4.0/kibana/dashboard/system-71f720f0-ff18-11e9-8405-516218e3d268.json", "/package/system/2.4.0/kibana/dashboard/system-79ffd6e0-faa0-11e6-947f-177f697178b8.json", "/package/system/2.4.0/kibana/dashboard/system-Logs-syslog-dashboard.json", "/package/system/2.4.0/kibana/dashboard/system-Metrics-system-overview.json", "/package/system/2.4.0/kibana/dashboard/system-Windows-Dashboard.json", "/package/system/2.4.0/kibana/dashboard/system-bae11b00-9bfc-11ea-87e4-49f31ec44891.json", "/package/system/2.4.0/kibana/dashboard/system-bb858830-f412-11e9-8405-516218e3d268.json", "/package/system/2.4.0/kibana/dashboard/system-d401ef40-a7d5-11e9-a422-d144027429da.json", "/package/system/2.4.0/data_stream/application/fields/agent.yml", "/package/system/2.4.0/data_stream/application/fields/base-fields.yml", "/package/system/2.4.0/data_stream/application/fields/winlog.yml", "/package/system/2.4.0/data_stream/auth/fields/agent.yml", "/package/system/2.4.0/data_stream/auth/fields/base-fields.yml", "/package/system/2.4.0/data_stream/auth/fields/fields.yml", "/package/system/2.4.0/data_stream/core/fields/agent.yml", "/package/system/2.4.0/data_stream/core/fields/base-fields.yml", "/package/system/2.4.0/data_stream/core/fields/ecs.yml", "/package/system/2.4.0/data_stream/core/fields/fields.yml", "/package/system/2.4.0/data_stream/cpu/fields/agent.yml", "/package/system/2.4.0/data_stream/cpu/fields/base-fields.yml", "/package/system/2.4.0/data_stream/cpu/fields/ecs.yml", "/package/system/2.4.0/data_stream/cpu/fields/fields.yml", "/package/system/2.4.0/data_stream/diskio/fields/agent.yml", "/package/system/2.4.0/data_stream/diskio/fields/base-fields.yml", "/package/system/2.4.0/data_stream/diskio/fields/ecs.yml", "/package/system/2.4.0/data_stream/diskio/fields/fields.yml", "/package/system/2.4.0/data_stream/filesystem/fields/agent.yml", "/package/system/2.4.0/data_stream/filesystem/fields/base-fields.yml", "/package/system/2.4.0/data_stream/filesystem/fields/ecs.yml", "/package/system/2.4.0/data_stream/filesystem/fields/fields.yml", "/package/system/2.4.0/data_stream/fsstat/fields/agent.yml", "/package/system/2.4.0/data_stream/fsstat/fields/base-fields.yml", "/package/system/2.4.0/data_stream/fsstat/fields/ecs.yml", "/package/system/2.4.0/data_stream/fsstat/fields/fields.yml", "/package/system/2.4.0/data_stream/load/fields/agent.yml", "/package/system/2.4.0/data_stream/load/fields/base-fields.yml", "/package/system/2.4.0/data_stream/load/fields/ecs.yml", "/package/system/2.4.0/data_stream/load/fields/fields.yml", "/package/system/2.4.0/data_stream/memory/fields/agent.yml", "/package/system/2.4.0/data_stream/memory/fields/base-fields.yml", "/package/system/2.4.0/data_stream/memory/fields/ecs.yml", "/package/system/2.4.0/data_stream/memory/fields/fields.yml", "/package/system/2.4.0/data_stream/network/fields/agent.yml", "/package/system/2.4.0/data_stream/network/fields/base-fields.yml", "/package/system/2.4.0/data_stream/network/fields/ecs.yml", "/package/system/2.4.0/data_stream/network/fields/fields.yml", "/package/system/2.4.0/data_stream/process/fields/agent.yml", "/package/system/2.4.0/data_stream/process/fields/base-fields.yml", "/package/system/2.4.0/data_stream/process/fields/ecs.yml", "/package/system/2.4.0/data_stream/process/fields/fields.yml", "/package/system/2.4.0/data_stream/process_summary/fields/agent.yml", "/package/system/2.4.0/data_stream/process_summary/fields/base-fields.yml", "/package/system/2.4.0/data_stream/process_summary/fields/ecs.yml", "/package/system/2.4.0/data_stream/process_summary/fields/fields.yml", "/package/system/2.4.0/data_stream/security/fields/agent.yml", "/package/system/2.4.0/data_stream/security/fields/base-fields.yml", "/package/system/2.4.0/data_stream/security/fields/beats.yml", "/package/system/2.4.0/data_stream/security/fields/ecs.yml", "/package/system/2.4.0/data_stream/security/fields/fields.yml", "/package/system/2.4.0/data_stream/security/fields/winlog.yml", "/package/system/2.4.0/data_stream/socket_summary/fields/agent.yml", "/package/system/2.4.0/data_stream/socket_summary/fields/base-fields.yml", "/package/system/2.4.0/data_stream/socket_summary/fields/ecs.yml", "/package/system/2.4.0/data_stream/socket_summary/fields/fields.yml", "/package/system/2.4.0/data_stream/syslog/fields/agent.yml", "/package/system/2.4.0/data_stream/syslog/fields/base-fields.yml", "/package/system/2.4.0/data_stream/syslog/fields/fields.yml", "/package/system/2.4.0/data_stream/system/fields/agent.yml", "/package/system/2.4.0/data_stream/system/fields/base-fields.yml", "/package/system/2.4.0/data_stream/system/fields/winlog.yml", "/package/system/2.4.0/data_stream/uptime/fields/agent.yml", "/package/system/2.4.0/data_stream/uptime/fields/base-fields.yml", "/package/system/2.4.0/data_stream/uptime/fields/ecs.yml", "/package/system/2.4.0/data_stream/uptime/fields/fields.yml", "/package/system/2.4.0/data_stream/application/agent/stream/winlog.yml.hbs", "/package/system/2.4.0/data_stream/application/elasticsearch/ingest_pipeline/default.yml", "/package/system/2.4.0/data_stream/auth/agent/stream/journald.yml.hbs", "/package/system/2.4.0/data_stream/auth/agent/stream/log.yml.hbs", "/package/system/2.4.0/data_stream/auth/elasticsearch/ingest_pipeline/default.yml", "/package/system/2.4.0/data_stream/auth/elasticsearch/ingest_pipeline/journald.yml", "/package/system/2.4.0/data_stream/auth/elasticsearch/ingest_pipeline/log.yml", "/package/system/2.4.0/data_stream/core/agent/stream/stream.yml.hbs", "/package/system/2.4.0/data_stream/cpu/agent/stream/stream.yml.hbs", "/package/system/2.4.0/data_stream/diskio/agent/stream/stream.yml.hbs", "/package/system/2.4.0/data_stream/filesystem/agent/stream/stream.yml.hbs", "/package/system/2.4.0/data_stream/fsstat/agent/stream/stream.yml.hbs", "/package/system/2.4.0/data_stream/load/agent/stream/stream.yml.hbs", "/package/system/2.4.0/data_stream/memory/agent/stream/stream.yml.hbs", "/package/system/2.4.0/data_stream/network/agent/stream/stream.yml.hbs", "/package/system/2.4.0/data_stream/process/agent/stream/stream.yml.hbs", "/package/system/2.4.0/data_stream/process/elasticsearch/ingest_pipeline/default.yml", "/package/system/2.4.0/data_stream/process_summary/agent/stream/stream.yml.hbs", "/package/system/2.4.0/data_stream/security/agent/stream/winlog.yml.hbs", "/package/system/2.4.0/data_stream/security/elasticsearch/ingest_pipeline/default.yml", "/package/system/2.4.0/data_stream/security/elasticsearch/ingest_pipeline/standard.yml", "/package/system/2.4.0/data_stream/socket_summary/agent/stream/stream.yml.hbs", "/package/system/2.4.0/data_stream/syslog/agent/stream/journald.yml.hbs", "/package/system/2.4.0/data_stream/syslog/agent/stream/log.yml.hbs", "/package/system/2.4.0/data_stream/syslog/elasticsearch/ingest_pipeline/default.yml", "/package/system/2.4.0/data_stream/syslog/elasticsearch/ingest_pipeline/journald.yml", "/package/system/2.4.0/data_stream/syslog/elasticsearch/ingest_pipeline/log.yml", "/package/system/2.4.0/data_stream/system/agent/stream/winlog.yml.hbs", "/package/system/2.4.0/data_stream/system/elasticsearch/ingest_pipeline/default.yml", "/package/system/2.4.0/data_stream/uptime/agent/stream/stream.yml.hbs" ], "policy_templates": [ { "name": "system", "title": "System logs and metrics", "description": "Collect logs and metrics from System instances", "inputs": [ { "type": "logfile", "vars": [ { "name": "condition", "type": "text", "title": "Condition", "description": "Condition to filter when to apply this input. Refer to\n[Host provider](https://www.elastic.co/guide/en/fleet/current/host-provider.html)\nto find the available keys and to\n[Conditions](https://www.elastic.co/guide/en/fleet/current/dynamic-input-configuration.html#conditions)\non how to use the available keys in conditions. It defaults to\n'${host.os_version} != \"12 (bookworm)\" and (${host.os_platform} != \"amzn\" or ${host.os_version} != \"2023\") and (${host.os_platform} != \"sles\" and startsWith(${host.os_version}, \"15\") == false)'\n", "multi": false, "required": false, "show_user": true, "default": "${host.os_version} != \"12 (bookworm)\" and (${host.os_platform} != \"amzn\" or ${host.os_version} != \"2023\") and (${host.os_platform} != \"sles\" and startsWith(${host.os_version}, \"15\") == false)" } ], "title": "Collect logs from System instances", "description": "Collecting System auth and syslog logs from files" }, { "type": "journald", "vars": [ { "name": "condition", "type": "text", "title": "Condition", "description": "Condition to filter when to apply this input. Refer to\n[Host provider](https://www.elastic.co/guide/en/fleet/current/host-provider.html)\nto find the available keys and to\n[Conditions](https://www.elastic.co/guide/en/fleet/current/dynamic-input-configuration.html#conditions)\non how to use the available keys in conditions. It defaults to\n'${host.os_version} == \"12 (bookworm)\" or (${host.os_platform} == \"amzn\" and ${host.os_version} == \"2023\") or (${host.os_platform} == \"sles\" and startsWith(${host.os_version}, \"15\") == true)'\n", "multi": false, "required": false, "show_user": true, "default": "${host.os_version} == \"12 (bookworm)\" or (${host.os_platform} == \"amzn\" and ${host.os_version} == \"2023\") or (${host.os_platform} == \"sles\" and startsWith(${host.os_version}, \"15\") == true)" } ], "title": "Collect logs from System instances using Journald", "description": "Collecting System auth and syslog logs using Journald" }, { "type": "winlog", "title": "Collect events from the Windows event log", "description": "Collecting events from Windows event log" }, { "type": "system/metrics", "vars": [ { "name": "system.hostfs", "type": "text", "title": "Proc Filesystem Directory", "description": "The proc filesystem base directory.", "multi": false, "required": false, "show_user": true } ], "title": "Collect metrics from System instances", "description": "Collecting System core, CPU, diskio, entropy, filesystem, fsstat, load, memory, network, Network Summary, process, Process Summary, raid, service, socket, Socket Summary, uptime and users metrics" } ], "multiple": true } ], "data_streams": [ { "type": "logs", "dataset": "system.application", "title": "Windows Application Events", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "winlog", "vars": [ { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original XML event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "event_id", "type": "text", "title": "Event ID", "description": "A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 clauses, lower in some situations. See integration documentation for more details.", "multi": false, "required": false, "show_user": false }, { "name": "ignore_older", "type": "text", "title": "Ignore events older than", "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".", "multi": false, "required": false, "show_user": false, "default": "72h" }, { "name": "language", "type": "text", "title": "Language ID", "description": "The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US", "multi": false, "required": false, "show_user": false, "default": 0 }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false }, { "name": "custom", "type": "yaml", "title": "Custom Configurations", "description": "YAML configuration options for winlog input. Be careful, this may break the integration.", "multi": false, "required": false, "show_user": false, "default": "# Winlog configuration example\n#batch_read_size: 100" } ], "template_path": "winlog.yml.hbs", "title": "Application", "description": "Collect Windows application logs", "enabled": true, "ingestion_method": "API" } ], "package": "system", "path": "application" }, { "type": "logs", "dataset": "system.auth", "title": "System auth logs", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "logfile", "vars": [ { "name": "ignore_older", "type": "text", "title": "Ignore events older than", "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".", "multi": false, "required": false, "show_user": false, "default": "72h" }, { "name": "paths", "type": "text", "title": "Paths", "multi": true, "required": true, "show_user": true, "default": [ "/var/log/auth.log*", "/var/log/secure*" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": false, "show_user": false, "default": [ "system-auth" ] }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n", "multi": false, "required": false, "show_user": false } ], "template_path": "log.yml.hbs", "title": "System auth logs (log)", "description": "Collect System auth logs using log input", "enabled": true, "ingestion_method": "File" }, { "input": "journald", "vars": [ { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "paths", "type": "text", "title": "Journal paths", "description": "List of journals to read from. Defaults to the system journal.\n", "multi": true, "required": false, "show_user": false }, { "name": "include_matches", "type": "text", "title": "Include Matches", "description": "A list of filter expressions used to select the logs to read (e.g. `_SYSTEMD_UNIT=vault.service`). Defaults to all logs. See [include_matches](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-journald.html#filebeat-input-journald-include-matches) for details. The logs are already filtered by the following syslog facilities: 4, 10, so any filter added here will be added to this existing filter.\n", "multi": true, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n", "multi": false, "required": false, "show_user": false }, { "name": "tags", "type": "text", "title": "Tags", "description": "Tags to include in the published event.\n", "multi": true, "required": false, "show_user": false } ], "template_path": "journald.yml.hbs", "title": "System auth logs (journald)", "description": "Collect System auth logs using journald input", "enabled": true, "ingestion_method": "journald" } ], "package": "system", "agent": { "privileges": { "root": true } }, "path": "auth" }, { "type": "metrics", "dataset": "system.core", "title": "System core metrics", "release": "ga", "streams": [ { "input": "system/metrics", "vars": [ { "name": "period", "type": "text", "title": "Period", "multi": false, "required": true, "show_user": true, "default": "10s" }, { "name": "core.metrics", "type": "text", "title": "Core Metrics", "description": "How to report core metrics. Can be \"percentages\" or \"ticks\"\n", "multi": true, "required": true, "show_user": true, "default": [ "percentages" ] }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false }, { "name": "use_performance_counters", "type": "bool", "title": "Use performance counters", "description": "This option enables the use of performance counters to collect data. You should use this option if running agent on Windows machines with more than 64 cores", "multi": false, "required": false, "show_user": false, "default": false } ], "template_path": "stream.yml.hbs", "title": "System core metrics", "description": "Collect System core metrics", "enabled": false, "ingestion_method": "File" } ], "package": "system", "elasticsearch": {}, "path": "core" }, { "type": "metrics", "dataset": "system.cpu", "title": "System cpu metrics", "release": "ga", "streams": [ { "input": "system/metrics", "vars": [ { "name": "period", "type": "text", "title": "Period", "multi": false, "required": true, "show_user": true, "default": "10s" }, { "name": "cpu.metrics", "type": "text", "title": "Cpu Metrics", "description": "How to report CPU metrics. Can be \"percentages\", \"normalized_percentages\", or \"ticks\"\n", "multi": true, "required": true, "show_user": true, "default": [ "percentages", "normalized_percentages" ] }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false }, { "name": "use_performance_counters", "type": "bool", "title": "Use performance counters", "description": "This option enables the use of performance counters to collect data. You should use this option if running agent on Windows machines with more than 64 cores", "multi": false, "required": false, "show_user": false, "default": false } ], "template_path": "stream.yml.hbs", "title": "System cpu metrics", "description": "Collect System cpu metrics", "enabled": true, "ingestion_method": "File" } ], "package": "system", "elasticsearch": {}, "path": "cpu" }, { "type": "metrics", "dataset": "system.diskio", "title": "System diskio metrics", "release": "ga", "streams": [ { "input": "system/metrics", "vars": [ { "name": "period", "type": "text", "title": "Period", "multi": false, "required": true, "show_user": true, "default": "10s" }, { "name": "diskio.include_devices", "type": "text", "title": "Include Devices", "description": "Provide a specific list of devices to monitor. By default, all devices are monitored.\n", "multi": true, "required": false, "show_user": true }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "stream.yml.hbs", "title": "System diskio metrics", "description": "Collect System diskio metrics", "enabled": true, "ingestion_method": "File" } ], "package": "system", "elasticsearch": {}, "agent": { "privileges": { "root": true } }, "path": "diskio" }, { "type": "metrics", "dataset": "system.filesystem", "title": "System filesystem metrics", "release": "ga", "streams": [ { "input": "system/metrics", "vars": [ { "name": "period", "type": "text", "title": "Period", "multi": false, "required": true, "show_user": true, "default": "1m" }, { "name": "filesystem.ignore_types", "type": "text", "title": "List of filesystem types to ignore", "description": "The filesystem datastream will ignore any filesystems with a matching type as specified here. By default, this will exclude any filesystems marked as \"nodev\" in /proc/filesystems on linux.\n", "multi": true, "required": false, "show_user": true }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata.\n", "multi": false, "required": true, "show_user": false, "default": "- drop_event.when.regexp:\n system.filesystem.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)\n" } ], "template_path": "stream.yml.hbs", "title": "System filesystem metrics", "description": "Collect System filesystem metrics", "enabled": true, "ingestion_method": "File" } ], "package": "system", "elasticsearch": {}, "path": "filesystem" }, { "type": "metrics", "dataset": "system.fsstat", "title": "System fsstat metrics", "release": "ga", "streams": [ { "input": "system/metrics", "vars": [ { "name": "period", "type": "text", "title": "Period", "multi": false, "required": true, "show_user": true, "default": "1m" }, { "name": "filesystem.ignore_types", "type": "text", "title": "Filesystem types to ignore", "description": "Specifies filesystem types that should be ignored. By default, it filters out filesystems marked as \"nodev\" in `/proc/filesystems` on Linux systems.\n", "multi": true, "required": false, "show_user": true }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with external metadata.\n", "multi": false, "required": true, "show_user": true, "default": "- drop_event.when.regexp:\n system.fsstat.mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib|snap)($|/)\n" } ], "template_path": "stream.yml.hbs", "title": "System fsstat metrics", "description": "Collect System fsstat metrics", "enabled": true, "ingestion_method": "File" } ], "package": "system", "elasticsearch": {}, "path": "fsstat" }, { "type": "metrics", "dataset": "system.load", "title": "System load metrics", "release": "ga", "streams": [ { "input": "system/metrics", "vars": [ { "name": "period", "type": "text", "title": "Period", "multi": false, "required": true, "show_user": true, "default": "10s" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "stream.yml.hbs", "title": "System load metrics", "description": "Collect System load metrics", "enabled": true, "ingestion_method": "File" } ], "package": "system", "elasticsearch": {}, "path": "load" }, { "type": "metrics", "dataset": "system.memory", "title": "System memory metrics", "release": "ga", "streams": [ { "input": "system/metrics", "vars": [ { "name": "period", "type": "text", "title": "Period", "multi": false, "required": true, "show_user": true, "default": "10s" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "stream.yml.hbs", "title": "System memory metrics", "description": "Collect System memory metrics", "enabled": true, "ingestion_method": "File" } ], "package": "system", "elasticsearch": {}, "path": "memory" }, { "type": "metrics", "dataset": "system.network", "title": "System network metrics", "release": "ga", "streams": [ { "input": "system/metrics", "vars": [ { "name": "period", "type": "text", "title": "Period", "multi": false, "required": true, "show_user": true, "default": "10s" }, { "name": "network.interfaces", "type": "text", "title": "Interfaces", "description": "List of interfaces to monitor. Will monitor all by default.\n", "multi": true, "required": false, "show_user": true }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "stream.yml.hbs", "title": "System network metrics", "description": "Collect System network metrics", "enabled": true, "ingestion_method": "File" } ], "package": "system", "elasticsearch": {}, "path": "network" }, { "type": "metrics", "dataset": "system.process", "title": "System process metrics", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "system/metrics", "vars": [ { "name": "period", "type": "text", "title": "Period", "multi": false, "required": true, "show_user": true, "default": "10s" }, { "name": "process.include_top_n.by_cpu", "type": "integer", "title": "Process Include Top N By Cpu", "description": "Include the top N processes by CPU usage.\n", "multi": false, "required": true, "show_user": true, "default": 5 }, { "name": "process.include_top_n.by_memory", "type": "integer", "title": "Process Include Top N By Memory", "description": "Include the top N processes by memory usage.\n", "multi": false, "required": true, "show_user": true, "default": 5 }, { "name": "process.cmdline.cache.enabled", "type": "bool", "title": "Enable cmdline cache", "description": "If false, cmdline of a process is not cached.\n", "multi": false, "required": false, "show_user": true, "default": true }, { "name": "process.cgroups.enabled", "type": "bool", "title": "Enable cgroup reporting", "description": "Enable collection of cgroup metrics from processes on Linux.\n", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "process.env.whitelist", "type": "text", "title": "Env whitelist", "description": "A list of regular expressions used to whitelist environment variables reported with the process metricset's events. Defaults to empty.\n", "multi": true, "required": false, "show_user": true }, { "name": "process.include_cpu_ticks", "type": "bool", "title": "Include CPU Ticks", "description": "Include the cumulative CPU tick values with the process metrics.\n", "multi": false, "required": false, "show_user": true, "default": false }, { "name": "degrade_on_partial", "type": "bool", "title": "Mark system/metrics as degraded when partial metrics are encountered", "description": "When running in unprivileged mode, the `process` and `process_summary` metricsets might emit incomplete metrics because some metrics require elevated privileges and may be missing as a result.\nTo help identify potential permission-related issues, you can enable this configuration option. If providing the necessary access is not possible, disabling this option will ensure that the metricsets remain healthy and functional.\n", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "processes", "type": "text", "title": "Processes", "description": "A glob to match reported processes. By default all processes are reported.\n", "multi": true, "required": true, "show_user": true, "default": [ ".*" ] }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "stream.yml.hbs", "title": "System process metrics", "description": "Collect System process metrics", "enabled": true, "ingestion_method": "File" } ], "package": "system", "elasticsearch": { "ingest_pipeline.name": "default" }, "path": "process" }, { "type": "metrics", "dataset": "system.process.summary", "title": "System process_summary metrics", "release": "ga", "streams": [ { "input": "system/metrics", "vars": [ { "name": "period", "type": "text", "title": "Period", "multi": false, "required": true, "show_user": true, "default": "10s" }, { "name": "degrade_on_partial", "type": "bool", "title": "Mark system/metrics as degraded when partial metrics are encountered", "description": "When running in unprivileged mode, the `process` and `process_summary` metricsets might emit incomplete metrics because some metrics require elevated privileges and may be missing as a result.\nTo help identify potential permission-related issues, you can enable this configuration option. If providing the necessary access is not possible, disabling this option will ensure that the metricsets remain healthy and functional.\n", "multi": false, "required": false, "show_user": false, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "stream.yml.hbs", "title": "System process_summary metrics", "description": "Collect System process_summary metrics", "enabled": true, "ingestion_method": "File" } ], "package": "system", "elasticsearch": {}, "path": "process_summary" }, { "type": "logs", "dataset": "system.security", "title": "Security logs", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "winlog", "vars": [ { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original XML event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "event_id", "type": "text", "title": "Event ID", "description": "A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 clauses, lower in some situations. See integration documentation for more details.", "multi": false, "required": false, "show_user": false }, { "name": "ignore_older", "type": "text", "title": "Ignore events older than", "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".", "multi": false, "required": false, "show_user": false, "default": "72h" }, { "name": "language", "type": "text", "title": "Language ID", "description": "The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US", "multi": false, "required": false, "show_user": false, "default": 0 }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false }, { "name": "custom", "type": "yaml", "title": "Custom Configurations", "description": "YAML configuration options for winlog input. Be careful, this may break the integration.", "multi": false, "required": false, "show_user": false, "default": "# Winlog configuration example\n#batch_read_size: 100" } ], "template_path": "winlog.yml.hbs", "title": "Security", "description": "Security channel", "enabled": true, "ingestion_method": "API" } ], "package": "system", "path": "security" }, { "type": "metrics", "dataset": "system.socket_summary", "title": "System socket_summary metrics", "release": "ga", "streams": [ { "input": "system/metrics", "vars": [ { "name": "period", "type": "text", "title": "Period", "multi": false, "required": true, "show_user": true, "default": "10s" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "stream.yml.hbs", "title": "System socket_summary metrics", "description": "Collect System socket_summary metrics", "enabled": true, "ingestion_method": "File" } ], "package": "system", "elasticsearch": {}, "path": "socket_summary" }, { "type": "logs", "dataset": "system.syslog", "title": "System syslog logs", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "logfile", "vars": [ { "name": "paths", "type": "text", "title": "Paths", "multi": true, "required": true, "show_user": true, "default": [ "/var/log/messages*", "/var/log/syslog*", "/var/log/system*" ] }, { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false }, { "name": "ignore_older", "type": "text", "title": "Ignore events older than", "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".", "multi": false, "required": false, "show_user": false, "default": "72h" }, { "name": "exclude_files", "type": "text", "title": "Exclude files", "description": "Regular expression patterns in [RE2 syntax](https://github.com/google/re2/wiki/Syntax) matching files to exclude from input. See [exclude_files](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-log.html#filebeat-input-log-exclude-files) for details.", "multi": true, "required": false, "show_user": false, "default": [ "\\.gz$" ] } ], "template_path": "log.yml.hbs", "title": "System syslog logs (log)", "description": "Collect System syslog logs using log input", "enabled": true, "ingestion_method": "File" }, { "input": "journald", "vars": [ { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original event, added to the field `event.original`.", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "paths", "type": "text", "title": "Journal paths", "description": "List of journals to read from. Defaults to the system journal.\n", "multi": true, "required": false, "show_user": false }, { "name": "include_matches", "type": "text", "title": "Include Matches", "description": "A list of filter expressions used to select the logs to read (e.g. `_SYSTEMD_UNIT=vault.service`). Defaults to all logs. See [include_matches](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-journald.html#filebeat-input-journald-include-matches) for details. The logs are already filtered by the following syslog facilities: 0, 1, 2, 3, 5, 6, 7, 8, 9, 11, 12, 15, so any filter added here will be added to this existing filter.\n", "multi": true, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n", "multi": false, "required": false, "show_user": false }, { "name": "tags", "type": "text", "title": "Tags", "description": "Tags to include in the published event.\n", "multi": true, "required": false, "show_user": false } ], "template_path": "journald.yml.hbs", "title": "System syslog logs (journald)", "description": "Collect System syslog logs using journald input", "enabled": true, "ingestion_method": "journald" } ], "package": "system", "agent": { "privileges": { "root": true } }, "path": "syslog" }, { "type": "logs", "dataset": "system.system", "title": "Windows System Events", "release": "ga", "ingest_pipeline": "default", "streams": [ { "input": "winlog", "vars": [ { "name": "preserve_original_event", "type": "bool", "title": "Preserve original event", "description": "Preserves a raw copy of the original XML event, added to the field `event.original`", "multi": false, "required": true, "show_user": true, "default": false }, { "name": "event_id", "type": "text", "title": "Event ID", "description": "A list of included and excluded (blocked) event IDs. The value is a comma-separated list. The accepted values are single event IDs to include (e.g. 4624), a range of event IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). Limit 22 clauses, lower in some situations. See integration documentation for more details.", "multi": false, "required": false, "show_user": false }, { "name": "ignore_older", "type": "text", "title": "Ignore events older than", "description": "If this option is specified, events that are older than the specified amount of time are ignored. Valid time units are \"ns\", \"us\" (or \"µs\"), \"ms\", \"s\", \"m\", \"h\".", "multi": false, "required": false, "show_user": false, "default": "72h" }, { "name": "language", "type": "text", "title": "Language ID", "description": "The language ID the events will be rendered in. The language will be forced regardless of the system language. A complete list of language IDs can be found https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here]. It defaults to `0`, which indicates to use the system language. E.g.: 0x0409 for en-US", "multi": false, "required": false, "show_user": false, "default": 0 }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false }, { "name": "custom", "type": "yaml", "title": "Custom Configurations", "description": "YAML configuration options for winlog input. Be careful, this may break the integration.", "multi": false, "required": false, "show_user": false, "default": "# Winlog configuration example\n#batch_read_size: 100" } ], "template_path": "winlog.yml.hbs", "title": "System", "description": "Collect Windows system logs", "enabled": true, "ingestion_method": "API" } ], "package": "system", "path": "system" }, { "type": "metrics", "dataset": "system.uptime", "title": "System uptime metrics", "release": "ga", "streams": [ { "input": "system/metrics", "vars": [ { "name": "period", "type": "text", "title": "Period", "multi": false, "required": true, "show_user": true, "default": "10s" }, { "name": "tags", "type": "text", "title": "Tags", "multi": true, "required": false, "show_user": false }, { "name": "processors", "type": "yaml", "title": "Processors", "description": "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.", "multi": false, "required": false, "show_user": false } ], "template_path": "stream.yml.hbs", "title": "System uptime metrics", "description": "Collect System uptime metrics", "enabled": true, "ingestion_method": "File" } ], "package": "system", "elasticsearch": {}, "path": "uptime" } ] }