Can someone explain Beats Architecture?

cmpsoares · October 25, 2017, 1:21pm

Hello,

We're analysing the Beats for custom beat developments, and I was wondering if someone can explain the architecture under the hood?

I remember to see a diagram of it (from an old version) but was not able to find it anymore and imagine it changed significantly.

Thank you very much.

Best regards,
Carlos SOARES.

steffens · October 25, 2017, 1:46pm

For 5.x releases have a look at this talk.

cmpsoares · October 26, 2017, 4:44pm

Hello,

Thank you very much!
Are there already some resources available for version 6.X?

Best regards,
Carlos SOARES.

steffens · October 27, 2017, 1:03pm

No resources for 6.0 yet. Architecture is mostly the same (libbeat diagram is pretty high level ). Some common functionality has been moved to libbeat + output interfaces have been updated/simplified (somewhat internal API).

filebeat removes spooler + publisher workers (filebeat publishing has become async, making use of spooling/buffering in libbeat itself) -> libbeat notifies the registrar
winlogbeat 6.0 uses async publishing pipeline -> libbeat notifies registrar
no 'big' changes in metricbeat/haertbeat. Auditbeat uses metricbeat as framework
packetbeat no real change (I think flows publisher worker has been removed)

system · November 24, 2017, 1:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.