How does elastic agent configure filebeat

Hi,
I've installed an agent and added a custom log integration to the policy. It's working but I'm wondering if there's some documentation which tells me:
How does the agent configure filebeat? I searched in the filesystem for a configuration file but couldn't find one with my settings. So how does filebeat know that it needs to read an additional file?

Are you using Fleet to manage your agents, right?

This is all done by Fleet: it will create the configuration needed for each input, then send it to the agent. The configuration is stored encrypted in the agent data path.

Yes, I'm using Fleet.
But how does filebeat get the configuration? Is it able to read this encrypted data?

This is done by the Elastic Agent binary. I don't think this is documented, but basically the Elastic Agent will receive the integrations from Fleet and will start the necessary inputs. Depending on the integration, it may start a filebeat process, or a packetbeat process, or a metricbeat process; it depends on the integration.

I could see the processes that were started by the Elastic Agent and I understand that the Elastic Agent gets its config from Fleet. But how does filebeat get its config from the Elastic Agent? Using a config-file?

/opt/Elastic/Agent/data/elastic-agent-8d7885/install/filebeat-8.4.1-linux-x86_64/filebeat -E setup.ilm.enabled=false -E setup.template.enabled=false -E management.enabled=true -E logging.level=debug -E gc_percent=${FILEBEAT_GOGC:100} -E filebeat.config.modules.enabled=false -E logging.level=info -E http.enabled=true -E http.host=unix:///opt/Elastic/Agent/data/tmp/default/filebeat/filebeat.sock -E logging.files.path=/opt/Elastic/Agent/data/elastic-agent-8d7885/logs/default -E logging.files.name=filebeat -E logging.files.keepfiles=7 -E logging.files.permission=0640 -E logging.files.interval=1h -E path.data=/opt/Elastic/Agent/data/elastic-agent-8d7885/run/default/filebeat--8.4.1

There's nothing like a -c option to point to a config file or so.

This is not documented. You would need to see if someone from Elastic answers this, or look at the Elastic Agent code to try to understand.

But I wouldn't expect the filebeat, or any other beat, process started by the Elastic Agent to behave the same way as a standalone beat, so you may not need the -c option because the configuration may be passed to the filebeat sub-process in another way.

Hi @mbby (and Hi @leandrojmp)

@mbby I am trying to understand what you are trying to accomplish, understand or correct.

Yes, in general, Elastic Agent shares similarities/code with filebeat (and other beats), but there has been significant work under the covers on how integrations are configured, loaded, executed, etc. in Elastic Agent.

So no, there is no direct one-to-one mapping on how beats/modules are configured and executed.

That said, many of the configuration settings are the same etc.

If you want to learn more about how the Agent works / see what is going on, I would look at the Elastic Agent commands.

In particular, elastic-agent inspect

There is also a troubleshooting section that can provide insight into what is being configured, etc.

Hi Stephen,
It looks like the Elastic Agent is spinning up a filebeat process. But how does filebeat get its config from the Elastic Agent?

Hi @mbby

Again, I'll ask you what you're actually trying to understand/accomplish?

If you want to understand the actual process, you're going to need to look at the code. All of our code is open and you can see it.

It's a multi-step process. I gave you the command so that you can inspect and see what's actually passed to. It's not just as simple as copying a file. The config gets generated from several components, comes down through the network and then through memory, and eventually gets persisted, I believe.

Ah. Thanks. This answers my question.
Will have a look at the command and the code today.
