I was wondering if it is possible to have a conf.d type folder for filebeat to create multiple input items. I know I can list them all in filebeat.yml but that isn't preferable. I also don't think it makes sense to use a module like syslog if they are application logs. If someone wants to correct me, feel free to.
I don't know if this works before 6.4.x, but in the latest versions you can put the following in filebeat.yml:
filebeat.config:
  inputs:
    enabled: true
    path: inputs.d/*.yml
    reload.enabled: true
    reload.period: 10s

And then have multiple files under inputs.d like this:

/etc
|- filebeat
   |- inputs.d
      |- log_mailoney.yml
      |- log_snort.yml
      |- log_suricata_eve.yml

The contents of the files in inputs.d can be as simple as this:

# Suricata EVE JSON Logs
- type: log
  enabled: true
  paths:
    - /var/log/suricata/eve.json
  fields:
    event.type: suricata_eve
  fields_under_root: true
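An added example, not part of the thread and not Filebeat tooling: with reload.enabled: true, any file that appears under inputs.d is picked up within the reload period, so write access to that directory decides what Filebeat ships. The sketch below audits the directory for group/world-writable entries, unexpected owners and symlinks; the function name audit_inputs_dir and its OWNER argument are hypothetical.

```shell
#!/bin/sh
# Added example: audit the directory Filebeat reloads inputs from.
# audit_inputs_dir and its arguments are hypothetical names, not Filebeat tooling.

# usage: audit_inputs_dir DIR [OWNER]   (OWNER is a user name or numeric uid)
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 if DIR is missing.
audit_inputs_dir() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || { echo "missing-dir: $dir"; return 2; }

    findings=$(
        # A group/world-writable directory lets other users drop in new input files.
        find "$dir" -prune \( -perm -020 -o -perm -002 \) \
            -exec printf 'writable-dir: %s\n' {} \;
        find "$dir" -prune ! -user "$owner" \
            -exec printf 'wrong-owner: %s\n' {} \;

        # Same glob as "path: inputs.d/*.yml" in the post above.
        for f in "$dir"/*.yml; do
            [ -e "$f" ] || [ -L "$f" ] || continue
            if [ -L "$f" ]; then
                # The link target may live somewhere with weaker permissions.
                printf 'symlink: %s\n' "$f"
                continue
            fi
            find "$f" -prune \( -perm -020 -o -perm -002 \) \
                -exec printf 'writable-file: %s\n' {} \;
            find "$f" -prune ! -user "$owner" \
                -exec printf 'wrong-owner: %s\n' {} \;
        done
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

For the layout shown above, it would be called as audit_inputs_dir /etc/filebeat/inputs.d, with OWNER set to the account Filebeat runs as if that is not root.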
How did I miss this? Thanks, this solves my issue!
Just wanted to add that loading external config files has been supported for quite a while (see the docs), but it looks like we never updated the docs to show path: inputs.d/*.yml instead of path: configs/*.yml. I'll update the docs so the config example matches what people expect. Thanks!
Thanks a bunch!!