#jinja2: lstrip_blocks: "True" # https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-reference-yml.html filebeat.modules: - module: system syslog: enabled: true auth: enabled: true {% if filebeat_postgres_enabled | default(false) %} - module: postgresql log: enabled: true {% endif %} {% if filebeat_maria_enabled | default(false) %} - module: mysql error: enabled: true slowlog: enabled: true {% endif -%} {% if filebeat_inputs is defined %} filebeat.inputs: {% for filebeat_input in filebeat_inputs %} - type: {{ filebeat_input.type }} paths: {% for path in filebeat_input.paths %} - {{ path }} {% endfor %} {%+ if filebeat_input.fields is defined -%} fields: {% for field in filebeat_input.fields %} {{ field }}: {{ filebeat_input.fields[field] }} {% endfor %} {% endif %} {% endfor %} {% endif %} {% if docker_enabled | default(true) %} filebeat.autodiscover: providers: - type: docker hints.enabled: true templates: - condition: contains: docker.container.image: smardigo config: - type: container paths: - /var/lib/docker/containers/${data.docker.container.id}/*.log multiline.pattern: '^{|^[0-9]{4}-[0-9]{2}-[0-9]{2}' multiline.negate: true multiline.match: after {% endif %} fields: stage: {{ stage }} hostname: {{ inventory_hostname }} {% if pass_tenant_id is defined | default(false) %} pass_tenant_id: {{ pass_tenant_id }} {% endif %} # reducing network traffic by removing unused fields # avoiding docker.container.labels with [] crashing logstash processors: - drop_fields: fields: - agent - container.id - docker - ecs - host - log - stream ignore_missing: yes output.logstash: hosts: ["{{ shared_service_elastic_stack_logstash_01_hostname }}:5044"] ssl: certificate_authorities: - /usr/share/filebeat/config/certificates/ca/ca.crt certificate: /usr/share/filebeat/config/certificates/{{ filebeat_certificate }}/{{ filebeat_certificate }}.crt key: /usr/share/filebeat/config/certificates/{{ filebeat_certificate }}/{{ filebeat_certificate }}.key