From e142ceabf2154c97e7cb7c6b6708ad5e2ae94e01 Mon Sep 17 00:00:00 2001 
From: DeDe Morton
Date: Mon, 2 Mar 2020 11:19:13 -0800
Subject: [PATCH] [7.6][docs] Backport: Restructure module docs (#16571) (#16712)
---
filebeat/docs/include/gs-link.asciidoc | 2 +
filebeat/docs/modules/activemq.asciidoc | 4 +-
filebeat/docs/modules/apache.asciidoc | 20 ++--
filebeat/docs/modules/auditd.asciidoc | 24 ++---
filebeat/docs/modules/aws.asciidoc | 2 +
filebeat/docs/modules/azure.asciidoc | 26 +++---
filebeat/docs/modules/cef.asciidoc | 2 +-
filebeat/docs/modules/cisco.asciidoc | 18 ++--
filebeat/docs/modules/coredns.asciidoc | 18 +++-
filebeat/docs/modules/elasticsearch.asciidoc | 6 +-
filebeat/docs/modules/envoyproxy.asciidoc | 4 +-
filebeat/docs/modules/googlecloud.asciidoc | 2 +-
filebeat/docs/modules/haproxy.asciidoc | 22 ++---
filebeat/docs/modules/ibmmq.asciidoc | 23 +++--
filebeat/docs/modules/icinga.asciidoc | 20 ++--
filebeat/docs/modules/iis.asciidoc | 20 ++--
filebeat/docs/modules/iptables.asciidoc | 30 +++---
filebeat/docs/modules/kafka.asciidoc | 20 ++--
filebeat/docs/modules/kibana.asciidoc | 5 +-
filebeat/docs/modules/logstash.asciidoc | 26 +++---
filebeat/docs/modules/misp.asciidoc | 2 +
filebeat/docs/modules/mongodb.asciidoc | 20 ++--
filebeat/docs/modules/mssql.asciidoc | 6 +-
filebeat/docs/modules/mysql.asciidoc | 20 ++--
filebeat/docs/modules/nats.asciidoc | 20 ++--
filebeat/docs/modules/netflow.asciidoc | 2 +-
filebeat/docs/modules/nginx.asciidoc | 20 ++--
filebeat/docs/modules/osquery.asciidoc | 22 +++--
filebeat/docs/modules/panw.asciidoc | 92 +++++++++----------
filebeat/docs/modules/postgresql.asciidoc | 33 ++++---
filebeat/docs/modules/rabbitmq.asciidoc | 4 +-
filebeat/docs/modules/redis.asciidoc | 20 ++--
filebeat/docs/modules/santa.asciidoc | 22 ++---
filebeat/docs/modules/suricata.asciidoc | 20 ++--
filebeat/docs/modules/system.asciidoc | 20 ++--
filebeat/docs/modules/traefik.asciidoc | 22 ++---
filebeat/docs/modules/zeek.asciidoc | 2 +
filebeat/module/apache/_meta/docs.asciidoc | 20 ++--
filebeat/module/auditd/_meta/docs.asciidoc | 24 ++---
.../module/elasticsearch/_meta/docs.asciidoc | 6 +-
filebeat/module/haproxy/_meta/docs.asciidoc | 22 ++---
filebeat/module/icinga/_meta/docs.asciidoc | 20 ++--
filebeat/module/iis/_meta/docs.asciidoc | 20 ++--
filebeat/module/kafka/_meta/docs.asciidoc | 20 ++--
filebeat/module/kibana/_meta/docs.asciidoc | 5 +-
filebeat/module/logstash/_meta/docs.asciidoc | 26 +++---
filebeat/module/mongodb/_meta/docs.asciidoc | 20 ++--
filebeat/module/mysql/_meta/docs.asciidoc | 20 ++--
filebeat/module/nats/_meta/docs.asciidoc | 20 ++--
filebeat/module/nginx/_meta/docs.asciidoc | 20 ++--
filebeat/module/osquery/_meta/docs.asciidoc | 22 +++--
.../module/postgresql/_meta/docs.asciidoc | 33 ++++---
filebeat/module/redis/_meta/docs.asciidoc | 20 ++--
filebeat/module/santa/_meta/docs.asciidoc | 22 ++---
filebeat/module/system/_meta/docs.asciidoc | 20 ++--
filebeat/module/traefik/_meta/docs.asciidoc | 22 ++---
filebeat/scripts/module/_meta/docs.asciidoc | 21 ++---
.../template-test-module/_meta/docs.asciidoc | 21 ++---
.../module/activemq/_meta/docs.asciidoc | 4 +-
.../filebeat/module/aws/_meta/docs.asciidoc | 2 +
.../filebeat/module/azure/_meta/docs.asciidoc | 26 +++---
.../filebeat/module/cef/_meta/docs.asciidoc | 2 +-
.../filebeat/module/cisco/_meta/docs.asciidoc | 18 ++--
.../module/coredns/_meta/docs.asciidoc | 18 +++-
.../module/envoyproxy/_meta/docs.asciidoc | 4 +-
.../module/googlecloud/_meta/docs.asciidoc | 2 +-
.../filebeat/module/ibmmq/_meta/docs.asciidoc | 23 +++--
.../module/iptables/_meta/docs.asciidoc | 30 +++---
.../filebeat/module/misp/_meta/docs.asciidoc | 2 +
.../filebeat/module/mssql/_meta/docs.asciidoc | 6 +-
.../module/netflow/_meta/docs.asciidoc | 2 +-
.../filebeat/module/panw/_meta/docs.asciidoc | 92 +++++++++----------
.../module/rabbitmq/_meta/docs.asciidoc | 4 +-
.../module/suricata/_meta/docs.asciidoc | 20 ++--
.../filebeat/module/zeek/_meta/docs.asciidoc | 2 +
75 files changed, 670 insertions(+), 652
deletions(-) create mode 100644 filebeat/docs/include/gs-link.asciidoc diff --git a/filebeat/docs/include/gs-link.asciidoc b/filebeat/docs/include/gs-link.asciidoc new file mode 100644 index 000000000000..38b22e54a5de --- /dev/null +++ b/filebeat/docs/include/gs-link.asciidoc @@ -0,0 +1,2 @@ +TIP: Read the <> to learn how to set up and +run modules. \ No newline at end of file diff --git a/filebeat/docs/modules/activemq.asciidoc b/filebeat/docs/modules/activemq.asciidoc index 1a6af0771596..1fffb68c2d9b 100644 --- a/filebeat/docs/modules/activemq.asciidoc +++ b/filebeat/docs/modules/activemq.asciidoc @@ -16,13 +16,13 @@ This module parses Apache ActiveMQ logs. It supports application and audit logs. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility The module has been tested with ActiveMQ 5.13.0 and 5.15.9. Other versions are expected to work. -include::../include/running-modules.asciidoc[] - include::../include/configuring-intro.asciidoc[] :fileset_ex: log diff --git a/filebeat/docs/modules/apache.asciidoc b/filebeat/docs/modules/apache.asciidoc index 7a15fc611f83..351394379d20 100644 --- a/filebeat/docs/modules/apache.asciidoc +++ b/filebeat/docs/modules/apache.asciidoc @@ -13,6 +13,8 @@ https://httpd.apache.org/[Apache HTTP] server. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility @@ -21,16 +23,6 @@ The +{modulename}+ module was tested with logs from versions 2.2.22 and 2.4.23. On Windows, the module was tested with Apache HTTP Server installed from the Chocolatey repository. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with a sample dashboard. For example: - -[role="screenshot"] -image::./images/kibana-apache.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ 
@@ -86,6 +78,14 @@ Add %v config in httpd.conf in log section LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined ----- +[float] +=== Example dashboard + +This module comes with a sample dashboard. For example: + +[role="screenshot"] +image::./images/kibana-apache.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/docs/modules/auditd.asciidoc b/filebeat/docs/modules/auditd.asciidoc index 0bffbfd3844d..f24f087e514c 100644 --- a/filebeat/docs/modules/auditd.asciidoc +++ b/filebeat/docs/modules/auditd.asciidoc @@ -13,6 +13,8 @@ The +{modulename}+ module collects and parses logs from the audit daemon include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility @@ -21,18 +23,6 @@ The +{modulename}+ module was tested with logs from `auditd` on OSes like CentOS This module is not available for Windows. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with a sample dashboard showing an overview of the audit log -data. You can build more specific dashboards that are tailored to the audit -rules that you use on your systems. - -[role="screenshot"] -image::./images/kibana-audit-auditd.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ @@ -67,6 +57,16 @@ include::../include/config-option-intro.asciidoc[] include::../include/var-paths.asciidoc[] +[float] +=== Example dashboard + +This module comes with a sample dashboard showing an overview of the audit log +data. You can build more specific dashboards that are tailored to the audit +rules that you use on your systems. + +[role="screenshot"] +image::./images/kibana-audit-auditd.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/docs/modules/aws.asciidoc b/filebeat/docs/modules/aws.asciidoc index 79daf4a1865a..8efffd1fdaf4 100644 --- a/filebeat/docs/modules/aws.asciidoc 
+++ b/filebeat/docs/modules/aws.asciidoc @@ -23,6 +23,8 @@ from network interfaces in AWS VPC. ELB access logs captures detailed informatio about requests sent to the load balancer. CloudTrail logs contain events that represent actions taken by a user, role or AWS service. +include::../include/gs-link.asciidoc[] + [float] === Module configuration diff --git a/filebeat/docs/modules/azure.asciidoc b/filebeat/docs/modules/azure.asciidoc index da75817ad03b..5d52e33beace 100644 --- a/filebeat/docs/modules/azure.asciidoc +++ b/filebeat/docs/modules/azure.asciidoc @@ -8,20 +8,18 @@ This file is generated! See scripts/docs_collector.py :modulename: azure :has-dashboards: false -== azure module +== Azure module beta[] -This is the azure module. - -The azure module will concentrate on retrieving different types of log data from Azure. +The azure module retrieves different types of log data from Azure. There are several requirements before using the module since the logs will actually be read from azure event hubs. - the logs have to be exported first to the event hubs https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-create-kafka-enabled - to export activity logs to event hubs users can follow the steps here https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-export - to export audit and sign-in logs to event hubs users can follow the steps here https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub -The module will contain the following filesets: +The module contains the following filesets: `activitylogs` :: Will retrieve azure activity logs. Control-plane events on Azure Resource Manager resources. Activity logs provide insight into the operations that were performed on resources in your subscription. 
@@ -32,14 +30,6 @@ Will retrieve azure Active Directory sign-in logs. The sign-ins report provides `auditlogs` :: Will retrieve azure Active Directory audit logs. The audit logs provide traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies. -[float] -=== Dashboards - -The azure module comes with several predefined dashboards for general cloud overview, user activity and alerts. For example: - -image::./images/filebeat-azure-overview.png[] - - [float] === Module configuration @@ -100,14 +90,22 @@ The name of the storage account the state/offsets will be stored and updated. _string_ The storage account key, this key will be used to authorize access to data in your storage account. - include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility TODO: document with what versions of the software is this tested +[float] +=== Dashboards + +The azure module comes with several predefined dashboards for general cloud overview, user activity and alerts. For example: + +image::./images/filebeat-azure-overview.png[] + diff --git a/filebeat/docs/modules/cef.asciidoc b/filebeat/docs/modules/cef.asciidoc index 8d77f1478530..08b3e65481cc 100644 --- a/filebeat/docs/modules/cef.asciidoc +++ b/filebeat/docs/modules/cef.asciidoc @@ -18,7 +18,7 @@ encoded data. The decoded data is written into a `cef` object field. Lastly any Elastic Common Schema (ECS) fields that can be populated with the CEF data are populated. -include::../include/running-modules.asciidoc[] +include::../include/gs-link.asciidoc[] include::../include/configuring-intro.asciidoc[] diff --git a/filebeat/docs/modules/cisco.asciidoc b/filebeat/docs/modules/cisco.asciidoc index 571256fc3c04..b25161bd2f1b 100644 --- a/filebeat/docs/modules/cisco.asciidoc +++ b/filebeat/docs/modules/cisco.asciidoc 
@@ -36,15 +36,7 @@ Check the <> section for more information. include::../include/what-happens.asciidoc[] -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with a sample dashboard for ASA: - -[role="screenshot"] -image::./images/kibana-cisco-asa.png[] +include::../include/gs-link.asciidoc[] include::../include/configuring-intro.asciidoc[] @@ -307,6 +299,14 @@ parameters on your Elasticsearch cluster: - {ref}/modules-scripting-using.html#modules-scripting-using-caching[script.cache_max_size]: Increase to at least `200` if using both filesets or other script-heavy modules. +[float] +=== Example dashboard + +This module comes with a sample dashboard for ASA: + +[role="screenshot"] +image::./images/kibana-cisco-asa.png[] + :modulename!: diff --git a/filebeat/docs/modules/coredns.asciidoc b/filebeat/docs/modules/coredns.asciidoc index ef2aa91826d0..2977b70aef1c 100644 --- a/filebeat/docs/modules/coredns.asciidoc +++ b/filebeat/docs/modules/coredns.asciidoc @@ -13,19 +13,19 @@ This file is generated! See scripts/docs_collector.py This is a filebeat module for CoreDNS. It supports both standalone CoreDNS deployment and CoreDNS deployment in Kubernetes. +include::../include/gs-link.asciidoc[] + [float] === Compatibility Although this module has been developed against Kubernetes v1.13.x, it is expected to work with other versions of Kubernetes. -[float] -=== Example dashboard +include::../include/configuring-intro.asciidoc[] -This module comes with a sample dashboard. +:fileset_ex: log -[role="screenshot"] -image::./images/kibana-coredns.jpg[] +include::../include/config-option-intro.asciidoc[] [float] ==== `log` fileset settings @@ -47,6 +47,14 @@ include::../include/var-paths.asciidoc[] An array of tags describing the monitored CoreDNS setup. +[float] +=== Example dashboard + +This module comes with a sample dashboard. + +[role="screenshot"] +image::./images/kibana-coredns.jpg[] + [float] === Fields 
diff --git a/filebeat/docs/modules/elasticsearch.asciidoc b/filebeat/docs/modules/elasticsearch.asciidoc index 730dcd0177ab..9a0ded684d9f 100644 --- a/filebeat/docs/modules/elasticsearch.asciidoc +++ b/filebeat/docs/modules/elasticsearch.asciidoc @@ -14,15 +14,13 @@ This is the elasticsearch module. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility The Elasticsearch module is compatible with Elasticsearch 6.2 and newer. - -include::../include/running-modules.asciidoc[] - - include::../include/configuring-intro.asciidoc[] :fileset_ex: server diff --git a/filebeat/docs/modules/envoyproxy.asciidoc b/filebeat/docs/modules/envoyproxy.asciidoc index 246ffb15f3a2..3d3478c28192 100644 --- a/filebeat/docs/modules/envoyproxy.asciidoc +++ b/filebeat/docs/modules/envoyproxy.asciidoc @@ -10,7 +10,9 @@ This file is generated! See scripts/docs_collector.py == Envoyproxy Module -This is a filebeat module for Envoy proxy access log (https://www.envoyproxy.io/docs/envoy/v1.10.0/configuration/access_log). It supports both standalone deployment and Envoy proxy deployment in Kubernetes. +This is a Filebeat module for Envoy proxy access log (https://www.envoyproxy.io/docs/envoy/v1.10.0/configuration/access_log). It supports both standalone deployment and Envoy proxy deployment in Kubernetes. + +include::../include/gs-link.asciidoc[] [float] === Compatibility diff --git a/filebeat/docs/modules/googlecloud.asciidoc b/filebeat/docs/modules/googlecloud.asciidoc index 047030f1be9f..cc6e4747355e 100644 --- a/filebeat/docs/modules/googlecloud.asciidoc +++ b/filebeat/docs/modules/googlecloud.asciidoc @@ -18,7 +18,7 @@ Google Pub/Sub topic sink. include::../include/what-happens.asciidoc[] -include::../include/running-modules.asciidoc[] +include::../include/gs-link.asciidoc[] include::../include/configuring-intro.asciidoc[] 
diff --git a/filebeat/docs/modules/haproxy.asciidoc b/filebeat/docs/modules/haproxy.asciidoc index e9771af8429e..f3e185abbd5a 100644 --- a/filebeat/docs/modules/haproxy.asciidoc +++ b/filebeat/docs/modules/haproxy.asciidoc @@ -12,6 +12,8 @@ The +{modulename}+ module collects and parses logs from a (`haproxy`) process. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility @@ -19,17 +21,6 @@ The +{modulename}+ module was tested with logs from `haproxy` running on AWS Lin This module is not available for Windows. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with a sample dashboard showing geolocation, distribution of requests between backends and frontends, -and status codes over time. For example: - -[role="screenshot"] -image::./images/kibana-haproxy-overview.png[] - include::../include/configuring-intro.asciidoc[] The module is by default configured to run via syslog on port 9001. However @@ -56,6 +47,15 @@ include::../include/var-paths.asciidoc[] include::../include/timezone-support.asciidoc[] +[float] +=== Example dashboard + +This module comes with a sample dashboard showing geolocation, distribution of requests between backends and frontends, +and status codes over time. For example: + +[role="screenshot"] +image::./images/kibana-haproxy-overview.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/docs/modules/ibmmq.asciidoc b/filebeat/docs/modules/ibmmq.asciidoc index 456d03727e99..052e22848482 100644 --- a/filebeat/docs/modules/ibmmq.asciidoc +++ b/filebeat/docs/modules/ibmmq.asciidoc 
@@ -13,25 +13,15 @@ The `ibmmq` module collects and parses the queue manager error logs from IBM MQ include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility This module has been tested with IBM MQ v9.1.0.0, but it should be compatible with older versions. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with a sample dashboard. For example: - -[role="screenshot"] -image::./images/filebeat-ibmmq.png[] - - include::../include/configuring-intro.asciidoc[] - The following example shows how to set paths in the +modules.d/{modulename}.yml+ file to override the default paths for IBM MQ errorlog: @@ -42,6 +32,7 @@ file to override the default paths for IBM MQ errorlog: enabled: true var.paths: ["C:/ibmmq/logs/*.log"] ----- + :fileset_ex: errorlog include::../include/config-option-intro.asciidoc[] @@ -51,6 +42,14 @@ include::../include/config-option-intro.asciidoc[] include::../include/var-paths.asciidoc[] +[float] +=== Example dashboard + +This module comes with a sample dashboard. For example: + +[role="screenshot"] +image::./images/filebeat-ibmmq.png[] + :fileset_ex!: :modulename!: diff --git a/filebeat/docs/modules/icinga.asciidoc b/filebeat/docs/modules/icinga.asciidoc index d490f652e731..206a86cb811d 100644 --- a/filebeat/docs/modules/icinga.asciidoc +++ b/filebeat/docs/modules/icinga.asciidoc @@ -13,6 +13,8 @@ https://www.icinga.com/products/icinga-2/[Icinga]. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility 
@@ -21,16 +23,6 @@ systems. This module is not available for macOS. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with sample dashboards. For example: - -[role="screenshot"] -image::./images/kibana-icinga-main.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ @@ -81,6 +73,14 @@ include::../include/var-paths.asciidoc[] include::../include/var-paths.asciidoc[] +[float] +=== Example dashboard + +This module comes with sample dashboards. For example: + +[role="screenshot"] +image::./images/kibana-icinga-main.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/docs/modules/iis.asciidoc b/filebeat/docs/modules/iis.asciidoc index 32c7defc34e9..52fdda10a818 100644 --- a/filebeat/docs/modules/iis.asciidoc +++ b/filebeat/docs/modules/iis.asciidoc @@ -13,21 +13,13 @@ Internet Information Services (IIS) HTTP server. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility The IIS module was tested with logs from version 7.5 and version 10. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with a sample dashboard. For example: - -[role="screenshot"] -image::./images/kibana-iis.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ @@ -67,6 +59,14 @@ include::../include/var-paths.asciidoc[] include::../include/var-paths.asciidoc[] +[float] +=== Example dashboard + +This module comes with a sample dashboard. For example: + +[role="screenshot"] +image::./images/kibana-iis.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/docs/modules/iptables.asciidoc b/filebeat/docs/modules/iptables.asciidoc index c9e9714fa60b..9858d0d7fcd3 100644 --- a/filebeat/docs/modules/iptables.asciidoc +++ b/filebeat/docs/modules/iptables.asciidoc 
@@ -25,21 +25,7 @@ When you run the module, it performs a few tasks under the hood: * Deploys dashboards for visualizing the log data. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with sample dashboards showing geolocation and network -protocols used. One for all iptables logs: - -[role="screenshot"] -image::./images/kibana-iptables.png[] - -and one specific for Ubiquiti Firewall logs: - -[role="screenshot"] -image::./images/kibana-iptables-ubiquiti.png[] +include::../include/gs-link.asciidoc[] include::../include/configuring-intro.asciidoc[] @@ -77,6 +63,20 @@ NOTE: Ports below 1024 require Filebeat to run as root. include::../include/timezone-support.asciidoc[] +[float] +=== Example dashboard + +This module comes with sample dashboards showing geolocation and network +protocols used. One for all iptables logs: + +[role="screenshot"] +image::./images/kibana-iptables.png[] + +and one specific for Ubiquiti Firewall logs: + +[role="screenshot"] +image::./images/kibana-iptables-ubiquiti.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/docs/modules/kafka.asciidoc b/filebeat/docs/modules/kafka.asciidoc index f9f621067134..d9319b43b508 100644 --- a/filebeat/docs/modules/kafka.asciidoc +++ b/filebeat/docs/modules/kafka.asciidoc @@ -13,21 +13,13 @@ https://kafka.apache.org/[Kafka]. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility The +{modulename}+ module was tested with logs from versions 0.9, 1.1.0 and 2.0.0. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with a sample dashboard to see Kafka logs and stack traces. - -[role="screenshot"] -image::./images/filebeat-kafka-logs-overview.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ 
@@ -79,6 +71,14 @@ include::../include/var-paths.asciidoc[] include::../include/timezone-support.asciidoc[] +[float] +=== Example dashboard + +This module comes with a sample dashboard to see Kafka logs and stack traces. + +[role="screenshot"] +image::./images/filebeat-kafka-logs-overview.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/docs/modules/kibana.asciidoc b/filebeat/docs/modules/kibana.asciidoc index 5eb36a13fe4e..089936d60897 100644 --- a/filebeat/docs/modules/kibana.asciidoc +++ b/filebeat/docs/modules/kibana.asciidoc @@ -14,14 +14,13 @@ This is the Kibana module. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility The Kibana modules is compatible with Kibana 6.3 and newer. -include::../include/running-modules.asciidoc[] - - include::../include/configuring-intro.asciidoc[] //set the fileset name used in the included file diff --git a/filebeat/docs/modules/logstash.asciidoc b/filebeat/docs/modules/logstash.asciidoc index 8776e2d1a880..2a9ace71d1b7 100644 --- a/filebeat/docs/modules/logstash.asciidoc +++ b/filebeat/docs/modules/logstash.asciidoc @@ -13,6 +13,8 @@ and the JSON format (--log.format json). The default is the plain text format. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + The +{modulename}+ module has two filesets: * The `log` fileset collects and parses the logs that Logstash writes to disk. 
@@ -29,19 +31,6 @@ The Logstash `log` fileset was tested with logs from Logstash 5.6 and 6.0. The Logstash `slowlog` fileset was tested with logs from Logstash 5.6 and 6.0 -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboards - -This module comes with two sample dashboards. - -[role="screenshot"] -image::./images/kibana-logstash-log.png[] - -[role="screenshot"] -image::./images/kibana-logstash-slowlog.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ @@ -96,6 +85,17 @@ default is `plain`. include::../include/timezone-support.asciidoc[] +[float] +=== Example dashboards + +This module comes with two sample dashboards. + +[role="screenshot"] +image::./images/kibana-logstash-log.png[] + +[role="screenshot"] +image::./images/kibana-logstash-slowlog.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/docs/modules/misp.asciidoc b/filebeat/docs/modules/misp.asciidoc index 4460a4432564..53d44ba51376 100644 --- a/filebeat/docs/modules/misp.asciidoc +++ b/filebeat/docs/modules/misp.asciidoc @@ -19,6 +19,8 @@ The configuration in the config.yml file uses the following format: * var.api_key: specifies the API key to access MISP. * var.json_objects_array: specifies the array object in MISP response, e.g., "response.Attribute". * var.url: URL of the MISP REST API, e.g., "http://x.x.x.x/attributes/restSearch" + +include::../include/gs-link.asciidoc[] [float] === Example dashboard diff --git a/filebeat/docs/modules/mongodb.asciidoc b/filebeat/docs/modules/mongodb.asciidoc index b70cb2bf5b05..57959c74d1a5 100644 --- a/filebeat/docs/modules/mongodb.asciidoc +++ b/filebeat/docs/modules/mongodb.asciidoc 
@@ -13,21 +13,13 @@ https://www.mongodb.com/[MongoDB]. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility The +{modulename}+ module was tested with logs from versions v3.2.11 on Debian. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with one sample dashboard including error and regular logs. - -[role="screenshot"] -image::./images/filebeat-mongodb-overview.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ @@ -61,6 +53,14 @@ include::../include/config-option-intro.asciidoc[] include::../include/var-paths.asciidoc[] +[float] +=== Example dashboard + +This module comes with one sample dashboard including error and regular logs. + +[role="screenshot"] +image::./images/filebeat-mongodb-overview.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/docs/modules/mssql.asciidoc b/filebeat/docs/modules/mssql.asciidoc index 4442766a1ecc..fdcc52fd567d 100644 --- a/filebeat/docs/modules/mssql.asciidoc +++ b/filebeat/docs/modules/mssql.asciidoc @@ -12,10 +12,10 @@ The +{modulename}+ module parses error logs created by MSSQL. include::../include/what-happens.asciidoc[] -[float] -=== Compatibility +include::../include/gs-link.asciidoc[] -include::../include/running-modules.asciidoc[] +//[float] +//=== Compatibility include::../include/configuring-intro.asciidoc[] diff --git a/filebeat/docs/modules/mysql.asciidoc b/filebeat/docs/modules/mysql.asciidoc index c04f8afa0b06..5e384157f940 100644 --- a/filebeat/docs/modules/mysql.asciidoc +++ b/filebeat/docs/modules/mysql.asciidoc @@ -13,6 +13,8 @@ created by https://www.mysql.com/[MySQL]. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility 
@@ -22,16 +24,6 @@ MariaDB 10.1, 10.2 and 10.3, and Percona 5.7 and 8.0. On Windows, the module was tested with MySQL installed from the Chocolatey repository. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with a sample dashboard. For example: - -[role="screenshot"] -image::./images/kibana-mysql.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ @@ -73,6 +65,14 @@ include::../include/var-paths.asciidoc[] include::../include/var-paths.asciidoc[] +[float] +=== Example dashboard + +This module comes with a sample dashboard. For example: + +[role="screenshot"] +image::./images/kibana-mysql.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/docs/modules/nats.asciidoc b/filebeat/docs/modules/nats.asciidoc index f0e595c7c026..90fca8be1bef 100644 --- a/filebeat/docs/modules/nats.asciidoc +++ b/filebeat/docs/modules/nats.asciidoc @@ -12,22 +12,13 @@ This is the nats module. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility The +{modulename}+ module was tested with logs from version v1.4.0. - -include::../include/running-modules.asciidoc[] - -[float] -=== Dashboard - -The Nats module comes with a predefined dashboard. For example: - -image::./images/filebeat_nats_dashboard.png[] - - include::../include/configuring-intro.asciidoc[] @@ -41,6 +32,13 @@ include::../include/config-option-intro.asciidoc[] include::../include/var-paths.asciidoc[] +[float] +=== Dashboard + +The Nats module comes with a predefined dashboard. For example: + +image::./images/filebeat_nats_dashboard.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/docs/modules/netflow.asciidoc b/filebeat/docs/modules/netflow.asciidoc index f23088c70feb..016e48f3e9ef 100644 --- a/filebeat/docs/modules/netflow.asciidoc +++ b/filebeat/docs/modules/netflow.asciidoc 
@@ -18,7 +18,7 @@ This module wraps the <> to enrich the flow records with geolocation information about the IP endpoints by using Elasticsearch Ingest Node. -include::../include/running-modules.asciidoc[] +include::../include/gs-link.asciidoc[] include::../include/configuring-intro.asciidoc[] diff --git a/filebeat/docs/modules/nginx.asciidoc b/filebeat/docs/modules/nginx.asciidoc index 5e65820905b1..450832b12b72 100644 --- a/filebeat/docs/modules/nginx.asciidoc +++ b/filebeat/docs/modules/nginx.asciidoc @@ -14,6 +14,8 @@ http://nginx.org/[Nginx] HTTP server. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility @@ -22,16 +24,6 @@ The Nginx module was tested with logs from version 1.10. On Windows, the module was tested with Nginx installed from the Chocolatey repository. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with sample dashboards. For example: - -[role="screenshot"] -image::./images/kibana-nginx.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ @@ -76,6 +68,14 @@ include::../include/var-paths.asciidoc[] include::../include/timezone-support.asciidoc[] +[float] +=== Example dashboard + +This module comes with sample dashboards. For example: + +[role="screenshot"] +image::./images/kibana-nginx.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/docs/modules/osquery.asciidoc b/filebeat/docs/modules/osquery.asciidoc index b06c232c010b..eee95195a558 100644 --- a/filebeat/docs/modules/osquery.asciidoc +++ b/filebeat/docs/modules/osquery.asciidoc @@ -16,6 +16,8 @@ driver (the default). Make sure UTC timestamps are enabled. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility 
@@ -26,16 +28,6 @@ works with any version of osquery. This module is available on Linux, macOS, and Windows. -[float] -=== Example dashboard - -This module comes with a sample dashboard for visualizing the data collected by -the "compliance" pack. To collect this data, enable the `id-compliance` pack in -the osquery configuration file. - -[role="screenshot"] -image::./images/kibana-osquery-compatibility.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ @@ -74,6 +66,16 @@ setting also disables the renaming of some fields (e.g. `hostIdentifier` to `host_identifier`). Note that if you set this to false, the sample dashboards coming with this module won't work correctly. The default is true. +[float] +=== Example dashboard + +This module comes with a sample dashboard for visualizing the data collected by +the "compliance" pack. To collect this data, enable the `id-compliance` pack in +the osquery configuration file. + +[role="screenshot"] +image::./images/kibana-osquery-compatibility.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/docs/modules/panw.asciidoc b/filebeat/docs/modules/panw.asciidoc index 139300cb6065..a2cb33b4c993 100644 --- a/filebeat/docs/modules/panw.asciidoc +++ b/filebeat/docs/modules/panw.asciidoc @@ -16,6 +16,8 @@ This is a module for Palo Alto Networks PAN-OS firewall monitoring logs received over Syslog or read from a file. It currently supports messages of Traffic and Threat types. +include::../include/gs-link.asciidoc[] + [float] === Compatibility 
@@ -25,7 +27,50 @@ versions 7.1 to 9.0 but limited compatibility is expected for earlier versions. The {plugins}/ingest-geoip.html[ingest-geoip] Elasticsearch plugin is required to run this module. -include::../include/running-modules.asciidoc[] +include::../include/configuring-intro.asciidoc[] + +The module is by default configured to run via syslog on port 9001. However +it can also be configured to read logs from a file. See the following example. + +["source","yaml",subs="attributes"] +----- +- module: panw + panos: + enabled: true + var.paths: ["/var/log/pan-os.log"] + var.input: "file" +----- + +:fileset_ex: panos + +include::../include/config-option-intro.asciidoc[] + +[float] +==== `panos` fileset settings + +Example config: + +[source,yaml] +---- + panos: + var.syslog_host: 0.0.0.0 + var.syslog_port: 514 +---- + +include::../include/var-paths.asciidoc[] + +*`var.syslog_host`*:: + +The interface to listen to UDP based syslog traffic. Defaults to `localhost`. +Set to `0.0.0.0` to bind to all available interfaces. + +*`var.syslog_port`*:: + +The UDP port to listen for syslog traffic. Defaults to `9001` + +NOTE: Ports below 1024 require {beatname_uc} to run as root. + +include::../include/timezone-support.asciidoc[] [float] === ECS field mappings 
@@ -134,51 +179,6 @@ image::./images/filebeat-panw-traffic.png[] [role="screenshot"] image::./images/filebeat-panw-threat.png[] -include::../include/configuring-intro.asciidoc[] - -The module is by default configured to run via syslog on port 9001. However -it can also be configured to read logs from a file. See the following example. - -["source","yaml",subs="attributes"] ------ -- module: panw - panos: - enabled: true - var.paths: ["/var/log/pan-os.log"] - var.input: "file" ------ - -:fileset_ex: panos - -include::../include/config-option-intro.asciidoc[] - -[float] -==== `panos` fileset settings - -Example config: - -[source,yaml] ----- - panos: - var.syslog_host: 0.0.0.0 - var.syslog_port: 514 ----- - -include::../include/var-paths.asciidoc[] - -*`var.syslog_host`*:: - -The interface to listen to UDP based syslog traffic. Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The UDP port to listen for syslog traffic. Defaults to `9001` - -NOTE: Ports below 1024 require {beatname_uc} to run as root. - -include::../include/timezone-support.asciidoc[] - :has-dashboards!: :fileset_ex!: diff --git a/filebeat/docs/modules/postgresql.asciidoc b/filebeat/docs/modules/postgresql.asciidoc index d13a54d11c58..4392af35aa2d 100644 --- a/filebeat/docs/modules/postgresql.asciidoc +++ b/filebeat/docs/modules/postgresql.asciidoc 
@@ -13,29 +13,14 @@ https://www.postgresql.org/[PostgreSQL]. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility The +{modulename}+ module was tested with logs from versions 9.5 on Ubuntu and 9.6 on Debian. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboards - -This module comes with two sample dashboards. - -The first dashboard is for regular logs. - -[role="screenshot"] -image::./images/filebeat-postgresql-overview.png[] - -The second one shows the slowlogs of PostgreSQL. - -[role="screenshot"] -image::./images/filebeat-postgresql-slowlog-overview.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ @@ -69,6 +54,20 @@ include::../include/config-option-intro.asciidoc[] include::../include/var-paths.asciidoc[] +[float] +=== Example dashboards + +This module comes with two sample dashboards. + +The first dashboard is for regular logs. + +[role="screenshot"] +image::./images/filebeat-postgresql-overview.png[] + +The second one shows the slowlogs of PostgreSQL. + +[role="screenshot"] +image::./images/filebeat-postgresql-slowlog-overview.png[] :has-dashboards!: diff --git a/filebeat/docs/modules/rabbitmq.asciidoc b/filebeat/docs/modules/rabbitmq.asciidoc index df3c0e472fbe..8262be44f5f4 100644 --- a/filebeat/docs/modules/rabbitmq.asciidoc +++ b/filebeat/docs/modules/rabbitmq.asciidoc @@ -12,6 +12,8 @@ This is the module for parsing https://www.rabbitmq.com/logging.html[RabbitMQ lo include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility @@ -19,8 +21,6 @@ Parses https://www.rabbitmq.com/logging.html[single file format] introduced in 3 Tested with version 3.7.14. -include::../include/running-modules.asciidoc[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ 
diff --git a/filebeat/docs/modules/redis.asciidoc b/filebeat/docs/modules/redis.asciidoc index 8f6ce589bfb2..d5db3311e85c 100644 --- a/filebeat/docs/modules/redis.asciidoc +++ b/filebeat/docs/modules/redis.asciidoc @@ -13,6 +13,8 @@ https://redis.io/[Redis]. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + The +{modulename}+ module has two filesets: * The `log` fileset collects and parses the logs that Redis writes to disk. @@ -36,16 +38,6 @@ On Windows, the default paths assume that Redis was installed from the Chocolate The Redis `slowlog` fileset was tested with Redis 3.0.2 and 2.4.6. We expect compatibility with any Redis version newer than 2.2.12, when the SLOWLOG command was added. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with a sample dashboard. For example: - -[role="screenshot"] -image::./images/kibana-redis.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ @@ -98,6 +90,14 @@ left empty, `localhost:6379` is assumed. The password to use to connect to Redis, in case Redis authentication is enabled (the `requirepass` option in the Redis configuration). +[float] +=== Example dashboard + +This module comes with a sample dashboard. For example: + +[role="screenshot"] +image::./images/kibana-redis.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/docs/modules/santa.asciidoc b/filebeat/docs/modules/santa.asciidoc index 7f7f2594e359..73da4fe43619 100644 --- a/filebeat/docs/modules/santa.asciidoc +++ b/filebeat/docs/modules/santa.asciidoc @@ -15,6 +15,8 @@ binaries. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility 
@@ -22,17 +24,6 @@ The +{modulename}+ module was tested with logs from Santa 0.9.14. This module is available for MacOS only. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with a sample dashboard showing and overview of the processes -that are executing. - -[role="screenshot"] -image::./images/kibana-santa-log-overview.png[] - include::../include/configuring-intro.asciidoc[] The module is by default configured to read logs from `/var/log/santa.log`. @@ -56,6 +47,15 @@ include::../include/config-option-intro.asciidoc[] include::../include/var-paths.asciidoc[] +[float] +=== Example dashboard + +This module comes with a sample dashboard showing and overview of the processes +that are executing. + +[role="screenshot"] +image::./images/kibana-santa-log-overview.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/docs/modules/suricata.asciidoc b/filebeat/docs/modules/suricata.asciidoc index 1ce9a62c7b51..a0c9bd5ddfce 100644 --- a/filebeat/docs/modules/suricata.asciidoc +++ b/filebeat/docs/modules/suricata.asciidoc @@ -16,22 +16,14 @@ Suricata Eve JSON format]. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility This module has been developed against Suricata v4.0.4, but is expected to work with other versions of Suricata. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with a sample dashboard. For example: - -[role="screenshot"] -image::./images/kibana-suricata.png[] - include::../include/configuring-intro.asciidoc[] This is an example of how to overwrite the default log file path. @@ -53,6 +45,14 @@ include::../include/config-option-intro.asciidoc[] include::../include/var-paths.asciidoc[] +[float] +=== Example dashboard + +This module comes with sample dashboards. For example: + +[role="screenshot"] +image::./images/kibana-suricata.png[] + :has-dashboards!: :fileset_ex!: 
diff --git a/filebeat/docs/modules/system.asciidoc b/filebeat/docs/modules/system.asciidoc index 7d5ed4c4d6a2..8e1332500177 100644 --- a/filebeat/docs/modules/system.asciidoc +++ b/filebeat/docs/modules/system.asciidoc @@ -13,6 +13,8 @@ service of common Unix/Linux based distributions. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility @@ -21,16 +23,6 @@ macOS Sierra. This module is not available for Windows. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboards - -This module comes with sample dashboards. For example: - -[role="screenshot"] -image::./images/kibana-system.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ @@ -76,6 +68,14 @@ include::../include/var-paths.asciidoc[] include::../include/timezone-support.asciidoc[] +[float] +=== Example dashboards + +This module comes with sample dashboards. For example: + +[role="screenshot"] +image::./images/kibana-system.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/docs/modules/traefik.asciidoc b/filebeat/docs/modules/traefik.asciidoc index 7ec5b2bb952a..84d0c49d96c9 100644 --- a/filebeat/docs/modules/traefik.asciidoc +++ b/filebeat/docs/modules/traefik.asciidoc @@ -13,18 +13,10 @@ https://traefik.io/[Træfik]. include::../include/what-happens.asciidoc[] -[float] -=== Compatibility - -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboards +include::../include/gs-link.asciidoc[] -This module comes with sample dashboards. For example: - -[role="screenshot"] -image::./images/kibana-traefik.png[] +//[float] +//=== Compatibility include::../include/configuring-intro.asciidoc[] 
@@ -58,6 +50,14 @@ include::../include/config-option-intro.asciidoc[] include::../include/var-paths.asciidoc[] +[float] +=== Example dashboards + +This module comes with sample dashboards. For example: + +[role="screenshot"] +image::./images/kibana-traefik.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/docs/modules/zeek.asciidoc b/filebeat/docs/modules/zeek.asciidoc index b06670bae7cd..6df419f6034d 100644 --- a/filebeat/docs/modules/zeek.asciidoc +++ b/filebeat/docs/modules/zeek.asciidoc @@ -13,6 +13,8 @@ This file is generated! See scripts/docs_collector.py This is a module for Zeek, which used to be called Bro. It parses logs that are in the https://www.zeek.org/manual/release/logs/index.html[Zeek JSON format]. +include::../include/gs-link.asciidoc[] + [float] === Compatibility diff --git a/filebeat/module/apache/_meta/docs.asciidoc b/filebeat/module/apache/_meta/docs.asciidoc index 3cfb71c1000d..0fb35de57c0c 100644 --- a/filebeat/module/apache/_meta/docs.asciidoc +++ b/filebeat/module/apache/_meta/docs.asciidoc @@ -8,6 +8,8 @@ https://httpd.apache.org/[Apache HTTP] server. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility @@ -16,16 +18,6 @@ The +{modulename}+ module was tested with logs from versions 2.2.22 and 2.4.23. On Windows, the module was tested with Apache HTTP Server installed from the Chocolatey repository. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with a sample dashboard. For example: - -[role="screenshot"] -image::./images/kibana-apache.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ 
@@ -81,6 +73,14 @@ Add %v config in httpd.conf in log section LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined ----- +[float] +=== Example dashboard + +This module comes with a sample dashboard. For example: + +[role="screenshot"] +image::./images/kibana-apache.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/module/auditd/_meta/docs.asciidoc b/filebeat/module/auditd/_meta/docs.asciidoc index 74a16f93be7f..0d62f16715fe 100644 --- a/filebeat/module/auditd/_meta/docs.asciidoc +++ b/filebeat/module/auditd/_meta/docs.asciidoc @@ -8,6 +8,8 @@ The +{modulename}+ module collects and parses logs from the audit daemon include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility @@ -16,18 +18,6 @@ The +{modulename}+ module was tested with logs from `auditd` on OSes like CentOS This module is not available for Windows. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with a sample dashboard showing an overview of the audit log -data. You can build more specific dashboards that are tailored to the audit -rules that you use on your systems. - -[role="screenshot"] -image::./images/kibana-audit-auditd.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ @@ -62,6 +52,16 @@ include::../include/config-option-intro.asciidoc[] include::../include/var-paths.asciidoc[] +[float] +=== Example dashboard + +This module comes with a sample dashboard showing an overview of the audit log +data. You can build more specific dashboards that are tailored to the audit +rules that you use on your systems. + +[role="screenshot"] +image::./images/kibana-audit-auditd.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/module/elasticsearch/_meta/docs.asciidoc b/filebeat/module/elasticsearch/_meta/docs.asciidoc index 0f41f3366514..219037bafb96 100755 
--- a/filebeat/module/elasticsearch/_meta/docs.asciidoc +++ b/filebeat/module/elasticsearch/_meta/docs.asciidoc @@ -9,15 +9,13 @@ This is the elasticsearch module. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility The Elasticsearch module is compatible with Elasticsearch 6.2 and newer. - -include::../include/running-modules.asciidoc[] - - include::../include/configuring-intro.asciidoc[] :fileset_ex: server diff --git a/filebeat/module/haproxy/_meta/docs.asciidoc b/filebeat/module/haproxy/_meta/docs.asciidoc index 4aab1035b4cc..7beb7b9cb20e 100644 --- a/filebeat/module/haproxy/_meta/docs.asciidoc +++ b/filebeat/module/haproxy/_meta/docs.asciidoc @@ -7,6 +7,8 @@ The +{modulename}+ module collects and parses logs from a (`haproxy`) process. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility @@ -14,17 +16,6 @@ The +{modulename}+ module was tested with logs from `haproxy` running on AWS Lin This module is not available for Windows. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with a sample dashboard showing geolocation, distribution of requests between backends and frontends, -and status codes over time. For example: - -[role="screenshot"] -image::./images/kibana-haproxy-overview.png[] - include::../include/configuring-intro.asciidoc[] The module is by default configured to run via syslog on port 9001. However @@ -51,6 +42,15 @@ include::../include/var-paths.asciidoc[] include::../include/timezone-support.asciidoc[] +[float] +=== Example dashboard + +This module comes with a sample dashboard showing geolocation, distribution of requests between backends and frontends, +and status codes over time. For example: + +[role="screenshot"] +image::./images/kibana-haproxy-overview.png[] + :has-dashboards!: :fileset_ex!: 
diff --git a/filebeat/module/icinga/_meta/docs.asciidoc b/filebeat/module/icinga/_meta/docs.asciidoc index 3796d0b57e47..82964dda31fa 100644 --- a/filebeat/module/icinga/_meta/docs.asciidoc +++ b/filebeat/module/icinga/_meta/docs.asciidoc @@ -8,6 +8,8 @@ https://www.icinga.com/products/icinga-2/[Icinga]. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility @@ -16,16 +18,6 @@ systems. This module is not available for macOS. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with sample dashboards. For example: - -[role="screenshot"] -image::./images/kibana-icinga-main.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ @@ -76,6 +68,14 @@ include::../include/var-paths.asciidoc[] include::../include/var-paths.asciidoc[] +[float] +=== Example dashboard + +This module comes with sample dashboards. For example: + +[role="screenshot"] +image::./images/kibana-icinga-main.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/module/iis/_meta/docs.asciidoc b/filebeat/module/iis/_meta/docs.asciidoc index c3a63f1342ea..a21445ed2ecb 100644 --- a/filebeat/module/iis/_meta/docs.asciidoc +++ b/filebeat/module/iis/_meta/docs.asciidoc @@ -8,21 +8,13 @@ Internet Information Services (IIS) HTTP server. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility The IIS module was tested with logs from version 7.5 and version 10. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with a sample dashboard. For example: - -[role="screenshot"] -image::./images/kibana-iis.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ 
@@ -62,6 +54,14 @@ include::../include/var-paths.asciidoc[] include::../include/var-paths.asciidoc[] +[float] +=== Example dashboard + +This module comes with a sample dashboard. For example: + +[role="screenshot"] +image::./images/kibana-iis.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/module/kafka/_meta/docs.asciidoc b/filebeat/module/kafka/_meta/docs.asciidoc index 787bcd8dd5b2..4e199f98b4be 100644 --- a/filebeat/module/kafka/_meta/docs.asciidoc +++ b/filebeat/module/kafka/_meta/docs.asciidoc @@ -8,21 +8,13 @@ https://kafka.apache.org/[Kafka]. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility The +{modulename}+ module was tested with logs from versions 0.9, 1.1.0 and 2.0.0. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with a sample dashboard to see Kafka logs and stack traces. - -[role="screenshot"] -image::./images/filebeat-kafka-logs-overview.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ @@ -74,6 +66,14 @@ include::../include/var-paths.asciidoc[] include::../include/timezone-support.asciidoc[] +[float] +=== Example dashboard + +This module comes with a sample dashboard to see Kafka logs and stack traces. + +[role="screenshot"] +image::./images/filebeat-kafka-logs-overview.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/module/kibana/_meta/docs.asciidoc b/filebeat/module/kibana/_meta/docs.asciidoc index d6b551ad0cdf..1724d3b2c003 100644 --- a/filebeat/module/kibana/_meta/docs.asciidoc +++ b/filebeat/module/kibana/_meta/docs.asciidoc 
@@ -9,14 +9,13 @@ This is the Kibana module. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility The Kibana modules is compatible with Kibana 6.3 and newer. -include::../include/running-modules.asciidoc[] - - include::../include/configuring-intro.asciidoc[] //set the fileset name used in the included file diff --git a/filebeat/module/logstash/_meta/docs.asciidoc b/filebeat/module/logstash/_meta/docs.asciidoc index c59685c00b42..2fc591618126 100644 --- a/filebeat/module/logstash/_meta/docs.asciidoc +++ b/filebeat/module/logstash/_meta/docs.asciidoc @@ -8,6 +8,8 @@ and the JSON format (--log.format json). The default is the plain text format. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + The +{modulename}+ module has two filesets: * The `log` fileset collects and parses the logs that Logstash writes to disk. @@ -24,19 +26,6 @@ The Logstash `log` fileset was tested with logs from Logstash 5.6 and 6.0. The Logstash `slowlog` fileset was tested with logs from Logstash 5.6 and 6.0 -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboards - -This module comes with two sample dashboards. - -[role="screenshot"] -image::./images/kibana-logstash-log.png[] - -[role="screenshot"] -image::./images/kibana-logstash-slowlog.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ @@ -91,6 +80,17 @@ default is `plain`. include::../include/timezone-support.asciidoc[] +[float] +=== Example dashboards + +This module comes with two sample dashboards. + +[role="screenshot"] +image::./images/kibana-logstash-log.png[] + +[role="screenshot"] +image::./images/kibana-logstash-slowlog.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/module/mongodb/_meta/docs.asciidoc b/filebeat/module/mongodb/_meta/docs.asciidoc index fb991a1859b9..6945b46d5df4 100755 
--- a/filebeat/module/mongodb/_meta/docs.asciidoc +++ b/filebeat/module/mongodb/_meta/docs.asciidoc @@ -8,21 +8,13 @@ https://www.mongodb.com/[MongoDB]. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility The +{modulename}+ module was tested with logs from versions v3.2.11 on Debian. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with one sample dashboard including error and regular logs. - -[role="screenshot"] -image::./images/filebeat-mongodb-overview.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ @@ -56,6 +48,14 @@ include::../include/config-option-intro.asciidoc[] include::../include/var-paths.asciidoc[] +[float] +=== Example dashboard + +This module comes with one sample dashboard including error and regular logs. + +[role="screenshot"] +image::./images/filebeat-mongodb-overview.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/module/mysql/_meta/docs.asciidoc b/filebeat/module/mysql/_meta/docs.asciidoc index 1ad7b8bd5601..a58576373e4d 100644 --- a/filebeat/module/mysql/_meta/docs.asciidoc +++ b/filebeat/module/mysql/_meta/docs.asciidoc @@ -8,6 +8,8 @@ created by https://www.mysql.com/[MySQL]. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility @@ -17,16 +19,6 @@ MariaDB 10.1, 10.2 and 10.3, and Percona 5.7 and 8.0. On Windows, the module was tested with MySQL installed from the Chocolatey repository. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with a sample dashboard. For example: - -[role="screenshot"] -image::./images/kibana-mysql.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ 
@@ -68,6 +60,14 @@ include::../include/var-paths.asciidoc[] include::../include/var-paths.asciidoc[] +[float] +=== Example dashboard + +This module comes with a sample dashboard. For example: + +[role="screenshot"] +image::./images/kibana-mysql.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/module/nats/_meta/docs.asciidoc b/filebeat/module/nats/_meta/docs.asciidoc index cc7cf0e2c28a..070a909bb35f 100644 --- a/filebeat/module/nats/_meta/docs.asciidoc +++ b/filebeat/module/nats/_meta/docs.asciidoc @@ -7,22 +7,13 @@ This is the nats module. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility The +{modulename}+ module was tested with logs from version v1.4.0. - -include::../include/running-modules.asciidoc[] - -[float] -=== Dashboard - -The Nats module comes with a predefined dashboard. For example: - -image::./images/filebeat_nats_dashboard.png[] - - include::../include/configuring-intro.asciidoc[] @@ -36,6 +27,13 @@ include::../include/config-option-intro.asciidoc[] include::../include/var-paths.asciidoc[] +[float] +=== Dashboard + +The Nats module comes with a predefined dashboard. For example: + +image::./images/filebeat_nats_dashboard.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/module/nginx/_meta/docs.asciidoc b/filebeat/module/nginx/_meta/docs.asciidoc index e9d03ceae70c..4c2b38e0681f 100644 --- a/filebeat/module/nginx/_meta/docs.asciidoc +++ b/filebeat/module/nginx/_meta/docs.asciidoc @@ -9,6 +9,8 @@ http://nginx.org/[Nginx] HTTP server. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility 
@@ -17,16 +19,6 @@ The Nginx module was tested with logs from version 1.10. On Windows, the module was tested with Nginx installed from the Chocolatey repository. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with sample dashboards. For example: - -[role="screenshot"] -image::./images/kibana-nginx.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ @@ -71,6 +63,14 @@ include::../include/var-paths.asciidoc[] include::../include/timezone-support.asciidoc[] +[float] +=== Example dashboard + +This module comes with sample dashboards. For example: + +[role="screenshot"] +image::./images/kibana-nginx.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/module/osquery/_meta/docs.asciidoc b/filebeat/module/osquery/_meta/docs.asciidoc index b8601be91749..17de37af09ad 100644 --- a/filebeat/module/osquery/_meta/docs.asciidoc +++ b/filebeat/module/osquery/_meta/docs.asciidoc @@ -11,6 +11,8 @@ driver (the default). Make sure UTC timestamps are enabled. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility @@ -21,16 +23,6 @@ works with any version of osquery. This module is available on Linux, macOS, and Windows. -[float] -=== Example dashboard - -This module comes with a sample dashboard for visualizing the data collected by -the "compliance" pack. To collect this data, enable the `id-compliance` pack in -the osquery configuration file. - -[role="screenshot"] -image::./images/kibana-osquery-compatibility.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ 
@@ -69,6 +61,16 @@ setting also disables the renaming of some fields (e.g. `hostIdentifier` to `host_identifier`). Note that if you set this to false, the sample dashboards coming with this module won't work correctly. The default is true. +[float] +=== Example dashboard + +This module comes with a sample dashboard for visualizing the data collected by +the "compliance" pack. To collect this data, enable the `id-compliance` pack in +the osquery configuration file. + +[role="screenshot"] +image::./images/kibana-osquery-compatibility.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/module/postgresql/_meta/docs.asciidoc b/filebeat/module/postgresql/_meta/docs.asciidoc index 7360720da065..3aa5e02c227e 100644 --- a/filebeat/module/postgresql/_meta/docs.asciidoc +++ b/filebeat/module/postgresql/_meta/docs.asciidoc @@ -8,29 +8,14 @@ https://www.postgresql.org/[PostgreSQL]. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility The +{modulename}+ module was tested with logs from versions 9.5 on Ubuntu and 9.6 on Debian. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboards - -This module comes with two sample dashboards. - -The first dashboard is for regular logs. - -[role="screenshot"] -image::./images/filebeat-postgresql-overview.png[] - -The second one shows the slowlogs of PostgreSQL. - -[role="screenshot"] -image::./images/filebeat-postgresql-slowlog-overview.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ 
@@ -64,6 +49,20 @@ include::../include/config-option-intro.asciidoc[] include::../include/var-paths.asciidoc[] +[float] +=== Example dashboards + +This module comes with two sample dashboards. + +The first dashboard is for regular logs. + +[role="screenshot"] +image::./images/filebeat-postgresql-overview.png[] + +The second one shows the slowlogs of PostgreSQL. + +[role="screenshot"] +image::./images/filebeat-postgresql-slowlog-overview.png[] :has-dashboards!: diff --git a/filebeat/module/redis/_meta/docs.asciidoc b/filebeat/module/redis/_meta/docs.asciidoc index 08641f6069ee..8e75f061b0d0 100644 --- a/filebeat/module/redis/_meta/docs.asciidoc +++ b/filebeat/module/redis/_meta/docs.asciidoc @@ -8,6 +8,8 @@ https://redis.io/[Redis]. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + The +{modulename}+ module has two filesets: * The `log` fileset collects and parses the logs that Redis writes to disk. @@ -31,16 +33,6 @@ On Windows, the default paths assume that Redis was installed from the Chocolate The Redis `slowlog` fileset was tested with Redis 3.0.2 and 2.4.6. We expect compatibility with any Redis version newer than 2.2.12, when the SLOWLOG command was added. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with a sample dashboard. For example: - -[role="screenshot"] -image::./images/kibana-redis.png[] - include::../include/configuring-intro.asciidoc[] The following example shows how to set paths in the +modules.d/{modulename}.yml+ @@ -93,6 +85,14 @@ left empty, `localhost:6379` is assumed. The password to use to connect to Redis, in case Redis authentication is enabled (the `requirepass` option in the Redis configuration). +[float] +=== Example dashboard + +This module comes with a sample dashboard. For example: + +[role="screenshot"] +image::./images/kibana-redis.png[] + :has-dashboards!: :fileset_ex!: 
diff --git a/filebeat/module/santa/_meta/docs.asciidoc b/filebeat/module/santa/_meta/docs.asciidoc index 258355d40c2a..01d1408c9182 100644 --- a/filebeat/module/santa/_meta/docs.asciidoc +++ b/filebeat/module/santa/_meta/docs.asciidoc @@ -10,6 +10,8 @@ binaries. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility @@ -17,17 +19,6 @@ The +{modulename}+ module was tested with logs from Santa 0.9.14. This module is available for MacOS only. -include::../include/running-modules.asciidoc[] - -[float] -=== Example dashboard - -This module comes with a sample dashboard showing and overview of the processes -that are executing. - -[role="screenshot"] -image::./images/kibana-santa-log-overview.png[] - include::../include/configuring-intro.asciidoc[] The module is by default configured to read logs from `/var/log/santa.log`. @@ -51,6 +42,15 @@ include::../include/config-option-intro.asciidoc[] include::../include/var-paths.asciidoc[] +[float] +=== Example dashboard + +This module comes with a sample dashboard showing and overview of the processes +that are executing. + +[role="screenshot"] +image::./images/kibana-santa-log-overview.png[] + :has-dashboards!: :fileset_ex!: diff --git a/filebeat/module/system/_meta/docs.asciidoc b/filebeat/module/system/_meta/docs.asciidoc index 3fcfa5773fd2..7907810f4fe4 100644 --- a/filebeat/module/system/_meta/docs.asciidoc +++ b/filebeat/module/system/_meta/docs.asciidoc @@ -8,6 +8,8 @@ service of common Unix/Linux based distributions. include::../include/what-happens.asciidoc[] +include::../include/gs-link.asciidoc[] + [float] === Compatibility 
@@ -16,16 +18,6 @@ macOS Sierra.
 This module is not available for Windows.
-include::../include/running-modules.asciidoc[]
-
-[float]
-=== Example dashboards
-
-This module comes with sample dashboards. For example:
-
-[role="screenshot"]
-image::./images/kibana-system.png[]
-
 include::../include/configuring-intro.asciidoc[]
 The following example shows how to set paths in the +modules.d/{modulename}.yml+
@@ -71,6 +63,14 @@ include::../include/var-paths.asciidoc[]
 include::../include/timezone-support.asciidoc[]
+[float]
+=== Example dashboards
+
+This module comes with sample dashboards. For example:
+
+[role="screenshot"]
+image::./images/kibana-system.png[]
+
 :has-dashboards!:
 :fileset_ex!:
diff --git a/filebeat/module/traefik/_meta/docs.asciidoc b/filebeat/module/traefik/_meta/docs.asciidoc
index d0c5283d37bc..53d8e907fc10 100644
--- a/filebeat/module/traefik/_meta/docs.asciidoc
+++ b/filebeat/module/traefik/_meta/docs.asciidoc
@@ -8,18 +8,10 @@ https://traefik.io/[Træfik].
 include::../include/what-happens.asciidoc[]
-[float]
-=== Compatibility
-
-include::../include/running-modules.asciidoc[]
-
-[float]
-=== Example dashboards
+include::../include/gs-link.asciidoc[]
-This module comes with sample dashboards. For example:
-
-[role="screenshot"]
-image::./images/kibana-traefik.png[]
+//[float]
+//=== Compatibility
 include::../include/configuring-intro.asciidoc[]
@@ -53,6 +45,14 @@ include::../include/config-option-intro.asciidoc[]
 include::../include/var-paths.asciidoc[]
+[float]
+=== Example dashboards
+
+This module comes with sample dashboards. For example:
+
+[role="screenshot"]
+image::./images/kibana-traefik.png[]
+
 :has-dashboards!:
 :fileset_ex!:
diff --git a/filebeat/scripts/module/_meta/docs.asciidoc b/filebeat/scripts/module/_meta/docs.asciidoc
index 12f49c049c3f..54762e8c7dd2 100644
--- a/filebeat/scripts/module/_meta/docs.asciidoc
+++ b/filebeat/scripts/module/_meta/docs.asciidoc
@@ -7,22 +7,13 @@ This is the {module} module.
 include::../include/what-happens.asciidoc[]
+include::../include/gs-link.asciidoc[]
+
 [float]
 === Compatibility
 TODO: document with what versions of the software is this tested
-
-include::../include/running-modules.asciidoc[]
-
-[float]
-=== Example dashboard
-
-This module comes with a sample dashboard. For example:
-
-TODO: include an image of a sample dashboard. If you do not include a dashboard,
-remove this section and set `:has-dashboards: false` at the top of this file.
-
 include::../include/configuring-intro.asciidoc[]
 TODO: provide an example configuration
@@ -40,6 +31,14 @@ the relevant file. For example:
 include::../include/var-paths.asciidoc[]
+[float]
+=== Example dashboard
+
+This module comes with a sample dashboard. For example:
+
+TODO: include an image of a sample dashboard. If you do not include a dashboard,
+remove this section and set `:has-dashboards: false` at the top of this file.
+
 :has-dashboards!:
 :fileset_ex!:
diff --git a/filebeat/tests/system/input/template-test-module/_meta/docs.asciidoc b/filebeat/tests/system/input/template-test-module/_meta/docs.asciidoc
index aeb7d4c50ebf..0a8cd4148e14 100644
--- a/filebeat/tests/system/input/template-test-module/_meta/docs.asciidoc
+++ b/filebeat/tests/system/input/template-test-module/_meta/docs.asciidoc
@@ -7,22 +7,13 @@ This is the template-test-module module.
 include::../include/what-happens.asciidoc[]
+include::../include/gs-link.asciidoc[]
+
 [float]
 === Compatibility
 TODO: document with what versions of the software is this tested
-
-include::../include/running-modules.asciidoc[]
-
-[float]
-=== Example dashboard
-
-This module comes with a sample dashboard. For example:
-
-TODO: include an image of a sample dashboard. If you do not include a dashboard,
-remove this section and set `:has-dashboards: false` at the top of this file.
-
 include::../include/configuring-intro.asciidoc[]
 TODO: provide an example configuration
@@ -40,6 +31,14 @@ the relevant file. For example:
 include::../include/var-paths.asciidoc[]
+[float]
+=== Example dashboard
+
+This module comes with a sample dashboard. For example:
+
+TODO: include an image of a sample dashboard. If you do not include a dashboard,
+remove this section and set `:has-dashboards: false` at the top of this file.
+
 :has-dashboards!:
 :fileset_ex!:
diff --git a/x-pack/filebeat/module/activemq/_meta/docs.asciidoc b/x-pack/filebeat/module/activemq/_meta/docs.asciidoc
index 5b47f36a7814..cdded2dc7fbf 100644
--- a/x-pack/filebeat/module/activemq/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/activemq/_meta/docs.asciidoc
@@ -11,13 +11,13 @@ This module parses Apache ActiveMQ logs. It supports application and audit logs.
 include::../include/what-happens.asciidoc[]
+include::../include/gs-link.asciidoc[]
+
 [float]
 === Compatibility
 The module has been tested with ActiveMQ 5.13.0 and 5.15.9. Other versions are expected to work.
-include::../include/running-modules.asciidoc[]
-
 include::../include/configuring-intro.asciidoc[]
 :fileset_ex: log
diff --git a/x-pack/filebeat/module/aws/_meta/docs.asciidoc b/x-pack/filebeat/module/aws/_meta/docs.asciidoc
index 552b90c20d54..b6afb2ce0eb4 100644
--- a/x-pack/filebeat/module/aws/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/aws/_meta/docs.asciidoc
@@ -18,6 +18,8 @@ from network interfaces in AWS VPC. ELB access logs captures detailed informatio
 about requests sent to the load balancer. CloudTrail logs contain events that represent actions taken by a user, role or AWS service.
+include::../include/gs-link.asciidoc[]
+
 [float]
 === Module configuration
diff --git a/x-pack/filebeat/module/azure/_meta/docs.asciidoc b/x-pack/filebeat/module/azure/_meta/docs.asciidoc
index 966c2ed88272..5bf7bb576d00 100644
--- a/x-pack/filebeat/module/azure/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/azure/_meta/docs.asciidoc
@@ -3,20 +3,18 @@
 :modulename: azure
 :has-dashboards: false
-== azure module
+== Azure module
 beta[]
-This is the azure module.
-
-The azure module will concentrate on retrieving different types of log data from Azure.
+The azure module retrieves different types of log data from Azure.
 There are several requirements before using the module since the logs will actually be read from azure event hubs.
 - the logs have to be exported first to the event hubs https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-create-kafka-enabled
 - to export activity logs to event hubs users can follow the steps here https://docs.microsoft.com/en-us/azure/azure-monitor/platform/activity-log-export
 - to export audit and sign-in logs to event hubs users can follow the steps here https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub
-The module will contain the following filesets:
+The module contains the following filesets:
 `activitylogs` :: Will retrieve azure activity logs. Control-plane events on Azure Resource Manager resources. Activity logs provide insight into the operations that were performed on resources in your subscription.
@@ -27,14 +25,6 @@ Will retrieve azure Active Directory sign-in logs. The sign-ins report provides
 `auditlogs` :: Will retrieve azure Active Directory audit logs. The audit logs provide traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies.
-[float]
-=== Dashboards
-
-The azure module comes with several predefined dashboards for general cloud overview, user activity and alerts. For example:
-
-image::./images/filebeat-azure-overview.png[]
-
-
 [float]
 === Module configuration
@@ -95,14 +85,22 @@ The name of the storage account the state/offsets will be stored and updated.
 _string_ The storage account key, this key will be used to authorize access to data in your storage account.
-
 include::../include/what-happens.asciidoc[]
+include::../include/gs-link.asciidoc[]
+
 [float]
 === Compatibility
 TODO: document with what versions of the software is this tested
+[float]
+=== Dashboards
+
+The azure module comes with several predefined dashboards for general cloud overview, user activity and alerts. For example:
+
+image::./images/filebeat-azure-overview.png[]
+
diff --git a/x-pack/filebeat/module/cef/_meta/docs.asciidoc b/x-pack/filebeat/module/cef/_meta/docs.asciidoc
index 89b63cc88bd4..3dff2de06c4f 100644
--- a/x-pack/filebeat/module/cef/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/cef/_meta/docs.asciidoc
@@ -13,7 +13,7 @@ encoded data. The decoded data is written into a `cef` object field. Lastly any Elastic Common Schema (ECS) fields that can be populated with the CEF data are populated.
-include::../include/running-modules.asciidoc[]
+include::../include/gs-link.asciidoc[]
 include::../include/configuring-intro.asciidoc[]
diff --git a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc
index f4b9c5e61f01..b473740c2330 100644
--- a/x-pack/filebeat/module/cisco/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/cisco/_meta/docs.asciidoc
@@ -31,15 +31,7 @@ Check the <> section for more information.
 include::../include/what-happens.asciidoc[]
-include::../include/running-modules.asciidoc[]
-
-[float]
-=== Example dashboard
-
-This module comes with a sample dashboard for ASA:
-
-[role="screenshot"]
-image::./images/kibana-cisco-asa.png[]
+include::../include/gs-link.asciidoc[]
 include::../include/configuring-intro.asciidoc[]
@@ -302,4 +294,12 @@ parameters on your Elasticsearch cluster:
 - {ref}/modules-scripting-using.html#modules-scripting-using-caching[script.cache_max_size]: Increase to at least `200` if using both filesets or other script-heavy modules.
+[float]
+=== Example dashboard
+
+This module comes with a sample dashboard for ASA:
+
+[role="screenshot"]
+image::./images/kibana-cisco-asa.png[]
+
 :modulename!:
diff --git a/x-pack/filebeat/module/coredns/_meta/docs.asciidoc b/x-pack/filebeat/module/coredns/_meta/docs.asciidoc
index 872dc4de9776..056f45e15232 100644
--- a/x-pack/filebeat/module/coredns/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/coredns/_meta/docs.asciidoc
@@ -8,19 +8,19 @@ This is a filebeat module for CoreDNS. It supports both standalone CoreDNS deployment and CoreDNS deployment in Kubernetes.
+include::../include/gs-link.asciidoc[]
+
 [float]
 === Compatibility
 Although this module has been developed against Kubernetes v1.13.x, it is expected to work with other versions of Kubernetes.
-[float]
-=== Example dashboard
+include::../include/configuring-intro.asciidoc[]
-This module comes with a sample dashboard.
+:fileset_ex: log
-[role="screenshot"]
-image::./images/kibana-coredns.jpg[]
+include::../include/config-option-intro.asciidoc[]
 [float]
 ==== `log` fileset settings
@@ -41,3 +41,11 @@ include::../include/var-paths.asciidoc[]
 *`var.tags`*:: An array of tags describing the monitored CoreDNS setup.
+
+[float]
+=== Example dashboard
+
+This module comes with a sample dashboard.
+
+[role="screenshot"]
+image::./images/kibana-coredns.jpg[]
diff --git a/x-pack/filebeat/module/envoyproxy/_meta/docs.asciidoc b/x-pack/filebeat/module/envoyproxy/_meta/docs.asciidoc
index 126b3f83c5e7..ae036ce72496 100644
--- a/x-pack/filebeat/module/envoyproxy/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/envoyproxy/_meta/docs.asciidoc
@@ -5,7 +5,9 @@
 == Envoyproxy Module
-This is a filebeat module for Envoy proxy access log (https://www.envoyproxy.io/docs/envoy/v1.10.0/configuration/access_log). It supports both standalone deployment and Envoy proxy deployment in Kubernetes.
+This is a Filebeat module for Envoy proxy access log (https://www.envoyproxy.io/docs/envoy/v1.10.0/configuration/access_log). It supports both standalone deployment and Envoy proxy deployment in Kubernetes.
+
+include::../include/gs-link.asciidoc[]
 [float]
 === Compatibility
diff --git a/x-pack/filebeat/module/googlecloud/_meta/docs.asciidoc b/x-pack/filebeat/module/googlecloud/_meta/docs.asciidoc
index b0d75e06b10e..7b61903352b5 100644
--- a/x-pack/filebeat/module/googlecloud/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/googlecloud/_meta/docs.asciidoc
@@ -13,7 +13,7 @@ Google Pub/Sub topic sink.
 include::../include/what-happens.asciidoc[]
-include::../include/running-modules.asciidoc[]
+include::../include/gs-link.asciidoc[]
 include::../include/configuring-intro.asciidoc[]
diff --git a/x-pack/filebeat/module/ibmmq/_meta/docs.asciidoc b/x-pack/filebeat/module/ibmmq/_meta/docs.asciidoc
index 1a34a4be0e2e..98c67383b632 100644
--- a/x-pack/filebeat/module/ibmmq/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/ibmmq/_meta/docs.asciidoc
@@ -8,25 +8,15 @@ The `ibmmq` module collects and parses the queue manager error logs from IBM MQ
 include::../include/what-happens.asciidoc[]
+include::../include/gs-link.asciidoc[]
+
 [float]
 === Compatibility
 This module has been tested with IBM MQ v9.1.0.0, but it should be compatible with older versions.
-include::../include/running-modules.asciidoc[]
-
-[float]
-=== Example dashboard
-
-This module comes with a sample dashboard. For example:
-
-[role="screenshot"]
-image::./images/filebeat-ibmmq.png[]
-
-
 include::../include/configuring-intro.asciidoc[]
-
 The following example shows how to set paths in the +modules.d/{modulename}.yml+ file to override the default paths for IBM MQ errorlog:
@@ -37,6 +27,7 @@ file to override the default paths for IBM MQ errorlog:
 enabled: true
 var.paths: ["C:/ibmmq/logs/*.log"]
 -----
+
 :fileset_ex: errorlog
 include::../include/config-option-intro.asciidoc[]
@@ -46,6 +37,14 @@ include::../include/config-option-intro.asciidoc[]
 include::../include/var-paths.asciidoc[]
+[float]
+=== Example dashboard
+
+This module comes with a sample dashboard. For example:
+
+[role="screenshot"]
+image::./images/filebeat-ibmmq.png[]
+
 :fileset_ex!:
 :modulename!:
diff --git a/x-pack/filebeat/module/iptables/_meta/docs.asciidoc b/x-pack/filebeat/module/iptables/_meta/docs.asciidoc
index 12875fb946e6..f95425b71488 100644
--- a/x-pack/filebeat/module/iptables/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/iptables/_meta/docs.asciidoc
@@ -20,21 +20,7 @@ When you run the module, it performs a few tasks under the hood:
 * Deploys dashboards for visualizing the log data.
-include::../include/running-modules.asciidoc[]
-
-[float]
-=== Example dashboard
-
-This module comes with sample dashboards showing geolocation and network
-protocols used. One for all iptables logs:
-
-[role="screenshot"]
-image::./images/kibana-iptables.png[]
-
-and one specific for Ubiquiti Firewall logs:
-
-[role="screenshot"]
-image::./images/kibana-iptables-ubiquiti.png[]
+include::../include/gs-link.asciidoc[]
 include::../include/configuring-intro.asciidoc[]
@@ -72,6 +58,20 @@ NOTE: Ports below 1024 require Filebeat to run as root.
 include::../include/timezone-support.asciidoc[]
+[float]
+=== Example dashboard
+
+This module comes with sample dashboards showing geolocation and network
+protocols used. One for all iptables logs:
+
+[role="screenshot"]
+image::./images/kibana-iptables.png[]
+
+and one specific for Ubiquiti Firewall logs:
+
+[role="screenshot"]
+image::./images/kibana-iptables-ubiquiti.png[]
+
 :has-dashboards!:
 :fileset_ex!:
diff --git a/x-pack/filebeat/module/misp/_meta/docs.asciidoc b/x-pack/filebeat/module/misp/_meta/docs.asciidoc
index 3f0eb441e6f8..c8082cb9ee51 100644
--- a/x-pack/filebeat/module/misp/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/misp/_meta/docs.asciidoc
@@ -14,6 +14,8 @@ The configuration in the config.yml file uses the following format:
 * var.api_key: specifies the API key to access MISP.
 * var.json_objects_array: specifies the array object in MISP response, e.g., "response.Attribute".
 * var.url: URL of the MISP REST API, e.g., "http://x.x.x.x/attributes/restSearch"
+
+include::../include/gs-link.asciidoc[]
 [float]
 === Example dashboard
diff --git a/x-pack/filebeat/module/mssql/_meta/docs.asciidoc b/x-pack/filebeat/module/mssql/_meta/docs.asciidoc
index 969105e1c49e..ff4dc54b3d51 100644
--- a/x-pack/filebeat/module/mssql/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/mssql/_meta/docs.asciidoc
@@ -7,10 +7,10 @@ The +{modulename}+ module parses error logs created by MSSQL.
 include::../include/what-happens.asciidoc[]
-[float]
-=== Compatibility
+include::../include/gs-link.asciidoc[]
-include::../include/running-modules.asciidoc[]
+//[float]
+//=== Compatibility
 include::../include/configuring-intro.asciidoc[]
diff --git a/x-pack/filebeat/module/netflow/_meta/docs.asciidoc b/x-pack/filebeat/module/netflow/_meta/docs.asciidoc
index c92f6de7c160..f882a253fbd2 100644
--- a/x-pack/filebeat/module/netflow/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/netflow/_meta/docs.asciidoc
@@ -13,7 +13,7 @@ This module wraps the <> to enrich the flow records with geolocation information about the IP endpoints by using Elasticsearch Ingest Node.
-include::../include/running-modules.asciidoc[]
+include::../include/gs-link.asciidoc[]
 include::../include/configuring-intro.asciidoc[]
diff --git a/x-pack/filebeat/module/panw/_meta/docs.asciidoc b/x-pack/filebeat/module/panw/_meta/docs.asciidoc
index 7f578f500721..ab918c42e84c 100644
--- a/x-pack/filebeat/module/panw/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/panw/_meta/docs.asciidoc
@@ -11,6 +11,8 @@ This is a module for Palo Alto Networks PAN-OS firewall monitoring logs received over Syslog or read from a file. It currently supports messages of Traffic and Threat types.
+include::../include/gs-link.asciidoc[]
+
 [float]
 === Compatibility
@@ -20,7 +22,50 @@ versions 7.1 to 9.0 but limited compatibility is expected for earlier versions. The {plugins}/ingest-geoip.html[ingest-geoip] Elasticsearch plugin is required to run this module.
-include::../include/running-modules.asciidoc[]
+include::../include/configuring-intro.asciidoc[]
+
+The module is by default configured to run via syslog on port 9001. However
+it can also be configured to read logs from a file. See the following example.
+
+["source","yaml",subs="attributes"]
+-----
+- module: panw
+ panos:
+ enabled: true
+ var.paths: ["/var/log/pan-os.log"]
+ var.input: "file"
+-----
+
+:fileset_ex: panos
+
+include::../include/config-option-intro.asciidoc[]
+
+[float]
+==== `panos` fileset settings
+
+Example config:
+
+[source,yaml]
+----
+ panos:
+ var.syslog_host: 0.0.0.0
+ var.syslog_port: 514
+----
+
+include::../include/var-paths.asciidoc[]
+
+*`var.syslog_host`*::
+
+The interface to listen to UDP based syslog traffic. Defaults to `localhost`.
+Set to `0.0.0.0` to bind to all available interfaces.
+
+*`var.syslog_port`*::
+
+The UDP port to listen for syslog traffic. Defaults to `9001`
+
+NOTE: Ports below 1024 require {beatname_uc} to run as root.
+
+include::../include/timezone-support.asciidoc[]
 [float]
 === ECS field mappings
@@ -129,51 +174,6 @@ image::./images/filebeat-panw-traffic.png[]
 [role="screenshot"]
 image::./images/filebeat-panw-threat.png[]
-include::../include/configuring-intro.asciidoc[]
-
-The module is by default configured to run via syslog on port 9001. However
-it can also be configured to read logs from a file. See the following example.
-
-["source","yaml",subs="attributes"]
------
-- module: panw
- panos:
- enabled: true
- var.paths: ["/var/log/pan-os.log"]
- var.input: "file"
------
-
-:fileset_ex: panos
-
-include::../include/config-option-intro.asciidoc[]
-
-[float]
-==== `panos` fileset settings
-
-Example config:
-
-[source,yaml]
-----
- panos:
- var.syslog_host: 0.0.0.0
- var.syslog_port: 514
-----
-
-include::../include/var-paths.asciidoc[]
-
-*`var.syslog_host`*::
-
-The interface to listen to UDP based syslog traffic. Defaults to `localhost`.
-Set to `0.0.0.0` to bind to all available interfaces.
-
-*`var.syslog_port`*::
-
-The UDP port to listen for syslog traffic. Defaults to `9001`
-
-NOTE: Ports below 1024 require {beatname_uc} to run as root.
-
-include::../include/timezone-support.asciidoc[]
-
 :has-dashboards!:
 :fileset_ex!:
diff --git a/x-pack/filebeat/module/rabbitmq/_meta/docs.asciidoc b/x-pack/filebeat/module/rabbitmq/_meta/docs.asciidoc
index 0c5c69a2d5b9..2222da5e045a 100644
--- a/x-pack/filebeat/module/rabbitmq/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/rabbitmq/_meta/docs.asciidoc
@@ -7,6 +7,8 @@ This is the module for parsing https://www.rabbitmq.com/logging.html[RabbitMQ lo
 include::../include/what-happens.asciidoc[]
+include::../include/gs-link.asciidoc[]
+
 [float]
 === Compatibility
@@ -14,8 +16,6 @@ Parses https://www.rabbitmq.com/logging.html[single file format] introduced in 3
 Tested with version 3.7.14.
-include::../include/running-modules.asciidoc[]
-
 include::../include/configuring-intro.asciidoc[]
 The following example shows how to set paths in the +modules.d/{modulename}.yml+
diff --git a/x-pack/filebeat/module/suricata/_meta/docs.asciidoc b/x-pack/filebeat/module/suricata/_meta/docs.asciidoc
index d771939f317f..e4f3d0bee540 100644
--- a/x-pack/filebeat/module/suricata/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/suricata/_meta/docs.asciidoc
@@ -11,22 +11,14 @@ Suricata Eve JSON format].
 include::../include/what-happens.asciidoc[]
+include::../include/gs-link.asciidoc[]
+
 [float]
 === Compatibility
 This module has been developed against Suricata v4.0.4, but is expected to work with other versions of Suricata.
-include::../include/running-modules.asciidoc[]
-
-[float]
-=== Example dashboard
-
-This module comes with a sample dashboard. For example:
-
-[role="screenshot"]
-image::./images/kibana-suricata.png[]
-
 include::../include/configuring-intro.asciidoc[]
 This is an example of how to overwrite the default log file path.
@@ -48,6 +40,14 @@ include::../include/config-option-intro.asciidoc[]
 include::../include/var-paths.asciidoc[]
+[float]
+=== Example dashboard
+
+This module comes with sample dashboards. For example:
+
+[role="screenshot"]
+image::./images/kibana-suricata.png[]
+
 :has-dashboards!:
 :fileset_ex!:
diff --git a/x-pack/filebeat/module/zeek/_meta/docs.asciidoc b/x-pack/filebeat/module/zeek/_meta/docs.asciidoc
index 3b77ddb0d744..e9b4bc6627d3 100644
--- a/x-pack/filebeat/module/zeek/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/zeek/_meta/docs.asciidoc
@@ -8,6 +8,8 @@ This is a module for Zeek, which used to be called Bro. It parses logs that are in the https://www.zeek.org/manual/release/logs/index.html[Zeek JSON format].
+include::../include/gs-link.asciidoc[]
+
 [float]
 === Compatibility