diff --git a/auditbeat/docs/getting-started.asciidoc b/auditbeat/docs/getting-started.asciidoc index 1cedeaf864c1..bd10a539d338 100644 --- a/auditbeat/docs/getting-started.asciidoc +++ b/auditbeat/docs/getting-started.asciidoc @@ -75,6 +75,25 @@ tar xzvf {beatname_lc}-{version}-darwin-x86_64.tar.gz endif::[] +[[linux]] +*linux:* + +ifeval::["{release-state}"=="unreleased"] + +Version {stack-version} of {beatname_uc} has not yet been released. + +endif::[] + +ifeval::["{release-state}"!="unreleased"] + +["source","sh",subs="attributes"] +------------------------------------------------ +curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-linux-x86_64.tar.gz +tar xzvf {beatname_lc}-{version}-linux-x86_64.tar.gz +------------------------------------------------ + +endif::[] + [[docker]] *docker:* @@ -206,12 +225,12 @@ start {beatname_uc} in the foreground. sudo service {beatname_lc} start ---------------------------------------------------------------------- -*mac:* +*mac and linux:* ["source","sh",subs="attributes"] ---------------------------------------------------------------------- sudo chown root {beatname_lc}.yml <1> -sudo ./{beatname_lc} -e -c {beatname_lc}.yml +sudo ./{beatname_lc} -e ---------------------------------------------------------------------- <1> To monitor system files, you'll be running {beatname_uc} as root, so you need to change ownership of the configuration file, or run {beatname_uc} with diff --git a/auditbeat/docs/index.asciidoc b/auditbeat/docs/index.asciidoc index 28e01662b530..2bf016533ab9 100644 --- a/auditbeat/docs/index.asciidoc +++ b/auditbeat/docs/index.asciidoc @@ -17,6 +17,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] :mac_os: :docker_platform: :win_os: +:linux_os: include::../../libbeat/docs/shared-beats-attributes.asciidoc[] diff --git a/filebeat/docs/getting-started.asciidoc b/filebeat/docs/getting-started.asciidoc index c3b02b99bef8..9633fd1fd66b 100644 
--- a/filebeat/docs/getting-started.asciidoc +++ b/filebeat/docs/getting-started.asciidoc @@ -75,6 +75,25 @@ tar xzvf filebeat-{version}-darwin-x86_64.tar.gz endif::[] +[[linux]] +*linux:* + +ifeval::["{release-state}"=="unreleased"] + +Version {version} of {beatname_uc} has not yet been released. + +endif::[] + +ifeval::["{release-state}"!="unreleased"] + +["source","sh",subs="attributes,callouts"] +------------------------------------------------ +curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-{version}-linux-x86_64.tar.gz +tar xzvf filebeat-{version}-linux-x86_64.tar.gz +------------------------------------------------ + +endif::[] + [[docker]] *docker:* @@ -223,12 +242,12 @@ sudo service {beatname_lc} start docker run {dockerimage} ---------------------------------------------------------------------- -*mac:* +*mac and linux:* [source,shell] ---------------------------------------------------------------------- sudo chown root filebeat.yml <1> -sudo ./filebeat -e -c filebeat.yml +sudo ./filebeat -e ---------------------------------------------------------------------- <1> You'll be running Filebeat as root, so you need to change ownership of the configuration file, or run Filebeat with `--strict.perms=false` diff --git a/filebeat/docs/include/enable-modules-command.asciidoc b/filebeat/docs/include/enable-modules-command.asciidoc index 98fac1dd4862..243aef3d9216 100644 --- a/filebeat/docs/include/enable-modules-command.asciidoc +++ b/filebeat/docs/include/enable-modules-command.asciidoc @@ -13,6 +13,13 @@ ./{beatname_lc} modules enable {modulename} ---- +*linux:* + +["source","sh",subs="attributes"] +---- +./{beatname_lc} modules enable {modulename} +---- + *win:* ["source","sh",subs="attributes"] diff --git a/filebeat/docs/include/list-modules-command.asciidoc b/filebeat/docs/include/list-modules-command.asciidoc index c3bbcff38a0d..ca4cf789e345 100644 --- a/filebeat/docs/include/list-modules-command.asciidoc 
+++ b/filebeat/docs/include/list-modules-command.asciidoc @@ -13,6 +13,13 @@ ./{beatname_lc} modules list ---- +*linux:* + +["source","sh",subs="attributes"] +---- +./{beatname_lc} modules list +---- + *win:* ["source","sh",subs="attributes"] diff --git a/filebeat/docs/include/run-command.asciidoc b/filebeat/docs/include/run-command.asciidoc index 80f2bfb5e4f9..158a66ef1501 100644 --- a/filebeat/docs/include/run-command.asciidoc +++ b/filebeat/docs/include/run-command.asciidoc @@ -13,6 +13,13 @@ service {beatname_lc} start ./{beatname_lc} -e ---- +*linux:* + +["source","sh",subs="attributes"] +---- +./{beatname_lc} -e +---- + *win:* ["source","sh",subs="attributes"] diff --git a/filebeat/docs/include/set-paths.asciidoc b/filebeat/docs/include/set-paths.asciidoc index 8f4b1eb50891..07f9ffa0b490 100644 --- a/filebeat/docs/include/set-paths.asciidoc +++ b/filebeat/docs/include/set-paths.asciidoc @@ -28,6 +28,13 @@ must include the module and fileset name. For example: ./{beatname_lc} -e -M "nginx.access.var.paths=[/usr/local/var/log/nginx/access.log*]" ---- +*linux:* + +["source","sh",subs="attributes"] +---- +./{beatname_lc} -e -M "nginx.access.var.paths=[/usr/local/var/log/nginx/access.log*]" +---- + *win:* ["source","sh",subs="attributes"] diff --git a/filebeat/docs/include/setup-command.asciidoc b/filebeat/docs/include/setup-command.asciidoc index 66f4ce361a5c..14642e1aa826 100644 --- a/filebeat/docs/include/setup-command.asciidoc +++ b/filebeat/docs/include/setup-command.asciidoc @@ -13,6 +13,13 @@ ./{beatname_lc} setup -e ---- +*linux:* + +["source","sh",subs="attributes"] +---- +./{beatname_lc} setup -e +---- + *win:* ["source","sh",subs="attributes"] diff --git a/filebeat/docs/index.asciidoc b/filebeat/docs/index.asciidoc index ba4bcce89a8f..d7bc6f260eb1 100644 --- a/filebeat/docs/index.asciidoc +++ b/filebeat/docs/index.asciidoc 
@@ -15,6 +15,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] :deb_os: :rpm_os: :mac_os: +:linux_os: :docker_platform: :win_os: diff --git a/heartbeat/docs/getting-started.asciidoc b/heartbeat/docs/getting-started.asciidoc index 28ded322eaed..6008ecec6cfd 100644 --- a/heartbeat/docs/getting-started.asciidoc +++ b/heartbeat/docs/getting-started.asciidoc @@ -81,6 +81,23 @@ tar xzvf heartbeat-{version}-darwin-x86_64.tar.gz endif::[] +[[linux]] +*linux:* + +ifeval::["{release-state}"=="unreleased"] + +Version {version} of {beatname_uc} has not yet been released. + +endif::[] + +ifeval::["{release-state}"!="unreleased"] + +["source","sh",subs="attributes"] +------------------------------------------------ +curl -L -O {downloads}/heartbeat/heartbeat-{version}-linux-x86_64.tar.gz +tar xzvf heartbeat-{version}-linux-x86_64.tar.gz +------------------------------------------------ +endif::[] [[docker]] *docker:* @@ -230,12 +247,12 @@ start Heartbeat in the foreground. sudo service {beatname_lc}-elastic start ---------------------------------------------------------------------- -*mac:* +*mac and linux:* ["source","sh",subs="attributes"] ---------------------------------------------------------------------- sudo chown root heartbeat.yml <1> -sudo ./heartbeat -e -c heartbeat.yml +sudo ./heartbeat -e ---------------------------------------------------------------------- <1> You'll be running Heartbeat as root, so you need to change ownership of the configuration file, or run Heartbeat with `--strict.perms=false` specified. See diff --git a/heartbeat/docs/index.asciidoc b/heartbeat/docs/index.asciidoc index 0176b0072904..53f2cc9a48ce 100644 --- a/heartbeat/docs/index.asciidoc +++ b/heartbeat/docs/index.asciidoc @@ -15,6 +15,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] :deb_os: :rpm_os: :mac_os: +:linux_os: :docker_platform: :win_os: 
diff --git a/journalbeat/docs/index.asciidoc b/journalbeat/docs/index.asciidoc
index ac818e5b4120..3c99a47bdd10 100644
--- a/journalbeat/docs/index.asciidoc
+++ b/journalbeat/docs/index.asciidoc
@@ -14,6 +14,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
 :libbeat-docs: Beats Platform Reference
 :deb_os:
 :rpm_os:
+:linux_os:
 :no_dashboards:
 include::../../libbeat/docs/shared-beats-attributes.asciidoc[]
diff --git a/libbeat/docs/command-reference.asciidoc b/libbeat/docs/command-reference.asciidoc
index 97834b75ba40..e30cabe3b5d6 100644
--- a/libbeat/docs/command-reference.asciidoc
+++ b/libbeat/docs/command-reference.asciidoc
@@ -19,25 +19,25 @@ :help-command-short-desc: Shows help for any command :keystore-command-short-desc: Manages the <> :modules-command-short-desc: Manages configured modules -:package-command-short-desc: Packages the configuration and executable in a zip file +:package-command-short-desc: Packages the configuration and executable into a zip file :remove-command-short-desc: Removes the specified function from your serverless environment :run-command-short-desc: Runs {beatname_uc}. This command is used by default if you start {beatname_uc} without specifying a command ifndef::deprecate_dashboard_loading[] ifdef::has_ml_jobs[] -:setup-command-short-desc: Sets up the initial environment, including the index template, Kibana dashboards (when available), and machine learning jobs (when available) +:setup-command-short-desc: Sets up the initial environment, including the index template, {kib} dashboards (when available), and machine learning jobs (when available) endif::[] ifndef::has_ml_jobs[] -:setup-command-short-desc: Sets up the initial environment, including the index template and Kibana dashboards (when available) +:setup-command-short-desc: Sets up the initial environment, including the index template and {kib} dashboards (when available) endif::[] endif::[] ifdef::deprecate_dashboard_loading[] -:setup-command-short-desc: Sets up the initial environment, including the ES index template and Kibana dashboards (deprecated). +:setup-command-short-desc: Sets up the initial environment, including the ES index template and {kib} dashboards (deprecated). endif::[] @@ -67,7 +67,6 @@ The command-line also supports <> for controlling global behaviors. ifeval::["{beatname_lc}"!="winlogbeat"] - [TIP] ========================= Use `sudo` to run the following commands if: @@ -76,7 +75,6 @@ Use `sudo` to run the following commands if: * {beatname_uc} is configured to capture data that requires `root` access ========================= - endif::[] [options="header"] 
@@ -110,8 +108,33 @@ ifeval::[("{beatname_lc}"=="functionbeat")] [[deploy-command]] ==== `deploy` command -{deploy-command-short-desc}. +{deploy-command-short-desc}. Before deploying functions, make sure the user has +the credentials required by your cloud service provider. + +*SYNOPSIS* + +["source","sh",subs="attributes"] +---- +{beatname_lc} deploy FUNCTION_NAME [FLAGS] +---- + +*`FUNCTION_NAME`*:: +Specifies the name of the function to deploy. + +*FLAGS* + +*`-h, --help`*:: +Shows help for the `deploy` command. + +{global-flags} + +*EXAMPLES* +["source","sh",subs="attributes"] +----- +{beatname_lc} deploy cloudwatch +{beatname_lc} deploy sqs +----- endif::[] [[export-command]] @@ -119,7 +142,7 @@ endif::[] {export-command-short-desc}. You can use this command to quickly view your configuration, see the contents of the index -template, or export a dashboard from Kibana. +template, or export a dashboard from {kib}. *SYNOPSIS* 
@@ -128,55 +151,55 @@ template, or export a dashboard from Kibana. {beatname_lc} export SUBCOMMAND [FLAGS] ---- - *SUBCOMMANDS* *`config`*:: Exports the current configuration to stdout. If you use the `-c` flag, this command exports the configuration that's defined in the specified file. - - -*`dashboard`*:: -Exporting a dashboard allows to store a dashboard on disk in a -module and load it automatically. The following command can be used: +[[dashboard-subcommand]]*`dashboard`*:: +Exports a dashboard. You can use this option to store a dashboard on disk in a +module and load it automatically. For example, to export the dashboard to a JSON +file, run: + ["source","shell",subs="attributes"] ---- -{beatname_lc} export dashboard --id="dashboard-id" > dashboard.json +{beatname_lc} export dashboard --id="DASHBOARD_ID" > dashboard.json ---- + -The `dashboard-id` can be found in the Kibana URL. By default `export dashboard` -will write the dashboard to stdout. Above it's written into `dashboard.json` so -it can later imported again. The file contains the dashboard with all -visualizations and searches. The index pattern is removed as it is -expected to be loaded separately for {beatname_uc}. +To find the `DASHBOARD_ID`, look at the URL for the dashboard in {kib}. By +default, `export dashboard` writes the dashboard to stdout. The example shows +how to write the dashboard to a JSON file so that you can import it later. The +JSON file will contain the dashboard with all visualizations and searches. You +must load the index pattern separately for {beatname_uc}. + -The generated `dashboard.json` file can be copied into the `kibana/6/dashboard` -directory of {beatname_lc} and next time +{beatname_lc} setup dashboards+ is -run the dashboard will be imported. +To load the dashboard, copy the generated `dashboard.json` file into the +`kibana/6/dashboard` directory of {beatname_uc}, and run ++{beatname_lc} setup --dashboards+ to import the dashboard. 
+ -In case Kibana is not running on `localhost:5061` the {beatname_uc} -configuration under `setup.kibana` must be adjusted. +If {kib} is not running on `localhost:5061`, you must also adjust the +{beatname_uc} configuration under `setup.kibana`. -[[template-subcommand]] -*`template`*:: +[[template-subcommand]]*`template`*:: Exports the index template to stdout. You can specify the `--es.version` and `--index` flags to further define what gets exported. *FLAGS* *`--es.version VERSION`*:: -When specified along with <>, exports an index +When used with <>, exports an index template that is compatible with the specified version. *`-h, --help`*:: Shows help for the `export` command. *`--index BASE_NAME`*:: -When specified along with <>, sets the base name -to use for the index template. If this flag is not specified, the default base -name is +{beatname_lc}+. +When used with <>, sets the base name to use for +the index template. If this flag is not specified, the default base name is ++{beatname_lc}+. + +*`--id DASHBOARD_ID`*:: +When used with <>, specifies the dashboard ID. {global-flags} @@ -186,6 +209,7 @@ name is +{beatname_lc}+. ----- {beatname_lc} export config {beatname_lc} export template --es.version {stack-version} --index myindexname +{beatname_lc} export dashboard --id="a7b35890-8baa-11e8-9676-ef67484126fb" > dashboard.json ----- @@ -272,7 +296,7 @@ Shows help for the `keystore` command. {beatname_lc} keystore list ----- -see <> for more examples. +See <> for more examples. ifeval::[("{beatname_lc}"=="functionbeat")] [[package-command]] 
@@ -280,15 +304,63 @@ ifeval::[("{beatname_lc}"=="functionbeat")] {package-command-short-desc}. +*SYNOPSIS* + +["source","sh",subs="attributes"] +---- +{beatname_lc} package [FLAGS] +---- + +*FLAGS* + +*`-h, --help`*:: +Shows help for the `package` command. + +*`-o, --output`*:: +Specifies the full path to the zip file that will contain the package. + +{global-flags} + +*EXAMPLES* + +["source","sh",subs="attributes"] +----- +{beatname_lc} package /path/to/file.zip +----- + [[remove-command]] ==== `remove` command -{remove-command-short-desc}. +{remove-command-short-desc}. Before removing functions, make sure the user has +the credentials required by your cloud service provider. + +*SYNOPSIS* + +["source","sh",subs="attributes"] +---- +{beatname_lc} remove FUNCTION_NAME [FLAGS] +---- + +*`FUNCTION_NAME`*:: +Specifies the name of the function to remove. + +*FLAGS* +*`-h, --help`*:: +Shows help for the `remove` command. + +{global-flags} + +*EXAMPLES* + +["source","sh",subs="attributes"] +----- +{beatname_lc} remove cloudwatch +{beatname_lc} remove sqs +----- endif::[] ifeval::[("{beatname_lc}"=="filebeat") or ("{beatname_lc}"=="metricbeat")] - [[modules-command]] ==== `modules` command @@ -330,26 +402,20 @@ Shows help for the `export` command. *EXAMPLES* ifeval::["{beatname_lc}"=="filebeat"] - ["source","sh",subs="attributes"] ----- {beatname_lc} modules list {beatname_lc} modules enable apache2 auditd mysql ----- - endif::[] ifeval::["{beatname_lc}"=="metricbeat"] - ["source","sh",subs="attributes"] ----- {beatname_lc} modules list {beatname_lc} modules enable apache nginx system ----- - - endif::[] - endif::[] @@ -375,7 +441,6 @@ Or: *FLAGS* ifeval::["{beatname_lc}"=="packetbeat"] - *`-I, --I FILE`*:: Reads packet data from the specified file instead of reading packets from the network. This option is useful only for testing {beatname_uc}. 
@@ -384,19 +449,17 @@ network. This option is useful only for testing {beatname_uc}. ----- {beatname_lc} run -I ~/pcaps/network_traffic.pcap ----- - endif::[] -*`-N, --N`*:: -Disables the publishing of events to the defined output. This option is useful -only for testing {beatname_uc}. +*`-N, --N`*:: Disables publishing for testing purposes. +ifndef::only-elasticsearch[] +This option disables all outputs except the <>. +endif::only-elasticsearch[] ifeval::["{beatname_lc}"=="packetbeat"] - *`-O, --O`*:: Read packets one by one by pressing _Enter_ after each. This option is useful only for testing {beatname_uc}. - endif::[] *`--cpuprofile FILE`*:: @@ -404,18 +467,14 @@ Writes CPU profile data to the specified file. This option is useful for troubleshooting {beatname_uc}. ifeval::["{beatname_lc}"=="packetbeat"] - *`-devices`*:: Prints the list of devices that are available for sniffing and then exits. - endif::[] ifeval::["{beatname_lc}"=="packetbeat"] - *`-dump FILE`*:: Writes all captured packets to the specified file. This option is useful for troubleshooting {beatname_uc}. - endif::[] *`-h, --help`*:: @@ -426,12 +485,10 @@ Starts an http server for profiling. This option is useful for troubleshooting and profiling {beatname_uc}. ifeval::["{beatname_lc}"=="packetbeat"] - *`-l N`*:: Reads the pcap file `N` number of times. The default is 1. Use this option in combination with the `-I` option. For an infinite loop, use _0_. The `-l` option is useful only for testing {beatname_uc}. - endif::[] *`--memprofile FILE`*:: @@ -439,7 +496,6 @@ Writes memory profile data to the specified output file. This option is useful for troubleshooting {beatname_uc}. ifeval::["{beatname_lc}"=="filebeat"] - *`--modules MODULE_LIST`*:: Specifies a comma-separated list of modules to run. For example: + 
@@ -452,18 +508,15 @@ Rather than specifying the list of modules every time you run {beatname_uc}, you can use the <> command to enable and disable specific modules. Then when you run {beatname_uc}, it will run any modules that are enabled. - endif::[] ifeval::["{beatname_lc}"=="filebeat"] - *`--once`*:: When the `--once` flag is used, {beatname_uc} starts all configured harvesters and inputs, and runs each input until the harvesters are closed. If you set the `--once` flag, you should also set `close_eof` so the harvester is closed when the end of the file is reached. By default harvesters are closed after `close_inactive` is reached. - endif::[] *`--setup`*:: @@ -472,31 +525,27 @@ deprecated[{deprecate_dashboard_loading}] endif::[] + ifdef::has_ml_jobs[] -Loads the initial setup, including Elasticsearch template, Kibana index pattern, -Kibana dashboards (when available), and Machine learning jobs. +Loads the initial setup, including Elasticsearch template, {kib} index pattern, +{kib} dashboards (when available), and Machine learning jobs. endif::[] ifndef::has_ml_jobs[] -Loads the initial setup, including Elasticsearch template, Kibana index pattern, and Kibana dashboards (when available). +Loads the initial setup, including Elasticsearch template, {kib} index pattern, and {kib} dashboards (when available). endif::[] If you want to use the command without running {beatname_uc}, use the <> command instead. ifeval::["{beatname_lc}"=="metricbeat"] - *`--system.hostfs MOUNT_POINT`*:: Specifies the mount point of the host's filesystem for use in monitoring a host from within a container. - endif::[] ifeval::["{beatname_lc}"=="packetbeat"] - *`-t`*:: Reads packets from the pcap file as fast as possible without sleeping. Use this option in combination with the `-I` option. The `-t` option is useful only for testing Packetbeat. - endif::[] {global-flags} 
@@ -522,8 +571,8 @@ Or: * The index template ensures that fields are mapped correctly in Elasticsearch. -* The Kibana dashboards make it easier for you to visualize {beatname_uc} data -in Kibana. +* The {kib} dashboards make it easier for you to visualize {beatname_uc} data +in {kib}. ifdef::has_ml_jobs[] * The machine learning jobs contain the configuration information and metadata @@ -545,7 +594,7 @@ environment without actually running {beatname_uc} and ingesting data. ifndef::deprecate_dashboard_loading[] *`--dashboards`*:: -Sets up the Kibana dashboards (when available). This option loads the dashboards +Sets up the {kib} dashboards (when available). This option loads the dashboards from the {beatname_uc} package. For more options, such as loading customized dashboards, see {beatsdevguide}/import-dashboards.html[Importing Existing Beat Dashboards] in the _Beats Developer Guide_. @@ -556,28 +605,24 @@ ifdef::deprecate_dashboard_loading[] deprecated[{deprecate_dashboard_loading}] + -Sets up the Kibana dashboards only. +Sets up the {kib} dashboards only. endif::[] *`-h, --help`*:: Shows help for the `setup` command. ifdef::has_ml_jobs[] - *`--machine-learning`*:: Sets up machine learning job configurations only. - endif::[] ifeval::["{beatname_lc}"=="filebeat"] - *`--modules MODULE_LIST`*:: Specifies a comma-separated list of modules. Use this flag to avoid errors when there are no modules defined in the +{beatname_lc}.yml+ file. *`--pipelines`*:: Sets up ingest pipelines for configured filesets. - endif::[] *`--template`*:: 
@@ -611,14 +656,12 @@ Sets up the index template only. Tests the configuration settings. ifeval::["{beatname_lc}"=="metricbeat"] - *`modules [MODULE_NAME] [METRICSET_NAME]`*:: Tests module settings for all configured modules. When you run this command, {beatname_uc} does a test run that applies the current settings, retrieves the metrics, and shows them as output. To test the settings for a specific module, specify `MODULE_NAME`. To test the settings for a specific metricset in the module, also specify `METRICSET_NAME`. - endif::[] *`output`*:: @@ -632,18 +675,15 @@ current settings. {global-flags} ifeval::["{beatname_lc}"!="metricbeat"] - *EXAMPLE* ["source","sh",subs="attributes"] ----- {beatname_lc} test config ----- - endif::[] ifeval::["{beatname_lc}"=="metricbeat"] - *EXAMPLES* ["source","sh",subs="attributes"] @@ -651,15 +691,39 @@ ifeval::["{beatname_lc}"=="metricbeat"] {beatname_lc} test config {beatname_lc} test modules system cpu ----- - endif::[] ifeval::[("{beatname_lc}"=="functionbeat")] [[update-command]] ==== `update` command -{update-command-short-desc}. +{update-command-short-desc}. Before updating functions, make sure the user has +the credentials required by your cloud service provider. +*SYNOPSIS* + +["source","sh",subs="attributes"] +---- +{beatname_lc} update FUNCTION_NAME [FLAGS] +---- + +*`FUNCTION_NAME`*:: +Specifies the name of the function to update. + +*FLAGS* + +*`-h, --help`*:: +Shows help for the `update` command. + +{global-flags} + +*EXAMPLES* + +["source","sh",subs="attributes"] +----- +{beatname_lc} update cloudwatch +{beatname_lc} update sqs +----- endif::[] [[version-command]] @@ -686,7 +750,7 @@ endif::[] ["source","sh",subs="attributes"] ----- {beatname_lc} version ----- +----- [float] 
@@ -708,7 +772,6 @@ This setting is applied to the currently running {beatname_uc} process. The {beatname_uc} configuration file is not changed. ifeval::["{beatname_lc}"=="filebeat"] - *`-M, --M "VAR_NAME=VALUE"`*:: Overrides the default configuration for a {beatname_uc} module. You can specify multiple variable overrides. For example: + @@ -716,7 +779,6 @@ ifeval::["{beatname_lc}"=="filebeat"] ---------------------------------------------------------------------- {beatname_lc} -modules=nginx -M "nginx.access.var.paths=['/var/log/nginx/access.log*']" -M "nginx.access.var.pipeline=no_plugins" ---------------------------------------------------------------------- - endif::[] *`-c, --c FILE`*:: diff --git a/libbeat/docs/dashboards.asciidoc b/libbeat/docs/dashboards.asciidoc index ea210d56c955..96bf17b5527e 100644 --- a/libbeat/docs/dashboards.asciidoc +++ b/libbeat/docs/dashboards.asciidoc @@ -58,6 +58,15 @@ ifdef::mac_os[] ---------------------------------------------------------------------- endif::mac_os[] +ifdef::linux_os[] +*linux:* + +["source","sh",subs="attributes"] +---------------------------------------------------------------------- +./{beatname_lc} setup --dashboards +---------------------------------------------------------------------- +endif::linux_os[] + ifdef::docker_platform[] *docker:* @@ -125,6 +134,19 @@ ifdef::mac_os[] ---- endif::mac_os[] +ifdef::linux_os[] +*linux:* + +["source","sh",subs="attributes"] +---- +./{beatname_lc} setup -e \ + -E output.logstash.enabled=false \ + -E output.elasticsearch.hosts=['localhost:9200'] \ + -E output.elasticsearch.username={beat_default_index_prefix}_internal \ + -E output.elasticsearch.password={pwd} \ + -E setup.kibana.host=localhost:5601 +---- +endif::linux_os[] ifdef::docker_platform[] *docker:* diff --git a/libbeat/docs/loggingconfig.asciidoc b/libbeat/docs/loggingconfig.asciidoc index e0ceef84837c..e0e87f66296d 100644 --- a/libbeat/docs/loggingconfig.asciidoc +++ b/libbeat/docs/loggingconfig.asciidoc 
@@ -14,12 +14,13 @@ == Configure logging The `logging` section of the +{beatname_lc}.yml+ config file contains options -for configuring the logging output. The logging system can write logs to -the syslog or rotate log files. If logging is not explicitly configured the file -output is used. +for configuring the logging output. +ifndef::serverless[] +The logging system can write logs to the syslog or rotate log files. If logging +is not explicitly configured the file output is used. ["source","yaml",subs="attributes"] --------------------------------------------------------------------------------- +---- logging.level: info logging.to_files: true logging.files: @@ -27,11 +28,32 @@ logging.files: name: {beatname_lc} keepfiles: 7 permissions: 0644 --------------------------------------------------------------------------------- +---- TIP: In addition to setting logging options in the config file, you can modify the logging output configuration from the command line. See <>. +endif::serverless[] + +ifdef::serverless[] +For example, the following options configure {beatname_uc} to log all the debug +messages related to event publishing: + +["source","yaml",subs="attributes"] +---- +logging.level: debug +logging.selectors: ["publish"] +---- + +The logs generated by {beatname_uc} are written to the CloudWatch log group for +the function running on Amazon Web Services (AWS). To view the logs, go to the +the monitoring area of the AWS Lambda console and view the CloudWatch log group +for the function. + +// TODO: When we add support for other cloud providers, we will need to modify +// this statement and possibly have a different attribute for each provider to +// show the correct text. +endif::serverless[] [float] === Configuration options @@ -39,6 +61,7 @@ the logging output configuration from the command line. See You can specify the following options in the `logging` section of the +{beatname_lc}.yml+ config file: +ifndef::serverless[] [float] ==== `logging.to_syslog` 
@@ -60,6 +83,7 @@ rotated when the log file size limit is reached. NOTE: {beatname_uc} only creates a log file if there is logging output. For example, if you set the log <> to `error` and there are no errors, there will be no log file in the directory specified for logs. +endif::serverless[] [float] [[level]] @@ -88,9 +112,11 @@ published. Also logs any warnings, errors, or critical errors. The list of debugging-only selector tags used by different {beatname_uc} components. Use `*` to enable debug output for all components. For example add `publish` to display -all the debug messages related to event publishing. When starting {beatname_lc}, -selectors can be overwritten using the `-d` command line option (`-d` also sets -the debug log level). +all the debug messages related to event publishing. +ifndef::serverless[] +When starting {beatname_lc}, selectors can be overwritten using the `-d` command +line option (`-d` also sets the debug log level). +endif::serverless[] [float] ==== `logging.metrics.enabled` @@ -110,12 +136,12 @@ Here is an example log line: Note that we currently offer no backwards compatible guarantees for the internal metrics and for this reason they are also not documented. - [float] ==== `logging.metrics.period` The period after which to log the internal metrics. The default is 30s. +ifndef::serverless[] [float] ==== `logging.files.path` @@ -163,12 +189,14 @@ Intervals must be at least 1s. Values of 1m, 1h, 24h, 7*24h, 30*24h, and 365*24h are boundary-aligned with minutes, hours, days, weeks, months, and years as reported by the local system clock. All other intervals are calculated from the unix epoch. Defaults to disabled. +endif::serverless[] [float] ==== `logging.json` When true, logs messages in JSON format. The default is false. +ifndef::serverless[] [float] ==== `logging.files.redirect_stderr` experimental[] 
@@ -178,6 +206,7 @@ will also be logged to the log file. This can be helpful in situations were Go's runtime but diagnostic information is not present in the log file. This feature is only available when logging to files (`logging.to_files` is true). Disabled by default. +endif::serverless[] [float] === Logging format diff --git a/libbeat/docs/reference-yml.asciidoc b/libbeat/docs/reference-yml.asciidoc index f506d61c3377..44361b4fe55d 100644 --- a/libbeat/docs/reference-yml.asciidoc +++ b/libbeat/docs/reference-yml.asciidoc @@ -5,9 +5,8 @@ The following reference file is available with your {beatname_uc} installation. shows all non-deprecated {beatname_uc} options. You can copy from this file and paste configurations into the +{beatname_lc}.yml+ file to customize it. -TIP: For rpm and deb, you'll find the reference configuration file at +/etc/{beatname_lc}/{beatname_lc}.reference.yml+. Under -Docker, it's located at +/usr/share/{beatname_lc}/{beatname_lc}.reference.yml+. For mac and win, -look in the archive that you just extracted. +TIP: The reference file is located in the same directory as the ++{beatname_lc}.yml+ file. To locate the file, see <>. The contents of the file are included here for your convenience. diff --git a/libbeat/docs/shared-template-load.asciidoc b/libbeat/docs/shared-template-load.asciidoc index f3d23d4d767e..f09aec8305eb 100644 --- a/libbeat/docs/shared-template-load.asciidoc +++ b/libbeat/docs/shared-template-load.asciidoc 
@@ -155,14 +155,24 @@ ifdef::mac_os[] ---- endif::mac_os[] -ifdef::mac_os[] +ifdef::linux_os[] +*linux:* + +["source","sh",subs="attributes"] +---- +./{beatname_lc} setup --template{disable_logstash} -E 'output.elasticsearch.hosts=["localhost:9200"]' +---- +endif::linux_os[] + + +ifdef::docker_platform[] *docker:* ["source","sh",subs="attributes"] ---------------------------------------------------------------------- docker run {dockerimage} setup --template{disable_logstash} -E 'output.elasticsearch.hosts=["localhost:9200"]' ---------------------------------------------------------------------- -endif::mac_os[] +endif::docker_platform[] ifdef::win_os[] ifndef::win_only[] @@ -187,7 +197,9 @@ endif::win_os[] If you've already used {beatname_uc} to index data into Elasticsearch, the index may contain old documents. After you load the index template, you can delete the old documents from +{beatname_lc}-*+ to force Kibana to look -at the newest documents. Use this command: +at the newest documents. + +Use this command: ifdef::deb_os,rpm_os[] *deb and rpm:* @@ -207,6 +219,15 @@ curl -XDELETE 'http://localhost:9200/{beatname_lc}-*' ---------------------------------------------------------------------- endif::mac_os[] +ifdef::linux_os[] +*linux:* + +["source","sh",subs="attributes"] +---------------------------------------------------------------------- +curl -XDELETE 'http://localhost:9200/{beatname_lc}-*' +---------------------------------------------------------------------- +endif::linux_os[] + ifdef::win_os[] ifndef::win_only[] *win:* @@ -249,6 +270,15 @@ ifdef::mac_os[] ---- endif::mac_os[] +ifdef::linux_os[] +*linux:* + +["source","sh",subs="attributes"] +---- +./{beatname_lc} export template > {beatname_lc}.template.json +---- +endif::linux_os[] + ifdef::win_os[] ifndef::win_only[] *win:* 
@@ -280,6 +310,15 @@ curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_template/{ ---- endif::mac_os[] +ifdef::linux_os[] +*linux:* + +["source","sh",subs="attributes"] +---- +curl -XPUT -H 'Content-Type: application/json' http://localhost:9200/_template/{beatname_lc}-{stack-version} -d@{beatname_lc}.template.json +---- +endif::linux_os[] + ifdef::win_os[] ifndef::win_only[] *win:* diff --git a/metricbeat/docs/gettingstarted.asciidoc b/metricbeat/docs/gettingstarted.asciidoc index d4fef139c0b3..75065798e8e9 100644 --- a/metricbeat/docs/gettingstarted.asciidoc +++ b/metricbeat/docs/gettingstarted.asciidoc @@ -84,6 +84,25 @@ tar xzvf {beatname_lc}-{version}-darwin-x86_64.tar.gz endif::[] +[[linux]] +*linux:* + +ifeval::["{release-state}"=="unreleased"] + +Version {stack-version} of {beatname_uc} has not yet been released. + +endif::[] + +ifeval::["{release-state}"!="unreleased"] + +["source","sh",subs="attributes"] +------------------------------------------------ +curl -L -O https://artifacts.elastic.co/downloads/beats/{beatname_lc}/{beatname_lc}-{version}-linux-x86_64.tar.gz +tar xzvf {beatname_lc}-{version}-linux-x86_64.tar.gz +------------------------------------------------ + +endif::[] + [[docker]] *docker:* @@ -178,7 +197,7 @@ The following examples enable the `apache` and `mysql` configs in the {beatname_lc} modules enable apache mysql ---- + -*mac:* +*mac and linux:* + ["source","sh",subs="attributes"] ---- 
@@ -243,13 +262,13 @@ sudo service {beatname_lc} start See <>. -*mac:* +*mac and linux:* ["source","sh",subs="attributes,callouts"] ---------------------------------------------------------------------- sudo chown root {beatname_lc}.yml <1> sudo chown root modules.d/system.yml <1> -sudo ./{beatname_lc} -e -c {beatname_lc}.yml +sudo ./{beatname_lc} -e ---------------------------------------------------------------------- <1> You'll be running {beatname_uc} as root, so you need to change ownership of the configuration file and any configurations enabled in the `modules.d` directory, diff --git a/metricbeat/docs/index.asciidoc b/metricbeat/docs/index.asciidoc index 7075cb96d880..bcf379225974 100644 --- a/metricbeat/docs/index.asciidoc +++ b/metricbeat/docs/index.asciidoc @@ -15,6 +15,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] :deb_os: :rpm_os: :mac_os: +:linux_os: :docker_platform: :win_os: diff --git a/packetbeat/docs/gettingstarted.asciidoc b/packetbeat/docs/gettingstarted.asciidoc index ba7ec090a739..60c3b978ce08 100644 --- a/packetbeat/docs/gettingstarted.asciidoc +++ b/packetbeat/docs/gettingstarted.asciidoc @@ -96,6 +96,25 @@ tar xzvf packetbeat-{version}-darwin-x86_64.tar.gz endif::[] +[[linux]] +*linux:* + +ifeval::["{release-state}"=="unreleased"] + +Version {stack-version} of {beatname_uc} has not yet been released. + +endif::[] + +ifeval::["{release-state}"!="unreleased"] + +["source","sh",subs="attributes,callouts"] +---------------------------------------------------------------------- +curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-{version}-linux-x86_64.tar.gz +tar xzvf packetbeat-{version}-linux-x86_64.tar.gz +---------------------------------------------------------------------- + +endif::[] + [[win]] *win:* 
@@ -272,12 +291,12 @@ sudo service {beatname_lc} start docker run {dockerimage} ---------------------------------------------------------------------- -*mac:* +*mac and linux:* [source,shell] ---------------------------------------------------------------------- sudo chown root packetbeat.yml <1> -sudo ./packetbeat -e -c packetbeat.yml +sudo ./packetbeat -e ---------------------------------------------------------------------- <1> You'll be running Packetbeat as root, so you need to change ownership of the configuration file, or run Packetbeat with `--strict.perms=false` specified. See diff --git a/packetbeat/docs/index.asciidoc b/packetbeat/docs/index.asciidoc index 920377164a6c..e1fb05c3459c 100644 --- a/packetbeat/docs/index.asciidoc +++ b/packetbeat/docs/index.asciidoc @@ -15,6 +15,7 @@ include::{asciidoc-dir}/../../shared/attributes.asciidoc[] :deb_os: :rpm_os: :mac_os: +:linux_os: :docker_platform: :win_os: