From 32558b5b049f2d8aeb9965b3124166efaa792f22 Mon Sep 17 00:00:00 2001 From: Toby McLaughlin Date: Tue, 23 May 2017 18:19:22 +1000 Subject: [PATCH 1/3] Add docs for Docker images (#4312) --- filebeat/docs/getting-started.asciidoc | 47 ++++++++------ filebeat/docs/index.asciidoc | 3 + filebeat/docs/running-on-docker.asciidoc | 1 + heartbeat/docs/getting-started.asciidoc | 41 +++++++------ heartbeat/docs/index.asciidoc | 5 +- heartbeat/docs/running-on-docker.asciidoc | 1 + libbeat/docs/dashboards.asciidoc | 23 ++++--- libbeat/docs/shared-configuring.asciidoc | 10 +++ libbeat/docs/shared-directory-layout.asciidoc | 14 ++++- libbeat/docs/shared-docker.asciidoc | 61 +++++++++++++++++++ .../docs/shared-download-and-install.asciidoc | 13 ++++ libbeat/docs/shared-template-load.asciidoc | 7 +++ metricbeat/docs/gettingstarted.asciidoc | 50 ++++++++------- metricbeat/docs/index.asciidoc | 5 +- ...er.asciidoc => running-on-docker.asciidoc} | 57 +++++++---------- packetbeat/docs/gettingstarted.asciidoc | 45 ++++++++------ packetbeat/docs/index.asciidoc | 3 + packetbeat/docs/running-on-docker.asciidoc | 29 +++++++++ 18 files changed, 287 insertions(+), 128 deletions(-) create mode 100644 filebeat/docs/running-on-docker.asciidoc create mode 100644 heartbeat/docs/running-on-docker.asciidoc create mode 100644 libbeat/docs/shared-configuring.asciidoc create mode 100644 libbeat/docs/shared-docker.asciidoc create mode 100644 libbeat/docs/shared-download-and-install.asciidoc rename metricbeat/docs/{metricbeat-in-a-container.asciidoc => running-on-docker.asciidoc} (69%) create mode 100644 packetbeat/docs/running-on-docker.asciidoc diff --git a/filebeat/docs/getting-started.asciidoc b/filebeat/docs/getting-started.asciidoc index 25fdf6c6a755..bcc9908e8d98 100644 --- a/filebeat/docs/getting-started.asciidoc +++ b/filebeat/docs/getting-started.asciidoc 
@@ -27,17 +27,7 @@ After installing the Elastic Stack, read the following topics to learn how to in Before running Filebeat, you need to install and configure the Elastic stack. See {libbeat}/getting-started.html[Getting Started with Beats and the Elastic Stack]. -To download and install Filebeat, use the commands that work with your system -(<> for Debian/Ubuntu, <> for Redhat/Centos/Fedora, <> for OS X, and <> for Windows). - -[NOTE] -================================================== -If you use Apt or Yum, you can <> to update to the newest version more easily. - -See our https://www.elastic.co/downloads/beats/filebeat[download page] for other installation options, such as 32-bit images. - -================================================== +include::../../libbeat/docs/shared-download-and-install.asciidoc[] [[deb]] *deb:* @@ -96,6 +86,24 @@ tar xzvf filebeat-{version}-darwin-x86_64.tar.gz endif::[] +[[docker]] +*docker:* + +ifeval::["{release-state}"=="unreleased"] + +Version {stack-version} of {beatname_uc} has not yet been released. + +endif::[] + +ifeval::["{release-state}"!="unreleased"] + +["source", "shell", subs="attributes"] +------------------------------------------------ +docker pull {dockerimage} +------------------------------------------------ + +endif::[] + [[win]] *win:* 
@@ -139,15 +147,7 @@ started, you can skip the content in this section, including the remaining getting started steps, and go directly to the <> page. -To configure Filebeat manually, you edit the configuration file. For rpm and deb, -you'll find the configuration file at `/etc/filebeat/filebeat.yml`. For mac and -win, look in the archive that you just extracted. There’s also a full example -configuration file called `filebeat.full.yml` that shows all non-deprecated -options. - -See the -{libbeat}/config-file-format.html[Config File Format] section of the -_Beats Platform Reference_ for more about the structure of the config file. +include::../../libbeat/docs/shared-configuring.asciidoc[] Here is a sample of the `filebeat` section of the `filebeat.yml` file. Filebeat uses predefined default values for most configuration options. @@ -240,6 +240,13 @@ sudo /etc/init.d/filebeat start sudo /etc/init.d/filebeat start ---------------------------------------------------------------------- +*docker:* + +["source", "shell", subs="attributes"] +---------------------------------------------------------------------- +docker run {dockerimage} +---------------------------------------------------------------------- + *mac:* [source,shell] diff --git a/filebeat/docs/index.asciidoc b/filebeat/docs/index.asciidoc index f33c2b3059ce..e208215a077f 100644 --- a/filebeat/docs/index.asciidoc +++ b/filebeat/docs/index.asciidoc @@ -15,6 +15,7 @@ include::../../libbeat/docs/version.asciidoc[] :beatname_lc: filebeat :beatname_uc: Filebeat :security: X-Pack Security +:dockerimage: docker.elastic.co/beats/{beatname_lc}:{version} include::./overview.asciidoc[] @@ -28,6 +29,8 @@ include::../../libbeat/docs/shared-directory-layout.asciidoc[] include::../../libbeat/docs/repositories.asciidoc[] +include::./running-on-docker.asciidoc[] + include::./upgrading.asciidoc[] include::./how-filebeat-works.asciidoc[] 
diff --git a/filebeat/docs/running-on-docker.asciidoc b/filebeat/docs/running-on-docker.asciidoc new file mode 100644 index 000000000000..6bbc976ad853 --- /dev/null +++ b/filebeat/docs/running-on-docker.asciidoc @@ -0,0 +1 @@ +include::../../libbeat/docs/shared-docker.asciidoc[] diff --git a/heartbeat/docs/getting-started.asciidoc b/heartbeat/docs/getting-started.asciidoc index 2bd228c464e8..89ba6c0a7498 100644 --- a/heartbeat/docs/getting-started.asciidoc +++ b/heartbeat/docs/getting-started.asciidoc @@ -32,17 +32,7 @@ monitor are running. //TODO: Add a separate topic that explores deployment scenarios in more detail (like installing on a sub-network where there's a firewall etc. -To download and install Heartbeat, use the commands that work with your -system (<> for Debian/Ubuntu, <> for Redhat/Centos/Fedora, -<> for OS X, and <> for Windows). - -[NOTE] -================================================== -If you use Apt or Yum, you can <> to update to the newest version more easily. - -See our https://www.elastic.co/downloads/beats/heartbeat[download page] for other installation options, such as 32-bit images. - -================================================== +include::../../libbeat/docs/shared-download-and-install.asciidoc[] [[deb]] *deb:* @@ -101,6 +91,25 @@ tar xzvf heartbeat-{version}-darwin-x86_64.tar.gz endif::[] + +[[docker]] +*docker:* + +ifeval::["{release-state}"=="unreleased"] + +Version {stack-version} of {beatname_uc} has not yet been released. + +endif::[] + +ifeval::["{release-state}"!="unreleased"] + +["source", "shell", subs="attributes"] +------------------------------------------------ +docker pull {dockerimage} +------------------------------------------------ + +endif::[] + [[win]] *win:* 
@@ -147,15 +156,7 @@ options, see <>. [[heartbeat-configuration]] === Step 2: Configuring Heartbeat -To configure Heartbeat, you edit the configuration file. For rpm and deb, -you'll find the configuration file at +/etc/heartbeat/heartbeat.yml+. -For mac and win, look in the archive that you just extracted. There’s also a -full example configuration file called `heartbeat.full.yml` that shows all -non-deprecated options. - -See the -{libbeat}/config-file-format.html[Config File Format] section of the -_Beats Platform Reference_ for more about the structure of the config file. +include::../../libbeat/docs/shared-configuring.asciidoc[] Heartbeat provides monitors to check the status of hosts at set intervals. You configure each monitor individually. Heartbeat currently provides monitors diff --git a/heartbeat/docs/index.asciidoc b/heartbeat/docs/index.asciidoc index 680217e1d8f1..90a4318504f7 100644 --- a/heartbeat/docs/index.asciidoc +++ b/heartbeat/docs/index.asciidoc @@ -15,6 +15,7 @@ include::../../libbeat/docs/version.asciidoc[] :beatname_lc: heartbeat :beatname_uc: Heartbeat :security: X-Pack Security +:dockerimage: docker.elastic.co/beats/{beatname_lc}:{version} include::./overview.asciidoc[] @@ -26,6 +27,8 @@ include::../../libbeat/docs/shared-directory-layout.asciidoc[] include::../../libbeat/docs/repositories.asciidoc[] +include::./running-on-docker.asciidoc[] + // //include::./upgrading.asciidoc[] @@ -57,5 +60,5 @@ include::./troubleshooting.asciidoc[] include::./faq.asciidoc[] -// +// //include::./heartbeat-devguide.asciidoc[] diff --git a/heartbeat/docs/running-on-docker.asciidoc b/heartbeat/docs/running-on-docker.asciidoc new file mode 100644 index 000000000000..6bbc976ad853 --- /dev/null +++ b/heartbeat/docs/running-on-docker.asciidoc @@ -0,0 +1 @@ +include::../../libbeat/docs/shared-docker.asciidoc[] diff --git a/libbeat/docs/dashboards.asciidoc b/libbeat/docs/dashboards.asciidoc index 210649156b91..d4ac6e2684db 100644 
--- a/libbeat/docs/dashboards.asciidoc +++ b/libbeat/docs/dashboards.asciidoc @@ -16,7 +16,7 @@ {beatname_uc} comes packaged with the `scripts/import_dashboards` script that you can use to import the example dashboards, visualizations, and searches for {beatname_uc}. The script also creates an index pattern, -+{beatname_lc}-*+, for {beatname_uc}. ++{beatname_lc}-*+, for {beatname_uc}. The steps in this section show how to import {beatname_uc} dashboards. You may want to import dashboards for more than one Beat or specify import options that aren't described here. See {libbeat}/import-dashboards.html[Importing Existing Beat Dashboards] 
@@ -28,21 +28,28 @@ ifdef::allplatforms[] *deb, rpm, and mac:* -From the directory where you installed {beatname_uc}, run the `import_dashboards` script. +From the directory where you installed {beatname_uc}, run the `import_dashboards` script. ["source","sh",subs="attributes,callouts"] ---------------------------------------------------------------------- ./scripts/import_dashboards ---------------------------------------------------------------------- -On deb and rpm, the `scripts` folder is located under the home path, which is +/usr/share/{beatname_lc}/+ unless you change it. +*docker:* + +["source","sh",subs="attributes"] +---------------------------------------------------------------------- +docker run {dockerimage} ./scripts/import_dashboards +---------------------------------------------------------------------- + +On deb, rpm, and docker, the `scripts` folder is located under the home path, which is +/usr/share/{beatname_lc}/+ unless you change it. By default, the script assumes that you are running Elasticsearch on `127.0.0.1:9200`. Use the `-es` option -to specify a different location. For example: +to specify a different location. For example: ["source","sh",subs="attributes,callouts"] ---------------------------------------------------------------------- -./scripts/import_dashboards -es http://192.168.33.60:9200 +./scripts/import_dashboards -es http://192.168.33.60:9200 ---------------------------------------------------------------------- Use the `-user` option to specify the username and password to use for Elasticsearch authentication. There are a few ways to pass 
@@ -51,7 +58,7 @@ in the username and password. For example: ["source","sh",subs="attributes,callouts"] ----------------------------------------------------------------------- ./scripts/import_dashboards -es https://xyz.found.io -user user -pass password <1> -./scripts/import_dashboards -es https://xyz.found.io -user admin -pass $(cat ~/pass-file) <2> +./scripts/import_dashboards -es https://xyz.found.io -user admin -pass $(cat ~/pass-file) <2> ----------------------------------------------------------------------- <1> Specify the username and password as options. @@ -63,7 +70,7 @@ endif::allplatforms[] Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select *Run As Administrator*). If you are running Windows XP, you may need -to download and install PowerShell. +to download and install PowerShell. From the PowerShell prompt, change to the directory where you installed {beatname_uc}, and run the `import_dashboards.exe` script: @@ -103,6 +110,6 @@ pattern is selected to see {beatname_uc} data. image:./images/kibana-created-indexes.png[Discover tab with index selected] To open the loaded dashboards, go to the *Dashboard* page and select the -dashboard that you want to open. +dashboard that you want to open. image:./images/kibana-navigation-vis.png[Navigation widget in Kibana] diff --git a/libbeat/docs/shared-configuring.asciidoc b/libbeat/docs/shared-configuring.asciidoc new file mode 100644 index 000000000000..265bbc2b5468 --- /dev/null +++ b/libbeat/docs/shared-configuring.asciidoc 
@@ -0,0 +1,10 @@ +To configure {beatname_uc}, you edit the configuration file. For rpm and deb, +you'll find the configuration file at +/etc/{beatname_lc}/{beatname_lc}.yml+. Under +Docker, it's located at +/usr/share/{beatname_lc}/{beatname_lc}.yml+. For mac and win, +look in the archive that you just extracted. There’s also a full example +configuration file called +{beatname_lc}.full.yml+ that shows all non-deprecated +options. + +See the +{libbeat}/config-file-format.html[Config File Format] section of the +_Beats Platform Reference_ for more about the structure of the config file. diff --git a/libbeat/docs/shared-directory-layout.asciidoc b/libbeat/docs/shared-directory-layout.asciidoc index fcc6218ec286..06822e77b741 100644 --- a/libbeat/docs/shared-directory-layout.asciidoc +++ b/libbeat/docs/shared-directory-layout.asciidoc @@ -29,7 +29,7 @@ file. ==== Default paths -{beatname_uc} uses the following default paths unless you explicitly change them. +{beatname_uc} uses the following default paths unless you explicitly change them. [float] ===== deb and rpm @@ -48,6 +48,18 @@ the systemd unit file. Make sure that you start the {beatname_uc} service by us the preferred operating system method (init scripts or `systemctl`). Otherwise the paths might be set incorrectly. +[float] +===== docker +[cols="> for Debian/Ubuntu, <> for Redhat/Centos/Fedora, <> for OS X, <> for any Docker platform, and <> for +Windows). + +[NOTE] +================================================== +If you use Apt or Yum, you can <> to update to the newest version more easily. + +See our https://www.elastic.co/downloads/beats/{beatname_lc}[download page] for +other installation options, such as 32-bit images. +================================================== diff --git a/libbeat/docs/shared-template-load.asciidoc b/libbeat/docs/shared-template-load.asciidoc index 3ce8def274c5..6970581d18d0 100644 --- a/libbeat/docs/shared-template-load.asciidoc 
+++ b/libbeat/docs/shared-template-load.asciidoc @@ -78,6 +78,13 @@ cd {beatname_lc}-{version}-darwin-x86_64 curl -H 'Content-Type: application/json' -XPUT 'http://localhost:9200/_template/{beatname_lc}' -d@{beatname_lc}.template.json ---------------------------------------------------------------------- +*docker:* + +["source", "sh", subs="attributes"] +---------------------------------------------------------------------- +docker run --rm {dockerimage} curl -H 'Content-Type: application/json' -XPUT 'http://localhost:9200/_template/{beatname_lc}' -d@{beatname_lc}.template.json +---------------------------------------------------------------------- + *win:* endif::allplatforms[] diff --git a/metricbeat/docs/gettingstarted.asciidoc b/metricbeat/docs/gettingstarted.asciidoc index d80d88081c7e..59cee7073bec 100644 --- a/metricbeat/docs/gettingstarted.asciidoc +++ b/metricbeat/docs/gettingstarted.asciidoc @@ -34,19 +34,7 @@ traffic or prevent Metricbeat from collecting metrics when there are network problems. Metrics from multiple Metricbeat instances will be combined on the Elasticsearch server. -To download and install Metricbeat, use the commands that work with your system -(<> for Debian/Ubuntu, <> for Redhat/Centos/Fedora, <> for OS X, and <> for Windows). - -[NOTE] -================================================== -If you use Apt or Yum, you can -<> to -update to the newest version more easily. - -See our https://www.elastic.co/downloads/beats/metricbeat[download page] for -other installation options, such as 32-bit images. -================================================== +include::../../libbeat/docs/shared-download-and-install.asciidoc[] [[deb]] *deb:* 
@@ -105,6 +93,24 @@ tar xzvf metricbeat-{version}-darwin-x86_64.tar.gz endif::[] +[[docker]] +*docker:* + +ifeval::["{release-state}"=="unreleased"] + +Version {stack-version} of {beatname_uc} has not yet been released. + +endif::[] + +ifeval::["{release-state}"!="unreleased"] + +["source", "shell", subs="attributes"] +------------------------------------------------ +docker pull {dockerimage} +------------------------------------------------ + +endif::[] + [[win]] *win:* @@ -151,15 +157,7 @@ For more information about these options, see [[metricbeat-configuration]] === Step 2: Configuring Metricbeat -To configure Metricbeat, you edit the configuration file. For rpm and deb, -you'll find the configuration file at `/etc/metricbeat/metricbeat.yml`. For mac -and win, look in the archive that you just extracted. There’s also a full -example configuration file called `metricbeat.full.yml` that shows all -non-deprecated options. - -See the -{libbeat}/config-file-format.html[Config File Format] section of the -_Beats Platform Reference_ for more about the structure of the config file. +include::../../libbeat/docs/shared-configuring.asciidoc[] Metricbeat uses <> to collect metrics. You configure each module individually. The following example shows the default configuration @@ -249,6 +247,7 @@ start Metricbeat in the foreground. ---------------------------------------------------------------------- sudo /etc/init.d/metricbeat start ---------------------------------------------------------------------- + *rpm:* [source,shell] @@ -256,6 +255,13 @@ sudo /etc/init.d/metricbeat start sudo /etc/init.d/metricbeat start ---------------------------------------------------------------------- +*docker:* + +["source", "shell", subs="attributes"] +---------------------------------------------------------------------- +docker run {dockerimage} +---------------------------------------------------------------------- + *mac:* [source,shell] 
diff --git a/metricbeat/docs/index.asciidoc b/metricbeat/docs/index.asciidoc index 9454e1709310..68e699dec69e 100644 --- a/metricbeat/docs/index.asciidoc +++ b/metricbeat/docs/index.asciidoc @@ -11,6 +11,7 @@ include::../../libbeat/docs/version.asciidoc[] :beatname_lc: metricbeat :beatname_uc: Metricbeat :security: X-Pack Security +:dockerimage: docker.elastic.co/beats/{beatname_lc}:{version} include::./overview.asciidoc[] @@ -22,12 +23,12 @@ include::../../libbeat/docs/shared-directory-layout.asciidoc[] include::../../libbeat/docs/repositories.asciidoc[] +include::./running-on-docker.asciidoc[] + include::./upgrading.asciidoc[] include::./how-metricbeat-works.asciidoc[] -include::./metricbeat-in-a-container.asciidoc[] - include::./configuring-howto.asciidoc[] include::./metricbeat-filtering.asciidoc[] diff --git a/metricbeat/docs/metricbeat-in-a-container.asciidoc b/metricbeat/docs/running-on-docker.asciidoc similarity index 69% rename from metricbeat/docs/metricbeat-in-a-container.asciidoc rename to metricbeat/docs/running-on-docker.asciidoc index d15a43b36f40..f9c5c7d50a41 100644 --- a/metricbeat/docs/metricbeat-in-a-container.asciidoc +++ b/metricbeat/docs/running-on-docker.asciidoc 
@@ -1,45 +1,25 @@ -[[running-in-container]] -== Running Metricbeat in a Container - -ifeval::["{release-state}"=="released"] - -[NOTE] -================================================== -The https://github.com/elastic/beats-docker[official Docker images] for Beats -are available from the Elastic Docker registry. To retrieve the images, simply -issue the `docker pull` command: - -+docker pull docker.elastic.co/beats/metricbeat:{stack-version}+. - -The images are currently under development and should be considered -alpha-quality. We strongly recommend that you do not run these images -in a production environment. - -================================================== - -endif::[] +include::../../libbeat/docs/shared-docker.asciidoc[] +[float] +[[monitoring-host]] +=== Monitoring the Host Machine When executing Metricbeat in a container, there are some important things to be aware of if you want to monitor the host machine or other containers. Let's walk-through some examples using Docker as our container orchestration tool. -[float] -[[monitoring-host]] -=== Monitoring the Host Machine - This example highlights the changes required to make the system module work properly inside of a container. This enables Metricbeat to monitor the host machine from within the container. ["source","sh",subs="attributes"] ---- -sudo docker run \ +docker run \ --volume=/proc:/hostfs/proc:ro \ <1> --volume=/sys/fs/cgroup:/hostfs/sys/fs/cgroup:ro \ <2> --volume=/:/hostfs:ro \ <3> --net=host <4> - docker.elastic.co/beats/metricbeat:{stack-version} -system.hostfs=/hostfs + {dockerimage} -system.hostfs=/hostfs ---- <1> Metricbeat's <> collects much of its data through the Linux proc 
@@ -49,8 +29,8 @@ container's `/proc` is different than the host's `/proc`. To account for this, y can mount the host's `/proc` filesystem inside of the container and tell Metricbeat to look inside the `/hostfs` directory when looking for `/proc` by using the `-system.hostfs=/hostfs` CLI flag. -<2> If cgroup reporting is enabled for the -<>, then you need +<2> By default, cgroup reporting is enabled for the +<>, so you need to mount the host's cgroup mountpoints within the container. They need to be mounted inside the directory specified by the `-system.hostfs` CLI flag. <3> If you want to be able to monitor filesystems from the host by using the 
@@ -62,23 +42,28 @@ to make this file contain the host's network devices is to use the `--net=host` flag. This is due to Linux namespacing; simply bind mounting the host's `/proc` to `/hostfs/proc` is not sufficient. +NOTE: The special filesystems +/proc+ and +/sys+ are only available if the +host system is running Linux. Attempts to bind-mount these filesystems will +fail on Windows and MacOS. + [float] [[monitoring-service]] === Monitoring a Service in Another Container -Next let's look at an example of monitoring a containerized service from a +Next, let's look at an example of monitoring a containerized service from a Metricbeat container. ["source","sh",subs="attributes"] ---- -sudo docker run \ - --link some-mysql:mysql \ <1> +docker run \ + --network=mysqlnet \ <1> -e MYSQL_PASSWORD=secret \ <2> - docker.elastic.co/beats/metricbeat:{stack-version}  + {dockerimage} ---- -<1> Linking the containers enables Metricbeat access the exposed ports of the -mysql container, and it makes the hostname `mysql` resolvable to Metricbeat. +<1> Placing the Metricbeat and MySQL containers on the same Docker network +allows Metricbeat access to the exposed ports of the MySQL container, and +makes the hostname `mysql` resolvable to Metricbeat. <2> If you do not want to hardcode certain values into your Metricbeat configuration, then you can pass them into the container either as environment variables or as command line flags to Metricbeat (see the `-E` CLI flag in <>). @@ -95,7 +80,7 @@ metricbeat.modules: password: ${MYSQL_PASSWORD} <2> ---- -<1> The `mysql` hostname will resolve to the `some-mysql` container's address. +<1> The `mysql` hostname will resolve to the address of a container +named `mysql` on the `mysqlnet` Docker network. <2> The `MYSQL_PASSWORD` variable will be evaluated at startup. If the variable is not set, this will lead to an error at startup. - 
diff --git a/packetbeat/docs/gettingstarted.asciidoc b/packetbeat/docs/gettingstarted.asciidoc index f08e8ece675f..881306929cc4 100644 --- a/packetbeat/docs/gettingstarted.asciidoc +++ b/packetbeat/docs/gettingstarted.asciidoc @@ -25,16 +25,7 @@ After installing the Elastic Stack, read the following topics to learn how to in [[packetbeat-installation]] === Step 1: Installing Packetbeat -To download and install Packetbeat on your application servers, use the commands -that work with your system (<> for Debian/Ubuntu, <> for -Redhat/Centos/Fedora, <> for OS X, and <> for Windows). - -[NOTE] -================================================== -If you use Apt or Yum, you can <> to update to the newest version more easily. - -See our https://www.elastic.co/downloads/beats/packetbeat[download page] for other installation options, such as 32-bit images. -================================================== +include::../../libbeat/docs/shared-download-and-install.asciidoc[] [[deb]] *deb:* @@ -76,6 +67,24 @@ sudo rpm -vi packetbeat-{version}-x86_64.rpm endif::[] +[[docker]] +*docker:* + +ifeval::["{release-state}"=="unreleased"] + +Version {stack-version} of {beatname_uc} has not yet been released. + +endif::[] + +ifeval::["{release-state}"!="unreleased"] + +["source", "shell", subs="attributes"] +------------------------------------------------ +docker pull {dockerimage} +------------------------------------------------ + +endif::[] + [[mac]] *mac:* 
@@ -138,14 +147,7 @@ more information about these options, see <>. [[configuring-packetbeat]] === Step 2: Configuring Packetbeat -To configure Packetbeat, you edit the configuration file. For rpm and deb, you'll -find the configuration file at `/etc/packetbeat/packetbeat.yml`. For mac and win, look in -the archive that you just extracted. There’s also a full example configuration file called -`packetbeat.full.yml` that shows all non-deprecated options. - -See the -{libbeat}/config-file-format.html[Config File Format] section of the -_Beats Platform Reference_ for more about the structure of the config file. +include::../../libbeat/docs/shared-configuring.asciidoc[] To configure Packetbeat: @@ -272,6 +274,13 @@ sudo /etc/init.d/packetbeat start sudo /etc/init.d/packetbeat start ---------------------------------------------------------------------- +*docker:* + +["source", "shell", subs="attributes"] +---------------------------------------------------------------------- +docker run {dockerimage} +---------------------------------------------------------------------- + *mac:* [source,shell] diff --git a/packetbeat/docs/index.asciidoc b/packetbeat/docs/index.asciidoc index d79960ea100f..063549a4d849 100644 --- a/packetbeat/docs/index.asciidoc +++ b/packetbeat/docs/index.asciidoc @@ -16,6 +16,7 @@ include::../../libbeat/docs/version.asciidoc[] :beatname_lc: packetbeat :beatname_uc: Packetbeat :security: X-Pack Security +:dockerimage: docker.elastic.co/beats/{beatname_lc}:{version} include::./overview.asciidoc[] @@ -28,6 +29,8 @@ include::../../libbeat/docs/shared-directory-layout.asciidoc[] include::../../libbeat/docs/repositories.asciidoc[] +include::./running-on-docker.asciidoc[] + include::./upgrading.asciidoc[] include::./configuring-howto.asciidoc[] diff --git a/packetbeat/docs/running-on-docker.asciidoc b/packetbeat/docs/running-on-docker.asciidoc new file mode 100644 index 000000000000..fd939cc46f4d --- /dev/null +++ b/packetbeat/docs/running-on-docker.asciidoc 
@@ -0,0 +1,29 @@ +include::../../libbeat/docs/shared-docker.asciidoc[] + +=== Required Network Capabilities + +Under Docker, Packetbeat runs as a non-root user, but requires some privileged +network capabilities to operate correctly. Ensure that the +NET_ADMIN+ +capability is available to the container. + +["source","sh",subs="attributes"] +---- +docker run --cap-add=NET_ADMIN {dockerimage} +---- + +=== Capturing Traffic from the Host System + +By default, Docker networking will connect the Packetbeat container to an +isolated virtual network, with a limited view of network traffic. You may wish +to connect the container directly to the host network in order to see traffic +destined for, and originating from, the host system. With +docker run+, this can +be achieved by specifying +--network=host+. + +["source","sh",subs="attributes"] +---- +docker run --cap-add=NET_ADMIN --network=host {dockerimage} +---- + +NOTE: On Windows and MacOS, specifying +--network=host+ will bind the +container's network interface to the virtual interface of Docker's embedded +Linux virtual machine, not to the physical interface of the host system. From 07d93c25a473445908d69a58df3f395d87b17694 Mon Sep 17 00:00:00 2001 From: DeDe Morton Date: Fri, 26 May 2017 13:24:48 -0700 Subject: [PATCH 2/3] Provide more detail on log levels --- filebeat/docs/command-line.asciidoc | 2 +- filebeat/docs/getting-started.asciidoc | 4 +-- filebeat/docs/migration.asciidoc | 2 +- heartbeat/docs/command-line.asciidoc | 2 +- heartbeat/docs/getting-started.asciidoc | 4 +-- libbeat/docs/loggingconfig.asciidoc | 43 ++++++++++++++++++------ packetbeat/docs/command-line.asciidoc | 2 +- packetbeat/docs/gettingstarted.asciidoc | 4 +-- winlogbeat/docs/command-line.asciidoc | 2 +- winlogbeat/docs/getting-started.asciidoc | 2 +- 10 files changed, 44 insertions(+), 23 deletions(-) diff --git a/filebeat/docs/command-line.asciidoc b/filebeat/docs/command-line.asciidoc index 32bf1b78d38c..60eabbbca35c 100644 
--- a/filebeat/docs/command-line.asciidoc +++ b/filebeat/docs/command-line.asciidoc @@ -1,4 +1,4 @@ -[[filebeat-command-line]] +[[command-line-options]] === Command Line Options The following command line option is specific to Filebeat. diff --git a/filebeat/docs/getting-started.asciidoc b/filebeat/docs/getting-started.asciidoc index bcc9908e8d98..1de38f458411 100644 --- a/filebeat/docs/getting-started.asciidoc +++ b/filebeat/docs/getting-started.asciidoc @@ -18,7 +18,7 @@ After installing the Elastic Stack, read the following topics to learn how to in * <> * <> * <> -* <> +* <> * <> [[filebeat-installation]] @@ -223,7 +223,7 @@ include::../../libbeat/docs/shared-template-load.asciidoc[] Start Filebeat by issuing the appropriate command for your platform. NOTE: If you use an init.d script to start Filebeat on deb or rpm, you can't -specify command line flags (see <>). To specify flags, +specify command line flags (see <>). To specify flags, start Filebeat in the foreground. *deb:* diff --git a/filebeat/docs/migration.asciidoc b/filebeat/docs/migration.asciidoc index 8f4b18ba6799..254f87f9305f 100644 --- a/filebeat/docs/migration.asciidoc +++ b/filebeat/docs/migration.asciidoc @@ -304,7 +304,7 @@ options with Logstash Forwarder, make sure that you add your options to the configuration file. For naming changes, see <>. Filebeat does provide command line options that are common to all Beats. For more details about -these options, see <>. +these options, see <>. [[renamed-options]] [float] diff --git a/heartbeat/docs/command-line.asciidoc b/heartbeat/docs/command-line.asciidoc index e04b93370123..4e3fb5a71fa8 100644 --- a/heartbeat/docs/command-line.asciidoc +++ b/heartbeat/docs/command-line.asciidoc @@ -1,4 +1,4 @@ -[[heartbeat-command-line]] +[[command-line-options]] === Command Line Options Heartbeat does not have any Heartbeat-specific command line options. 
diff --git a/heartbeat/docs/getting-started.asciidoc b/heartbeat/docs/getting-started.asciidoc index 89ba6c0a7498..f0f76a0be7f0 100644 --- a/heartbeat/docs/getting-started.asciidoc +++ b/heartbeat/docs/getting-started.asciidoc @@ -18,7 +18,7 @@ install, configure, and run Heartbeat: * <> * <> * <> -* <> +* <> * <> @@ -234,7 +234,7 @@ include::../../libbeat/docs/shared-template-load.asciidoc[] Start Heartbeat by issuing the appropriate command for your platform. NOTE: If you use an init.d script to start Heartbeat on deb or rpm, you can't -specify command line flags (see <>). To specify flags, +specify command line flags (see <>). To specify flags, start Heartbeat in the foreground. *deb:* diff --git a/libbeat/docs/loggingconfig.asciidoc b/libbeat/docs/loggingconfig.asciidoc index df7d7e11f12b..2a27cf7d5c04 100644 --- a/libbeat/docs/loggingconfig.asciidoc +++ b/libbeat/docs/loggingconfig.asciidoc @@ -15,8 +15,8 @@ The `logging` section of the +{beatname_lc}.yml+ config file contains options for configuring the Beats logging output. The logging system can write logs to -syslog or rotate log files. If logging is not explicitly configured, file output -is used on Windows systems, and syslog output is used on Linux and OS X. +the syslog or rotate log files. If logging is not explicitly configured, file +output is used on Windows systems, and syslog output is used on Linux and OS X. [source,yaml] ------------------------------------------------------------------------------ @@ -29,8 +29,9 @@ logging.files: keepfiles: 7 ------------------------------------------------------------------------------ -In addition to the logging system, the logging output configuration can be -modified from the command line. +TIP: In addition to setting logging options in the config file, you can modify +the logging output configuration from the command line. See +<>. ==== Logging Options 
@@ -38,20 +39,40 @@ You can specify the following options in the `logging` section of the +{beatname ===== to_syslog -If enabled, sends all logging output to syslog. The default -value is false. +When true, writes all logging output to the syslog. ===== to_files -Writes all logging output to files subject to file rotation. The -default value is true. +When true, writes all logging output to files. The log files are automatically +rotated when the log file size limit is reached. +NOTE: {beatname_uc} only creates a log file if there is logging output. For +example, if you set the log <> to `error` and there are no errors, +there will be no log file in the directory specified for logs. + +[[level]] ===== level -Minimum log level. One of debug, info, warning, error or critical. If debug is -used, but no selectors are configured, the `*` selector will be used. -The default log level is "info". +Minimum log level. One of `debug`, `info`, `warning`, `error`, or `critical`. +The default log level is `info`. + +`debug`:: Logs debug messages, including a detailed printout of all events +flushed by the Beat. Also logs informational messages, warnings, errors, and +critical errors. When the log level is `debug`, you can specify a list of +<> to display debug messages for specific components. +If no selectors are specified, the `*` selector is used to display debug +messages for all components. + +`info`:: Logs informational messages, including the number of events +that are published. Also logs any warnings, errors, or critical errors. + +`warning`:: Logs warnings, errors, and critical errors. + +`error`:: Logs errors and critical errors. + +`critical`:: Logs critical errors only. +[[selectors]] ===== selectors The list of debugging-only selector tags used by different Beats components. Use `*` diff --git a/packetbeat/docs/command-line.asciidoc b/packetbeat/docs/command-line.asciidoc index e9738a2948c6..f3d347dd0331 100644 --- a/packetbeat/docs/command-line.asciidoc 
+++ b/packetbeat/docs/command-line.asciidoc @@ -1,4 +1,4 @@ -[[packetbeat-command]] +[[command-line-options]] === Command Line Options The following command line options are available for Packetbeat. To use these options, diff --git a/packetbeat/docs/gettingstarted.asciidoc b/packetbeat/docs/gettingstarted.asciidoc index 881306929cc4..8b087e04011d 100644 --- a/packetbeat/docs/gettingstarted.asciidoc +++ b/packetbeat/docs/gettingstarted.asciidoc @@ -19,7 +19,7 @@ After installing the Elastic Stack, read the following topics to learn how to in * <> * <> * <> -* <> +* <> * <> [[packetbeat-installation]] @@ -257,7 +257,7 @@ include::../../libbeat/docs/shared-template-load.asciidoc[] Run Packetbeat by issuing the command that is appropriate for your platform. NOTE: If you use an init.d script to start Packetbeat on deb or rpm, you can't -specify command line flags (see <>). To specify flags, +specify command line flags (see <>). To specify flags, start Packetbeat in the foreground. *deb:* diff --git a/winlogbeat/docs/command-line.asciidoc b/winlogbeat/docs/command-line.asciidoc index 32b63d7c6b0c..a45e37b844da 100644 --- a/winlogbeat/docs/command-line.asciidoc +++ b/winlogbeat/docs/command-line.asciidoc @@ -1,4 +1,4 @@ -[[winlogbeat-command-line-options]] +[[command-line-options]] === Command Line Options Winlogbeat does not have any Winlogbeat-specific command line options. Instead, diff --git a/winlogbeat/docs/getting-started.asciidoc b/winlogbeat/docs/getting-started.asciidoc index 0696f8e096b3..bc5f5b656d7d 100644 --- a/winlogbeat/docs/getting-started.asciidoc +++ b/winlogbeat/docs/getting-started.asciidoc @@ -19,7 +19,7 @@ After installing the Elastic Stack, read the following topics to learn how to in * <> * <> * <> -* <> +* <> * <> [[winlogbeat-installation]] From 8a27a856a416aa11b582af3dc0cf749be7dc03dc Mon Sep 17 00:00:00 2001 
From: DeDe Morton Date: Fri, 26 May 2017 20:15:00 -0700 Subject: [PATCH 3/3] Add simple examples that illustrate multiline settings --- filebeat/docs/images/false-after-multi.png | Bin 0 -> 3115 bytes filebeat/docs/images/false-before-multi.png | Bin 0 -> 3163 bytes filebeat/docs/images/true-after-multi.png | Bin 0 -> 3535 bytes filebeat/docs/images/true-before-multi.png | Bin 0 -> 3636 bytes .../configuration/filebeat-options.asciidoc | 10 +++++----- 5 files changed, 5 insertions(+), 5 deletions(-) create mode 100644 filebeat/docs/images/false-after-multi.png create mode 100644 filebeat/docs/images/false-before-multi.png create mode 100644 filebeat/docs/images/true-after-multi.png create mode 100644 filebeat/docs/images/true-before-multi.png 
diff --git a/filebeat/docs/images/false-after-multi.png b/filebeat/docs/images/false-after-multi.png new file mode 100644 index 0000000000000000000000000000000000000000..1918c531d2392a5ea78e4762f9c1d6a546c4826a GIT binary patch literal 3115
diff --git a/filebeat/docs/images/true-after-multi.png b/filebeat/docs/images/true-after-multi.png new file mode 100644 index 0000000000000000000000000000000000000000..a77af69d974ab2eef78eae4af7d9194518f48da7 GIT binary patch literal 3535
diff --git a/filebeat/docs/images/true-before-multi.png b/filebeat/docs/images/true-before-multi.png new file mode 100644 index 0000000000000000000000000000000000000000..dc6bfcafbe9f600f7702e605ead469b076e816ef GIT binary patch literal 3636
diff --git a/filebeat/docs/reference/configuration/filebeat-options.asciidoc b/filebeat/docs/reference/configuration/filebeat-options.asciidoc index 1ec4687086fd..759c4e92b8de 100644 --- a/filebeat/docs/reference/configuration/filebeat-options.asciidoc
+++ b/filebeat/docs/reference/configuration/filebeat-options.asciidoc @@ -388,11 +388,11 @@ somewhat from the patterns supported by Logstash. See <> for a l + [options="header"] |======================= -|Setting for `negate` | Setting for `match` | Result -|`false` | `after` | Consecutive lines that match the pattern are appended to the previous line that doesn't match. -|`false` | `before` | Consecutive lines that match the pattern are prepended to the next line that doesn't match. -|`true` | `after` | Consecutive lines that don't match the pattern are appended to the previous line that does match. -|`true` | `before` | Consecutive lines that don't match the pattern are prepended to the next line that does match. +|Setting for `negate` | Setting for `match` | Result | Example `pattern: ^b` +|`false` | `after` | Consecutive lines that match the pattern are appended to the previous line that doesn't match. | image:./images/false-after-multi.png[Lines a b b c b b become "abb" and "cbb"] +|`false` | `before` | Consecutive lines that match the pattern are prepended to the next line that doesn't match. | image:./images/false-before-multi.png[Lines b b a b b c become "bba" and "bbc"] +|`true` | `after` | Consecutive lines that don't match the pattern are appended to the previous line that does match. | image:./images/true-after-multi.png[Lines b a c b d e become "bac" and "bde"] +|`true` | `before` | Consecutive lines that don't match the pattern are prepended to the next line that does match. | image:./images/true-before-multi.png[Lines a c b d e b become "acb" and "deb"] |======================= + NOTE: The `after` setting is equivalent to `previous` in https://www.elastic.co/guide/en/logstash/current/plugins-codecs-multiline.html[Logstash], and `before` is equivalent to `next`.
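Review bot: The old anchor IDs removed in the four command-line.asciidoc hunks (`[[filebeat-command-line]]`, `[[heartbeat-command-line]]`, `[[packetbeat-command]]`, `[[winlogbeat-command-line-options]]`) get no alias or redirect, so any cross-reference or inbound link still pointing at them stops resolving once `[[command-line-options]]` takes their place. The visible hunks update the references in each Beat's getting-started file and in filebeat/docs/migration.asciidoc; please grep the rest of the docs tree for the four old IDs before merging. Because the new TIP in libbeat/docs/loggingconfig.asciidoc is shared text, every Beat that includes that file also needs to define `[[command-line-options]]`, which is worth stating in the commit message so the constraint is not lost later.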
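Review bot: In the `@@ -38,20 +39,40 @@` hunk of libbeat/docs/loggingconfig.asciidoc, the rewritten `to_syslog` and `to_files` descriptions drop the "The default value is ..." sentences and now state no default at all. If they were removed because the default depends on the platform (the intro paragraph in the first hunk says file output on Windows and syslog on Linux and OS X), say so under each option or link back to that paragraph. The `to_files` text also mentions "the log file size limit" without naming the setting that controls it. Separately, the new `debug` entry says it logs "a detailed printout of all events flushed by the Beat"; since that copies event contents into the log files or the syslog, a sentence telling readers to handle debug logs with the same care as the shipped events would be a useful addition.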
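Review bot: In the filebeat-options.asciidoc hunk, the new "Example `pattern: ^b`" column carries its four examples only as PNG images, so they cannot be searched, copied or reviewed in a text diff; the alt text (for example, Lines a b b c b b become "abb" and "cbb") is the only reviewable form of each example. Consider putting the before and after lines in the cell as text, or in a short literal block under the table, and keeping the images as a supplement. Also, the image targets are written as `./images/...` while this file lives in reference/configuration/ and the PNGs are added under filebeat/docs/images/; please confirm that the path resolves from the top-level document in the built guide. The header cell would read more clearly as "Example (`pattern: ^b`)".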