Elastic Beats
Elastic Beats is an open source platform for single-purpose data shippers. It is a solution for sending data from hundreds or thousands of machines and systems to Logstash or Elasticsearch.
- Elastic Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them to Elasticsearch or Logstash for indexing.
- Elastic Metricbeat is a monitoring tool.
- Elastic Winlogbeat ships Windows event logs to Elasticsearch or Logstash.
Software pattern summary
The following table gives an overview of the pattern characteristics:
Product component | OS type | Versioning | Pattern depth |
|---|---|---|---|
| ElasticAuditbeat | UNIX, Windows | Active, Package | Instance-based |
| Filebeat Agent | UNIX | Active, Package, Path | Instance-based |
| Filebeat Agent | Windows | Active, Path | Instance-based |
| ElasticHeartbeat | UNIX, Windows | Active | Instance-based |
| ElasticPacketbeat | UNIX, Windows | Active, Package, Path | Instance-based |
Platforms supported by the pattern
The pattern discovers Elastic Beats deployments on the UNIX and Windows systems.
Identification
To run a discovery of the product, the pattern must be triggered. This section describes conditions under which the pattern can be triggered.
Software instance triggers
The following table gives details about the pattern trigger:
Pattern | Trigger node | Attribute | Condition | Argument |
|---|---|---|---|---|
| ElasticAuditbeat | DiscoveredProcess | cmd | matches | regex '\bauditbeat$' |
| or | ||||
| cmd | matches | regex '(?i)\bauditbeat\.exe$' | ||
| Filebeat Agent | DiscoveredProcess | cmd | matches | regex '\bfilebeat(?:-god)?$' |
| or | ||||
| cmd | matches | regex '(?i)\bfilebeat\.exe$' | ||
| ElasticHeartbeat | DiscoveredProcess | cmd | matches | regex '\bhearbeat$' |
| or | ||||
| cmd | matches | regex '(?i)\bhearbeat\.exe$' | ||
| Elastic Metricbeat | DiscoveredProcess | cmd | matches | regex '(?i)\bmetricbeat(?:\d+)?\.exe$' |
| ElasticPacketbeat | DiscoveredProcess | cmd | matches | regex '\bpacketbeat$' |
| or | ||||
| cmd | matches | regex '(?i)\bpacketbeat\.exe$' | ||
| ElasticWinlogbeat | DiscoveredProcess | cmd | matches | regex '(?i)\bwinlogbeat(?:\d+)?\.exe$' |
Software Instance type attributes
The pattern in this module sets the following attribute:
Pattern name | SI type |
|---|---|
| ElasticAuditbeat | Elastic Auditbeat |
| ElasticFilebeat | Elastic Filebeat |
| ElasticHeartbeat | Elastic Heartbeat |
| ElasticMetricbeat | Elastic Metricbeat |
| ElasticPacketbeat | Elastic Packetbeat |
| ElasticWinlogbeat | Elastic Winlogbeat |
SoftwareInstance attributes
The Winlogbeat pattern creates a SoftwareInstance with a set of attributes.
Default attributes
The Winlogbeat pattern creates the following default attributes:
- name
- short_name
- version
- product_version
Optional attribute
The Winlogbeat pattern obtains the install root from the path to the trigger process:
- install_root
Additional attribute
The Winlogbeat pattern obtains the data path from the path.data option of the trigger process.
- data_path
Simple identification mappings
The following components/processes are identified by using the simple identity mappings that map the product's known processes:
Name | Command |
|---|---|
| Elastic Auditbeat | regex '\bauditbeat$' |
| Elastic Auditbeat | regex '(?i)\bauditbeat\.exe$' |
| Elastic Filebeat | regex '\bfilebeat$' |
| Elastic Filebeat Go daemon | regex '\bfilebeat-god$' |
| Elastic Filebeat | regex '(?i)\bfilebeat\.exe$' |
| Elastic Heartbeat | regex '\bheartbeat$' |
| Elastic Heartbeat | regex '(?i)\bheartbeat\.exe$' |
| Elastic Metricbeat | regex '\bmetricbeat$' |
| Elastic Metricbeat | regex '(?i)\bmetricbeat\.exe$' |
| Elastic Packetbeat | regex '\bpacketbeat$' |
| Elastic Packetbeat | regex '(?i)\bpacketbeat\.exe$' |
| Elastic Winlogbeat | regex '(?i)\bwinlogbeat(?:\d+)?\.exe$' |
Versioning
Version information for the product is collected by using one of the following methods: active versioning, package versioning, and path versioning.
The methods are tried in the order of precedence based on the likely success and accuracy of the information that can be gathered. After a result is obtained, the methods that are lower in precedence are not attempted.
In order of precedence, the methods are used as follows:
Instance
The ElasticHeartbeat pattern gets the instance name from the configuration file.
Installation root
The ElasticHeartbeat pattern gets the installation root from the trigger process by parsing against one of the following regular expressions:
- (?i)^(.+)[\\/]heartbeat(?:\.exe)?$
- \-\-path\.home\s['\"]?([\w\:\s\\/]+)['\"]?
Active versioning
The ElasticAuditbeat, ElasticHeartbeat and ElasticPacketbeat patterns attempt to extract the version from the output of the following command:
by parsing against the following regular expression:
The Filebeat Agent pattern runs <process_cmd> version. Then, the pattern extracts a version from its results by parsing against one of the following regular expressions:
The Winlogbeat pattern runs the following command:
Then, the Winlogbeat pattern extracts the full version from the results by using the following regular expression:
The Metricbeat pattern runs the following command:
Then, the Metricbeat pattern obtains the install root and the path to the .yml file from the trigger process. If the pattern cannot obtain the path to the yml_filename, it runs the following command:
Package Versioning
The ElasticAuditbeat and ElasticPacketbeat patterns attempt to extract the version from a package by matching on the following regular expression:
| Pattern | Regular Expression |
| ElasticAuditbeat | regex "^auditbeat$" |
| ElasticFilebeat | regex "^filebeat$" |
| ElasticMetricbeat | regex "metricbeat" |
| ElasticPacketbeat | regex "^packetbeat$" |
Path Versioning
The Filebeat Agent pattern supports path versioning.
The path regex functionality allows a regular expression to be applied against the process command line to derive a version number from the command path or arguments.
Versioning is performed by reading information within the command-line path by using the following regular expression:
The ElasticPacketbeat pattern attempts to extract the version from the trigger process path by matching against the following regular expression:
- regex "Elastic\\Beats\\(\d+(?:\.\d+)*)\\packetbeat"
If all previous attempts have failed, the Metricbeat pattern tries to get a version from process cmd by using the following regex:
If active versioning fails, the Winlogbeat pattern attempts to extract the version from the trigger process leafname by using the following regular expression:
If the regex returns version 32 or 64, these are discarded as relating to the processor architecture.
Application model
If the pattern discovers a SoftwareInstance of Elastic Beats, it defines the software instance's architecture in the form of the application model.
Pattern trigger
The ElasticAuditbeat pattern is triggered by a auditbeat or auditbeat.exe process.
The ElasticHeartbeat pattern is triggered by a heartbeat or heartbeat.exe process.
The ElasticPacketbeat pattern is triggered by a packetbeat or packetbeat.exe process.
SI depth
The ElasticAuditbeat pattern creates an instance-based software instance with the key based on the config file (if available), type, and host key.
The Filebeat Agent pattern creates an instance-based SoftwareInstance with a key based on the type and the host key.
The ElasticHeartbeat pattern creates an instance-based software instance with the key based on the instance name (if available), config file (if available), type, and host key.
The Metricbeat pattern creates an instance-based SoftwareInstance with the key based on the yml_filename, type, and host key. The type is Elastic Metricbeat.
The ElasticPacketbeat pattern creates an instance-based software instance with the key based on the type and host key.
The ElasticWinlogbeat pattern creates an instance-based SoftwareInstance with the key based on the data path, type, and host key. Elastic Winlogbeat is the type.
Relationship creation
The Filebeat Agent pattern attempts to create a dependency link with Elasticsearch, Kafka, and Logstash.
The ElasticHeartbeat pattern attempts to create a dependency relationship between Elastic Heartbeat and Elastic Kibana.
The ElasticHeartbeat pattern attempts to create a dependency relationship between Elastic Heartbeat and Elasticsearch.
The metricbeat pattern obtains details of the linked SI from the metricbeat.yml file. The links that the pattern creates are the following:
SI type | metricbeat.yml file parsing |
|---|---|
Search for setup.kibana: host: "<hostname>:<port>" | |
Search for output.elasticsearch: hosts: ["https://<hostname>:<port>"] |
The pattern creates a client-server link. The Metricbeat Software Instance is the client.
Subject matter expertise
Inputs from subject matter experts are welcome on any other potential approaches not discussed in this topic.
Testing
The pattern has been tested against the available customer data.
Open issues
There are no known open issues with this pattern.