Elastic Beats
Elastic Beats is an open source platform for single-purpose data shippers. It is a solution for sending data from hundreds or thousands of machines and systems to Logstash or Elasticsearch.
Software pattern summary
The following table gives an overview of the pattern characteristics:
Product component | OS type | Versioning | Pattern depth |
|---|---|---|---|
| ElasticAuditbeat | UNIX, Windows | Active, Package | Instance-based |
| ElasticHeartbeat | UNIX, Windows | Active | Instance-based |
| ElasticPacketbeat | UNIX, Windows | Active, Package, Path | Instance-based |
Platforms supported by the pattern
The pattern discovers Elastic Beats deployments on the UNIX and Windows systems.
Identification
To run a discovery of the product, the pattern must be triggered. This section describes conditions under which the pattern can be triggered.
Software instance triggers
The following table gives details about the pattern trigger:
Pattern | Trigger node | Attribute | Condition | Argument |
|---|---|---|---|---|
| ElasticAuditbeat | DiscoveredProcess | cmd | matches | regex '\bauditbeat$' |
| or | ||||
| cmd | matches | regex '(?i)\bauditbeat\.exe$' | ||
| ElasticHeartbeat | DiscoveredProcess | cmd | matches | regex '\bhearbeat$' |
| or | ||||
| cmd | matches | regex '(?i)\bhearbeat\.exe$' | ||
| ElasticPacketbeat | DiscoveredProcess | cmd | matches | regex '\bpacketbeat$' |
| or | ||||
| cmd | matches | regex '(?i)\bpacketbeat\.exe$' | ||
Software Instance type attributes
The pattern in this module sets the following attribute:
Pattern name | SI type |
|---|---|
| ElasticAuditbeat | Elastic Auditbeat |
| ElasticHeartbeat | Elastic Heartbeat |
| ElasticPacketbeat | Elastic Packetbeat |
Simple identification mappings
The following components/processes are identified by using the simple identity mappings that map the product's known processes:
Name | Command |
|---|---|
| Elastic Auditbeat | regex '\bauditbeat$' |
| Elastic Auditbeat | regex '(?i)\bauditbeat\.exe$' |
| Elastic Heartbeat | regex '\bheartbeat$' |
| Elastic Heartbeat | regex '(?i)\bheartbeat\.exe$' |
| Elastic Packetbeat | regex '\bpacketbeat$' |
| Elastic Packetbeat | regex '(?i)\bpacketbeat\.exe$' |
Versioning
Version information for the product is collected by using the active, package and path versioning methods.
Instance
The ElasticHeartbeat pattern gets the instance name from the configuration file.
Installation root
The ElasticHeartbeat pattern gets the installation root from the trigger process by parsing against one of the following regular expressions:
- (?i)^(.+)[\\/]heartbeat(?:\.exe)?$
- \-\-path\.home\s['\"]?([\w\:\s\\/]+)['\"]?
Active versioning
The ElasticAuditbeat, ElasticHeartbeat and ElasticPacketbeat patterns attempt to extract the version from the output of the following command:
by parsing against the following regular expression:
Package Versioning
The ElasticAuditbeat and ElasticPacketbeat patterns attempt to extract the version from a package by matching on the following regular expression:
| Pattern | Regular Expression |
| ElasticAuditbeat | regex "^auditbeat$" |
| ElasticPacketbeat | regex "^packetbeat$" |
Path Versioning
The ElasticPacketbeat pattern attempts to extract the version from the trigger process path by matching against the following regular expression:
- regex "Elastic\\Beats\\(\d+(?:\.\d+)*)\\packetbeat"
Application model
If the pattern discovers a SoftwareInstance of Elastic Beats, it defines the software instance's architecture in the form of the application model.
Pattern trigger
The ElasticAuditbeat pattern is triggered by a auditbeat or auditbeat.exe process.
The ElasticHeartbeat pattern is triggered by a heartbeat or heartbeat.exe process.
The ElasticPacketbeat pattern is triggered by a packetbeat or packetbeat.exe process.
SI depth
The ElasticAuditbeat pattern creates an instance-based software instance with the key based on the config file (if available), type, and host key.
The ElasticHeartbeat pattern creates an instance-based software instance with the key based on the instance name (if available), config file (if available), type, and host key.
The ElasticPacketbeat pattern creates an instance-based software instance with the key based on the type and host key.
Relationship creation
The ElasticHeartbeat pattern attempts to create a dependency relationship between Elastic Heartbeat and Elastic Kibana.
The ElasticHeartbeat pattern attempts to create a dependency relationship between Elastic Heartbeat and Elasticsearch.
Subject matter expertise
Inputs from subject matter experts are welcome on any other potential approaches not discussed in this topic.
Testing
The pattern has been tested against the available customer data.
Open issues
There are no known open issues with this pattern.