diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index bd8e65070e0..bacd4f7ac46 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -162,6 +162,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Improve ECS field mappings in aws module. {issue}16154[16154] {pull}16307[16307] - Improve ECS categorization field mappings in googlecloud module. {issue}16030[16030] {pull}16500[16500] - Improve ECS field mappings in haproxy module. {issue}16162[16162] {pull}16529[16529] +- Add cloudwatch fileset and ec2 fileset in aws module. {issue}13716[13716] {pull}16579[16579] - Improve ECS categorization field mappings in kibana module. {issue}16168[16168] {pull}16652[16652] - Improve the decode_cef processor by reducing the number of memory allocations. {pull}16587[16587] - Add `cloudfoundry` input to send events from Cloud Foundry. {pull}16586[16586] diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index e37b70dc0db..d8493968f5c 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -1309,6 +1309,29 @@ type: keyword -- Identifies the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3. +type: keyword + +-- + +[float] +=== cloudwatch + +Fields for AWS CloudWatch logs. + + +[float] +=== ec2 + +Fields for AWS EC2 logs in CloudWatch. + + + +*`aws.ec2.ip_address`*:: ++ +-- +The internet address of the requester. + + type: keyword -- diff --git a/filebeat/docs/modules/aws.asciidoc b/filebeat/docs/modules/aws.asciidoc index 8e0abbc83bb..e266726bdd4 100644 --- a/filebeat/docs/modules/aws.asciidoc +++ b/filebeat/docs/modules/aws.asciidoc @@ -33,7 +33,7 @@ Example config: [source,yaml] ---- - module: aws - s3access: + cloudtrail: enabled: false #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue #var.shared_credential_file: /etc/filebeat/aws_credentials 
@@ -42,50 +42,51 @@ Example config: #var.api_timeout: 120s #var.endpoint: amazonaws.com - elb: + cloudwatch: enabled: false - - # AWS SQS queue url #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + #var.shared_credential_file: /etc/filebeat/aws_credentials + #var.credential_profile_name: fb-aws + #var.visibility_timeout: 300s + #var.api_timeout: 120s + #var.endpoint: amazonaws.com - # Filename of AWS credential file - # If not set "$HOME/.aws/credentials" is used on Linux/Mac - # "%UserProfile%\.aws\credentials" is used on Windows - # var.shared_credential_file: /etc/filebeat/aws_credentials - - # Profile name for aws credential - # If not set the default profile is used - # var.credential_profile_name: fb-aws - - vpcflow: + ec2: enabled: false - - # AWS SQS queue url #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + #var.shared_credential_file: /etc/filebeat/aws_credentials + #var.credential_profile_name: fb-aws + #var.visibility_timeout: 300s + #var.api_timeout: 120s + #var.endpoint: amazonaws.com - # Filename of AWS credential file - # If not set "$HOME/.aws/credentials" is used on Linux/Mac - # "%UserProfile%\.aws\credentials" is used on Windows - # var.shared_credential_file: /etc/filebeat/aws_credentials - - # Profile name for aws credential - # If not set the default profile is used - # var.credential_profile_name: fb-aws - - cloudtrail: + elb: enabled: false + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + #var.shared_credential_file: /etc/filebeat/aws_credentials + #var.credential_profile_name: fb-aws + #var.visibility_timeout: 300s + #var.api_timeout: 120s + #var.endpoint: amazonaws.com - # AWS SQS queue url + s3access: + enabled: false #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + #var.shared_credential_file: /etc/filebeat/aws_credentials + #var.credential_profile_name: fb-aws + #var.visibility_timeout: 300s + #var.api_timeout: 120s + #var.endpoint: amazonaws.com - # Filename 
of AWS credential file - # If not set "$HOME/.aws/credentials" is used on Linux/Mac - # "%UserProfile%\.aws\credentials" is used on Windows - # var.shared_credential_file: /etc/filebeat/aws_credentials + vpcflow: + enabled: false + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + #var.shared_credential_file: /etc/filebeat/aws_credentials + #var.credential_profile_name: fb-aws + #var.visibility_timeout: 300s + #var.api_timeout: 120s + #var.endpoint: amazonaws.com - # Profile name for aws credential - # If not set the default profile is used - # var.credential_profile_name: fb-aws ---- *`var.queue_url`*:: @@ -122,6 +123,22 @@ The `cloudtrail` fileset does not read the CloudTrail Digest files that are delivered to the S3 bucket when Log File Integrity is turned on, it only reads the CloudTrail logs. +[float] +=== cloudwatch fileset + +Users can use Amazon CloudWatch Logs to monitor, store, and access log files +from different sources. Export logs from log groups to an Amazon S3 bucket which +has SQS notification setup already. This fileset will parse these logs into +`timestamp` and `message` field. + +[float] +=== ec2 fileset + +This fileset is specifically for EC2 logs stored in AWS CloudWatch. Export logs +from log groups to Amazon S3 bucket which has SQS notification setup already. +With this fileset, EC2 logs will be parsed into fields like `ip` +and `program_name`. For logs from other services, please use `cloudwatch` fileset. + [float] === elb fileset diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index 782ed798853..188c7485f94 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -96,7 +96,33 @@ filebeat.modules: #--------------------------------- AWS Module --------------------------------- - module: aws - s3access: + cloudtrail: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # The duration that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + cloudwatch: enabled: false # AWS SQS queue url @@ -148,7 +174,7 @@ filebeat.modules: # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com - vpcflow: + s3access: enabled: false # AWS SQS queue url @@ -174,7 +200,7 @@ filebeat.modules: # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com - cloudtrail: + vpcflow: enabled: false # AWS SQS queue url diff --git a/x-pack/filebeat/module/aws/_meta/config.yml b/x-pack/filebeat/module/aws/_meta/config.yml index ee54cc54558..7a338340d04 100644 --- a/x-pack/filebeat/module/aws/_meta/config.yml +++ b/x-pack/filebeat/module/aws/_meta/config.yml 
@@ -1,5 +1,31 @@ - module: aws - s3access: + cloudtrail: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # The duration that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + cloudwatch: enabled: false # AWS SQS queue url @@ -51,7 +77,7 @@ # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com - vpcflow: + s3access: enabled: false # AWS SQS queue url @@ -77,7 +103,7 @@ # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com - cloudtrail: + vpcflow: enabled: false # AWS SQS queue url diff --git a/x-pack/filebeat/module/aws/_meta/docs.asciidoc b/x-pack/filebeat/module/aws/_meta/docs.asciidoc index e8fa73a923b..983d8174d85 100644 --- a/x-pack/filebeat/module/aws/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/aws/_meta/docs.asciidoc @@ -28,7 +28,7 @@ Example config: [source,yaml] ---- - module: aws - s3access: + cloudtrail: enabled: false #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue #var.shared_credential_file: /etc/filebeat/aws_credentials 
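Review bot: No `ec2:` stanza is added to `_meta/config.yml`, although this commit introduces the ec2 fileset and the docs example lists it: the hunks add `cloudtrail:` and `cloudwatch:` and rename the later stanzas to `s3access:` and `vpcflow:`. Going by the hunk line numbers, only one untouched block sits between `cloudwatch:` and `s3access:` (presumably `elb:`, which is outside the visible lines). I would add an `ec2:` block after `cloudwatch:` with `enabled: false` and the same commented `var.*` settings, so operators decide explicitly whether this log source is collected. `filebeat.reference.yml` and `modules.d/aws.yml.disabled` show the same gap and look derived from this file.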
@@ -37,50 +37,51 @@ Example config: #var.api_timeout: 120s #var.endpoint: amazonaws.com - elb: + cloudwatch: enabled: false - - # AWS SQS queue url #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + #var.shared_credential_file: /etc/filebeat/aws_credentials + #var.credential_profile_name: fb-aws + #var.visibility_timeout: 300s + #var.api_timeout: 120s + #var.endpoint: amazonaws.com - # Filename of AWS credential file - # If not set "$HOME/.aws/credentials" is used on Linux/Mac - # "%UserProfile%\.aws\credentials" is used on Windows - # var.shared_credential_file: /etc/filebeat/aws_credentials - - # Profile name for aws credential - # If not set the default profile is used - # var.credential_profile_name: fb-aws - - vpcflow: + ec2: enabled: false - - # AWS SQS queue url #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + #var.shared_credential_file: /etc/filebeat/aws_credentials + #var.credential_profile_name: fb-aws + #var.visibility_timeout: 300s + #var.api_timeout: 120s + #var.endpoint: amazonaws.com - # Filename of AWS credential file - # If not set "$HOME/.aws/credentials" is used on Linux/Mac - # "%UserProfile%\.aws\credentials" is used on Windows - # var.shared_credential_file: /etc/filebeat/aws_credentials - - # Profile name for aws credential - # If not set the default profile is used - # var.credential_profile_name: fb-aws - - cloudtrail: + elb: enabled: false + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + #var.shared_credential_file: /etc/filebeat/aws_credentials + #var.credential_profile_name: fb-aws + #var.visibility_timeout: 300s + #var.api_timeout: 120s + #var.endpoint: amazonaws.com - # AWS SQS queue url + s3access: + enabled: false #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + #var.shared_credential_file: /etc/filebeat/aws_credentials + #var.credential_profile_name: fb-aws + #var.visibility_timeout: 300s + #var.api_timeout: 120s + #var.endpoint: amazonaws.com - # Filename 
of AWS credential file - # If not set "$HOME/.aws/credentials" is used on Linux/Mac - # "%UserProfile%\.aws\credentials" is used on Windows - # var.shared_credential_file: /etc/filebeat/aws_credentials + vpcflow: + enabled: false + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + #var.shared_credential_file: /etc/filebeat/aws_credentials + #var.credential_profile_name: fb-aws + #var.visibility_timeout: 300s + #var.api_timeout: 120s + #var.endpoint: amazonaws.com - # Profile name for aws credential - # If not set the default profile is used - # var.credential_profile_name: fb-aws ---- *`var.queue_url`*:: @@ -117,6 +118,22 @@ The `cloudtrail` fileset does not read the CloudTrail Digest files that are delivered to the S3 bucket when Log File Integrity is turned on, it only reads the CloudTrail logs. +[float] +=== cloudwatch fileset + +Users can use Amazon CloudWatch Logs to monitor, store, and access log files +from different sources. Export logs from log groups to an Amazon S3 bucket which +has SQS notification setup already. This fileset will parse these logs into +`timestamp` and `message` field. + +[float] +=== ec2 fileset + +This fileset is specifically for EC2 logs stored in AWS CloudWatch. Export logs +from log groups to Amazon S3 bucket which has SQS notification setup already. +With this fileset, EC2 logs will be parsed into fields like `ip` +and `program_name`. For logs from other services, please use `cloudwatch` fileset. + [float] === elb fileset diff --git a/x-pack/filebeat/module/aws/cloudwatch/_meta/fields.yml b/x-pack/filebeat/module/aws/cloudwatch/_meta/fields.yml new file mode 100644 index 00000000000..844c13309d6 --- /dev/null +++ b/x-pack/filebeat/module/aws/cloudwatch/_meta/fields.yml @@ -0,0 +1,7 @@ +- name: cloudwatch + type: group + release: beta + default_field: false + description: > + Fields for AWS CloudWatch logs. + fields: 
diff --git a/x-pack/filebeat/module/aws/cloudwatch/config/cloudwatch.yml b/x-pack/filebeat/module/aws/cloudwatch/config/cloudwatch.yml
new file mode 100644
index 00000000000..2af7bebff30
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudwatch/config/cloudwatch.yml
@@ -0,0 +1,22 @@
+type: s3
+queue_url: {{ .queue_url }}
+
+{{ if .credential_profile_name }}
+credential_profile_name: {{ .credential_profile_name }}
+{{ end }}
+
+{{ if .shared_credential_file }}
+shared_credential_file: {{ .shared_credential_file }}
+{{ end }}
+
+{{ if .visibility_timeout }}
+visibility_timeout: {{ .visibility_timeout }}
+{{ end }}
+
+{{ if .api_timeout }}
+api_timeout: {{ .api_timeout }}
+{{ end }}
+
+{{ if .endpoint }}
+endpoint: {{ .endpoint }}
+{{ end }}
diff --git a/x-pack/filebeat/module/aws/cloudwatch/config/file.yml b/x-pack/filebeat/module/aws/cloudwatch/config/file.yml
new file mode 100644
index 00000000000..8bfbcc9f802
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudwatch/config/file.yml
@@ -0,0 +1,6 @@
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+ - {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
diff --git a/x-pack/filebeat/module/aws/cloudwatch/ingest/pipeline.yml b/x-pack/filebeat/module/aws/cloudwatch/ingest/pipeline.yml
new file mode 100644
index 00000000000..d1f65f3ba85
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudwatch/ingest/pipeline.yml
@@ -0,0 +1,25 @@
+description: "Pipeline for CloudWatch logs"
+
+processors:
+ - grok:
+ field: message
+ patterns:
+ - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{SYSLOGTIMESTAMP:_tmp.syslog_timestamp} %{GREEDYDATA:message}"
+ - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{GREEDYDATA:message}"
+
+ - date:
+ field: '_tmp.timestamp'
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - 'ISO8601'
+
+ - remove:
+ field:
+ - _tmp
+ ignore_missing: true
+
+on_failure:
+ - set:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }}"
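Review bot: The pattern in `exclude_files: [".gz$"]` in `cloudwatch/config/file.yml` leaves the dot unescaped, so it excludes any path ending in one arbitrary character followed by `gz`, not only `.gz` archives. Escaping the dot states the intent: `exclude_files: ['\.gz$']`. The same line appears in `ec2/config/file.yml`.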
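Review bot: `ignore_failure: true` on the `date` processor in `cloudwatch/ingest/pipeline.yml` hides a timestamp that fails to parse: the event keeps whatever `@timestamp` it already had and nothing marks it, which skews any timeline built from these logs. I would drop `ignore_failure` and give the processor its own `on_failure` that appends `{{ _ingest.on_failure_message }}` to `error.message`, in the same way the pipeline-level handler reports grok failures. The grok also overwrites `message` and the `remove` step deletes `_tmp`, so the raw line and the syslog timestamp are not available after ingest; copying the raw line to `event.original` first would keep it for investigations. The ec2 pipeline carries the same `date` block, and the fixture in this commit appears to exercise only the first grok pattern.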
diff --git a/x-pack/filebeat/module/aws/cloudwatch/manifest.yml b/x-pack/filebeat/module/aws/cloudwatch/manifest.yml
new file mode 100644
index 00000000000..b71b96bbef1
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudwatch/manifest.yml
@@ -0,0 +1,14 @@
+module_version: 1.0
+
+var:
+ - name: input
+ default: s3
+ - name: queue_url
+ - name: shared_credential_file
+ - name: credential_profile_name
+ - name: visibility_timeout
+ - name: api_timeout
+ - name: endpoint
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/{{.input}}.yml
diff --git a/x-pack/filebeat/module/aws/cloudwatch/test/cloudwatch_ec2.log b/x-pack/filebeat/module/aws/cloudwatch/test/cloudwatch_ec2.log
new file mode 100644
index 00000000000..4487fdf08d2
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudwatch/test/cloudwatch_ec2.log
@@ -0,0 +1,6 @@
+2020-02-20T07:01:01.000Z Feb 20 07:01:01 ip-172-31-81-156 systemd: Stopping User Slice of root.
+2020-02-20T07:02:18.000Z Feb 20 07:02:18 ip-172-31-81-156 dhclient[3000]: XMT: Solicit on eth0, interval 125240ms.
+2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPREQUEST on eth0 to 172.31.80.1 port 67 (xid=0x4575af22)
+2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPACK from 172.31.80.1 (xid=0x4575af22)
+2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: bound to 172.31.81.156 -- renewal in 1599 seconds.
+2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s
diff --git a/x-pack/filebeat/module/aws/cloudwatch/test/cloudwatch_ec2.log-expected.json b/x-pack/filebeat/module/aws/cloudwatch/test/cloudwatch_ec2.log-expected.json
new file mode 100644
index 00000000000..11d33c51e0b
--- /dev/null
+++ b/x-pack/filebeat/module/aws/cloudwatch/test/cloudwatch_ec2.log-expected.json
@@ -0,0 +1,62 @@ +[ + { + "@timestamp": "2020-02-20T07:01:01.000Z", + "event.dataset": "aws.cloudwatch", + "event.module": "aws", + "fileset.name": "cloudwatch", + "input.type": "log", + "log.offset": 0, + "message": "ip-172-31-81-156 systemd: Stopping User Slice of root.", + "service.type": "aws" + }, + { + "@timestamp": "2020-02-20T07:02:18.000Z", + "event.dataset": "aws.cloudwatch", + "event.module": "aws", + "fileset.name": "cloudwatch", + "input.type": "log", + "log.offset": 96, + "message": "ip-172-31-81-156 dhclient[3000]: XMT: Solicit on eth0, interval 125240ms.", + "service.type": "aws" + }, + { + "@timestamp": "2020-02-20T07:02:37.000Z", + "event.dataset": "aws.cloudwatch", + "event.module": "aws", + "fileset.name": "cloudwatch", + "input.type": "log", + "log.offset": 211, + "message": "ip-172-31-81-156 dhclient[2898]: DHCPREQUEST on eth0 to 172.31.80.1 port 67 (xid=0x4575af22)", + "service.type": "aws" + }, + { + "@timestamp": "2020-02-20T07:02:37.000Z", + "event.dataset": "aws.cloudwatch", + "event.module": "aws", + "fileset.name": "cloudwatch", + "input.type": "log", + "log.offset": 345, + "message": "ip-172-31-81-156 dhclient[2898]: DHCPACK from 172.31.80.1 (xid=0x4575af22)", + "service.type": "aws" + }, + { + "@timestamp": "2020-02-20T07:02:37.000Z", + "event.dataset": "aws.cloudwatch", + "event.module": "aws", + "fileset.name": "cloudwatch", + "input.type": "log", + "log.offset": 461, + "message": "ip-172-31-81-156 dhclient[2898]: bound to 172.31.81.156 -- renewal in 1599 seconds.", + "service.type": "aws" + }, + { + "@timestamp": "2020-02-20T07:02:37.000Z", + "event.dataset": "aws.cloudwatch", + "event.module": "aws", + "fileset.name": "cloudwatch", + "input.type": "log", + "log.offset": 586, + "message": "ip-172-31-81-156 ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s", + "service.type": "aws" + } +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/aws/ec2/_meta/fields.yml b/x-pack/filebeat/module/aws/ec2/_meta/fields.yml
new file mode 100644
index 00000000000..f6c21a4d7b6
--- /dev/null
+++ b/x-pack/filebeat/module/aws/ec2/_meta/fields.yml
@@ -0,0 +1,11 @@
+- name: ec2
+ type: group
+ release: beta
+ default_field: false
+ description: >
+ Fields for AWS EC2 logs in CloudWatch.
+ fields:
+ - name: ip_address
+ type: keyword
+ description: >
+ The internet address of the requester.
diff --git a/x-pack/filebeat/module/aws/ec2/config/ec2.yml b/x-pack/filebeat/module/aws/ec2/config/ec2.yml
new file mode 100644
index 00000000000..2af7bebff30
--- /dev/null
+++ b/x-pack/filebeat/module/aws/ec2/config/ec2.yml
@@ -0,0 +1,22 @@
+type: s3
+queue_url: {{ .queue_url }}
+
+{{ if .credential_profile_name }}
+credential_profile_name: {{ .credential_profile_name }}
+{{ end }}
+
+{{ if .shared_credential_file }}
+shared_credential_file: {{ .shared_credential_file }}
+{{ end }}
+
+{{ if .visibility_timeout }}
+visibility_timeout: {{ .visibility_timeout }}
+{{ end }}
+
+{{ if .api_timeout }}
+api_timeout: {{ .api_timeout }}
+{{ end }}
+
+{{ if .endpoint }}
+endpoint: {{ .endpoint }}
+{{ end }}
diff --git a/x-pack/filebeat/module/aws/ec2/config/file.yml b/x-pack/filebeat/module/aws/ec2/config/file.yml
new file mode 100644
index 00000000000..8bfbcc9f802
--- /dev/null
+++ b/x-pack/filebeat/module/aws/ec2/config/file.yml
@@ -0,0 +1,6 @@
+type: log
+paths:
+ {{ range $i, $path := .paths }}
+ - {{$path}}
+ {{ end }}
+exclude_files: [".gz$"]
diff --git a/x-pack/filebeat/module/aws/ec2/ingest/pipeline.yml b/x-pack/filebeat/module/aws/ec2/ingest/pipeline.yml
new file mode 100644
index 00000000000..0ada24c6f77
--- /dev/null
+++ b/x-pack/filebeat/module/aws/ec2/ingest/pipeline.yml
@@ -0,0 +1,24 @@
+description: "Pipeline for EC2 logs in CloudWatch"
+
+processors:
+ - grok:
+ field: message
+ patterns:
+ - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{SYSLOGTIMESTAMP:_tmp.syslog_timestamp} %{IPORHOST:aws.ec2.ip_address} %{DATA:process.name}(?:\\[%{POSINT:process.pid}\\])?: %{GREEDYDATA:message}"
+
+ - date:
+ field: '_tmp.timestamp'
+ target_field: "@timestamp"
+ ignore_failure: true
+ formats:
+ - 'ISO8601'
+
+ - remove:
+ field:
+ - _tmp
+ ignore_missing: true
+
+on_failure:
+ - set:
+ field: "error.message"
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/aws/ec2/manifest.yml b/x-pack/filebeat/module/aws/ec2/manifest.yml
new file mode 100644
index 00000000000..b71b96bbef1
--- /dev/null
+++ b/x-pack/filebeat/module/aws/ec2/manifest.yml
@@ -0,0 +1,14 @@
+module_version: 1.0
+
+var:
+ - name: input
+ default: s3
+ - name: queue_url
+ - name: shared_credential_file
+ - name: credential_profile_name
+ - name: visibility_timeout
+ - name: api_timeout
+ - name: endpoint
+
+ingest_pipeline: ingest/pipeline.yml
+input: config/{{.input}}.yml
diff --git a/x-pack/filebeat/module/aws/ec2/test/ec2.log b/x-pack/filebeat/module/aws/ec2/test/ec2.log
new file mode 100644
index 00000000000..4487fdf08d2
--- /dev/null
+++ b/x-pack/filebeat/module/aws/ec2/test/ec2.log
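Review bot: `%{IPORHOST:aws.ec2.ip_address}` in the ec2 grok pattern stores the syslog host token, which in the expected output is the hostname `ip-172-31-81-156` rather than an address, while `ec2/_meta/fields.yml` describes the field as "The internet address of the requester". Searches and detections that treat this field as an IP will not match, so I would either capture the token under a hostname field such as `host.hostname` or correct the field's name and description. `process.pid` is also emitted as a string (`"2898"` in the expected JSON); `%{POSINT:process.pid:long}` would produce a number. The fileset docs mention fields `ip` and `program_name`, which this pipeline does not create.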
@@ -0,0 +1,6 @@
+2020-02-20T07:01:01.000Z Feb 20 07:01:01 ip-172-31-81-156 systemd: Stopping User Slice of root.
+2020-02-20T07:02:18.000Z Feb 20 07:02:18 ip-172-31-81-156 dhclient[3000]: XMT: Solicit on eth0, interval 125240ms.
+2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPREQUEST on eth0 to 172.31.80.1 port 67 (xid=0x4575af22)
+2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPACK from 172.31.80.1 (xid=0x4575af22)
+2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: bound to 172.31.81.156 -- renewal in 1599 seconds.
+2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s
diff --git a/x-pack/filebeat/module/aws/ec2/test/ec2.log-expected.json b/x-pack/filebeat/module/aws/ec2/test/ec2.log-expected.json
new file mode 100644
index 00000000000..c2635e6a802
--- /dev/null
+++ b/x-pack/filebeat/module/aws/ec2/test/ec2.log-expected.json
@@ -0,0 +1,78 @@ +[ + { + "@timestamp": "2020-02-20T07:01:01.000Z", + "aws.ec2.ip_address": "ip-172-31-81-156", + "event.dataset": "aws.ec2", + "event.module": "aws", + "fileset.name": "ec2", + "input.type": "log", + "log.offset": 0, + "message": "Stopping User Slice of root.", + "process.name": "systemd", + "service.type": "aws" + }, + { + "@timestamp": "2020-02-20T07:02:18.000Z", + "aws.ec2.ip_address": "ip-172-31-81-156", + "event.dataset": "aws.ec2", + "event.module": "aws", + "fileset.name": "ec2", + "input.type": "log", + "log.offset": 96, + "message": "XMT: Solicit on eth0, interval 125240ms.", + "process.name": "dhclient", + "process.pid": "3000", + "service.type": "aws" + }, + { + "@timestamp": "2020-02-20T07:02:37.000Z", + "aws.ec2.ip_address": "ip-172-31-81-156", + "event.dataset": "aws.ec2", + "event.module": "aws", + "fileset.name": "ec2", + "input.type": "log", + "log.offset": 211, + "message": "DHCPREQUEST on eth0 to 172.31.80.1 port 67 (xid=0x4575af22)", + "process.name": "dhclient", + "process.pid": "2898", + "service.type": "aws" + }, + { + "@timestamp": "2020-02-20T07:02:37.000Z", + "aws.ec2.ip_address": "ip-172-31-81-156", + "event.dataset": "aws.ec2", + "event.module": "aws", + "fileset.name": "ec2", + "input.type": "log", + "log.offset": 345, + "message": "DHCPACK from 172.31.80.1 (xid=0x4575af22)", + "process.name": "dhclient", + "process.pid": "2898", + "service.type": "aws" + }, + { + "@timestamp": "2020-02-20T07:02:37.000Z", + "aws.ec2.ip_address": "ip-172-31-81-156", + "event.dataset": "aws.ec2", + "event.module": "aws", + "fileset.name": "ec2", + "input.type": "log", + "log.offset": 461, + "message": "bound to 172.31.81.156 -- renewal in 1599 seconds.", + "process.name": "dhclient", + "process.pid": "2898", + "service.type": "aws" + }, + { + "@timestamp": "2020-02-20T07:02:37.000Z", + "aws.ec2.ip_address": "ip-172-31-81-156", + "event.dataset": "aws.ec2", + "event.module": "aws", + "fileset.name": "ec2", + "input.type": "log", + 
"log.offset": 586, + "message": "[get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s", + "process.name": "ec2net", + "service.type": "aws" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/fields.go b/x-pack/filebeat/module/aws/fields.go index 76b42b6232b..f3d84e53119 100644 --- a/x-pack/filebeat/module/aws/fields.go +++ b/x-pack/filebeat/module/aws/fields.go @@ -19,5 +19,5 @@ func init() { // AssetAws returns asset data. // This is the base64 encoded gzipped contents of module/aws. func AssetAws() string { - return "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" + return "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" } diff --git a/x-pack/filebeat/modules.d/aws.yml.disabled b/x-pack/filebeat/modules.d/aws.yml.disabled index 47cead91df5..76cf7aaaf86 100644 --- a/x-pack/filebeat/modules.d/aws.yml.disabled +++ b/x-pack/filebeat/modules.d/aws.yml.disabled @@ -2,7 +2,33 @@ # Docs: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-aws.html - module: aws - s3access: + cloudtrail: + enabled: false + + # AWS SQS queue url + #var.queue_url: https://sqs.myregion.amazonaws.com/123456/myqueue + + # Filename of AWS credential file + # If not set "$HOME/.aws/credentials" is used on Linux/Mac + # "%UserProfile%\.aws\credentials" is used on Windows + #var.shared_credential_file: /etc/filebeat/aws_credentials + + # Profile name for aws credential + # If not set the default profile is used + #var.credential_profile_name: fb-aws + + # The duration that the received messages are hidden from ReceiveMessage request + # Default to be 300s + #var.visibility_timeout: 300s + + # Maximum duration before AWS API request will be interrupted + # Default to be 120s + #var.api_timeout: 120s + + # Custom endpoint used to access AWS APIs + #var.endpoint: amazonaws.com + + cloudwatch: enabled: false # AWS SQS queue url 
@@ -54,7 +80,7 @@ # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com - vpcflow: + s3access: enabled: false # AWS SQS queue url @@ -80,7 +106,7 @@ # Custom endpoint used to access AWS APIs #var.endpoint: amazonaws.com - cloudtrail: + vpcflow: enabled: false # AWS SQS queue url