Backport to 6.x: Multiple doc PRs (#7593 #7719 #7798 #7813 #7816 #7845 #7854 #7907) #7919

Merged
merged 8 commits into from
Aug 9, 2018
3 changes: 3 additions & 0 deletions auditbeat/docs/configuring-howto.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ The following topics describe how to configure {beatname_uc}:
* <<using-environ-vars>>
* <<yaml-tips>>
* <<regexp-support>>
* <<http-endpoint>>
* <<{beatname_lc}-reference-yml>>

After changing configuration settings, you need to restart {beatname_uc} to
Expand Down Expand Up @@ -76,4 +77,6 @@ include::../../libbeat/docs/yaml.asciidoc[]

include::../../libbeat/docs/regexp.asciidoc[]

include::../../libbeat/docs/http-endpoint.asciidoc[]

include::../../libbeat/docs/reference-yml.asciidoc[]
33 changes: 12 additions & 21 deletions auditbeat/docs/getting-started.asciidoc
Expand Up @@ -168,17 +168,7 @@ If you accept the default configuration without specifying additional modules,
+
See <<configuring-howto-{beatname_lc}>> for more details about configuring modules.

. If you are sending output to Elasticsearch (and not using Logstash), set the
IP address and port where {beatname_uc} can find the Elasticsearch installation:
+
[source,yaml]
----------------------------------------------------------------------
output.elasticsearch:
hosts: ["127.0.0.1:9200"]
----------------------------------------------------------------------
+
If you are sending output to Logstash, make sure you
<<logstash-output,Configure the Logstash output>> instead.
include::../../libbeat/docs/step-configure-output.asciidoc[]

include::../../libbeat/docs/step-configure-kibana-endpoint.asciidoc[]
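
Review bot: The step removed here pointed Logstash users to `<<logstash-output,Configure the Logstash output>>`, while the equivalent step removed from filebeat/docs/getting-started.asciidoc in this same PR pointed to `<<config-filebeat-logstash>>`. The shared `step-configure-output.asciidoc` therefore has to resolve a Logstash cross-reference that exists in both books. Please confirm the include uses an id defined for every Beat (or a per-Beat conditional), otherwise one of the two guides ends up with a broken link.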

Expand All @@ -189,13 +179,13 @@ include::../../libbeat/docs/step-test-config.asciidoc[]
include::../../libbeat/docs/step-look-at-config.asciidoc[]

[id="{beatname_lc}-template"]
=== Step 3: Load the index template in Elasticsearch
=== Step 3: Load the index template in {es}

:allplatforms:
include::../../libbeat/docs/shared-template-load.asciidoc[]

[[load-kibana-dashboards]]
=== Step 4: Set up the Kibana dashboards
=== Step 4: Set up the {kib} dashboards

:allplatforms:
include::../../libbeat/docs/dashboards.asciidoc[]
Expand All @@ -204,8 +194,8 @@ include::../../libbeat/docs/dashboards.asciidoc[]
=== Step 5: Start {beatname_uc}

Run {beatname_uc} by issuing the appropriate command for your platform. If you
are accessing a secured Elasticsearch cluster, make sure you've configured
credentials as described in <<{beatname_lc}-configuration>>.
are accessing a secured {es} cluster, make sure you've configured credentials as
described in <<{beatname_lc}-configuration>>.

NOTE: If you use an init.d script to start {beatname_uc} on deb or rpm, you can't
specify command line flags (see <<command-line-options>>). To specify flags,
Expand Down Expand Up @@ -234,7 +224,7 @@ sudo ./{beatname_lc} -e -c {beatname_lc}.yml -d "publish"
----------------------------------------------------------------------
<1> To monitor system files, you'll be running {beatname_uc} as root, so you
need to change ownership of the configuration file, or run {beatname_uc} with
`-strict.perms=false` specified. See
`--strict.perms=false` specified. See
{libbeat}/config-file-permissions.html[Config File Ownership and Permissions]
in the _Beats Platform Reference_.
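
Review bot: The callout at `<1>` still offers `--strict.perms=false` as an equal alternative to fixing ownership of the configuration file, and because this paragraph is specifically about running {beatname_uc} as root, it reads as a recommendation to skip the permission check on a file that a root process loads. Suggest leading with the ownership change and describing `--strict.perms=false` as a fallback, leaving the detail to the linked Config File Ownership and Permissions page. The command above the callout uses single-dash flags (`-e -c ... -d`), so the double dash introduced here is now the only one in the example; a consistent style would avoid questions.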

Expand All @@ -252,22 +242,22 @@ By default the log files are stored in +C:{backslash}ProgramData{backslash}{beat

==== Test the {beatname_uc} installation

To verify that your server's statistics are present in Elasticsearch, issue
the following command:
To verify that your server's statistics are present in {es}, issue the following
command:

["source","sh",subs="attributes"]
----------------------------------------------------------------------
curl -XGET 'http://localhost:9200/{beatname_lc}-*/_search?pretty'
----------------------------------------------------------------------

Make sure that you replace `localhost:9200` with the address of your
Elasticsearch instance.
Make sure that you replace `localhost:9200` with the address of your {es}
instance.

On Windows, if you don't have cURL installed, simply point your browser to the
URL.

[[view-kibana-dashboards]]
=== Step 6: View the sample Kibana dashboards
=== Step 6: View the sample {kib} dashboards

To make it easier for you to start auditing the activities of users and
processes on your system, we have created example {beatname_uc} dashboards.
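
Review bot: The verification command in this hunk, `curl -XGET 'http://localhost:9200/{beatname_lc}-*/_search?pretty'`, uses plain HTTP with no credentials, while Step 5 tells readers on a secured {es} cluster to configure credentials. Suggest extending the "Make sure that you replace `localhost:9200`" sentence to say that a secured cluster also needs credentials on the request (and the `https` scheme where TLS is enabled), so the check does not fail for exactly those readers.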
Expand All @@ -278,4 +268,5 @@ include::../../libbeat/docs/opendashboards.asciidoc[]
The dashboards are provided as examples. We recommend that you
{kibana-ref}/dashboard.html[customize] them to meet your needs.

[role="screenshot"]
image:./images/auditbeat-file-integrity-dashboard.png[Auditbeat File Integrity Dashboard]
3 changes: 3 additions & 0 deletions filebeat/docs/configuring-howto.asciidoc
Expand Up @@ -39,6 +39,7 @@ The following topics describe how to configure Filebeat:
* <<configuration-autodiscover>>
* <<yaml-tips>>
* <<regexp-support>>
* <<http-endpoint>>
* <<{beatname_lc}-reference-yml>>

--
Expand Down Expand Up @@ -85,4 +86,6 @@ include::../../libbeat/docs/yaml.asciidoc[]

include::../../libbeat/docs/regexp.asciidoc[]

include::../../libbeat/docs/http-endpoint.asciidoc[]

include::../../libbeat/docs/reference-yml.asciidoc[]
100 changes: 36 additions & 64 deletions filebeat/docs/filebeat-modules-options.asciidoc
@@ -1,3 +1,5 @@
:modulename: apache2 mysql

[id="configuration-{beatname_lc}-modules"]
== Specify which modules to run

Expand Down Expand Up @@ -39,26 +41,20 @@ under `modules.d` by running the
For example, to enable the `apache2` and `mysql` configs in the `modules.d`
directory, you use:

["source","sh",subs="attributes"]
----
./{beatname_lc} modules enable apache2 mysql
----
include::./include/enable-modules-command.asciidoc[]

Then when you run {beatname_uc}, it loads the corresponding module configurations
specified in the `modules.d` directory (for example, `modules.d/apache2.yml` and
`modules.d/mysql.yml`).

To see a list of enabled and disabled modules, run:

["source","sh",subs="attributes"]
----
./{beatname_lc} modules list
----
include::./include/list-modules-command.asciidoc[]

The default module configurations assume that the logs you’re harvesting are
in the location expected for your OS and that the behavior of the module is
appropriate for your environment. To change the default configurations, you need
to specify variable settings. See <<specify-variable-settings>>.
to <<specify-variable-settings,specify variable settings>>.

[float]
[[enable-modules-cli]]
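
Review bot: The lead-in sentence "to enable the `apache2` and `mysql` configs" and the follow-up mention of `modules.d/apache2.yml` and `modules.d/mysql.yml` stay hard-coded, while the command itself now comes from `include::./include/enable-modules-command.asciidoc[]` and is driven by `:modulename: apache2 mysql`. If the attribute is ever changed, the prose and the rendered command will disagree. Suggest either a comment next to the attribute saying the surrounding text depends on these two names, or rewording the prose so it does not repeat them.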
Expand All @@ -72,18 +68,34 @@ along with any modules that are enabled in the configuration file or `modules.d`
directory. If there's a conflict, the configuration specified at the command
line is used.

The following example shows how to enable and run the `nginx`,`mysql`, and
`system` modules.
The following command enables and runs the `nginx`,`mysql`, and `system`
modules.

*deb and rpm:*

["source","sh",subs="attributes"]
----
{beatname_lc} --modules nginx,mysql,system
----

*mac:*

["source","sh",subs="attributes"]
----
./{beatname_lc} -e --modules nginx,mysql,system
./{beatname_lc} --modules nginx,mysql,system
----

*win:*

["source","sh",subs="attributes"]
----
PS > .{backslash}{beatname_lc}.exe --modules nginx,mysql,system
----

The default module configurations assume that the logs you’re harvesting are
in the location expected for your OS and that the behavior of the module is
appropriate for your environment. To change the default configurations, you need
to specify variable settings. See <<specify-variable-settings>>.
to <<specify-variable-settings,specify variable settings>>.

[float]
[[enable-modules-config-file]]
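
Review bot: In the rewritten sentence "The following command enables and runs the `nginx`,`mysql`, and `system` modules." the space after the first comma is still missing; since the line is being touched anyway, write `nginx`, `mysql`. The mac example also drops `-e` compared with the command it replaces, so log output no longer goes to stderr when a reader runs it. If that is intended, fine; it would help to say so in the PR description, since the getting-started pages still show `-e`.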
Expand Down Expand Up @@ -116,45 +128,12 @@ The following example shows a configuration that runs the `nginx`,`mysql`, and
The default module configurations assume that the logs you’re harvesting are
in the location expected for your OS and that the behavior of the module is
appropriate for your environment. To change the default configurations, you need
to specify variable settings. See <<specify-variable-settings>>.
to <<specify-variable-settings,specify variable settings>>.

[[specify-variable-settings]]
=== Specify variable settings

Each module and fileset has variables that you can set to change the default
behavior of the module, including the paths where the module looks for log
files. For example, the `var.paths` setting in the following example sets the
path for `nginx` access log files:

[source,yaml]
----
- module: nginx
access:
var.paths: ["/var/log/nginx/access.log*"]
----

To set the path for Nginx access log files at the command line, you use
the `-M` flag. For example:

["source","shell",subs="attributes"]
----
./{beatname_lc} -M "nginx.access.var.paths=[/var/log/nginx/access.log*]"
----

When you set variables at the command line, the variable name needs to include
the module and fileset name. You can specify multiple overrides. Each override
must start with `-M`.

Here you see how to use the `-M` flag along with the `--modules` flag. This
example shows how to set the paths to the access and error logs:

["source","sh",subs="attributes"]
----
./{beatname_lc} --modules nginx -M "nginx.access.var.paths=[/var/log/nginx/access.log*]" -M "nginx.error.var.paths=[/var/log/nginx/error.log*]"
----

For information about specific variables that you can set for each fileset,
see the <<{beatname_lc}-modules,documentation for the modules>>.
include::./include/set-paths.asciidoc[]

[[advanced-settings]]
=== Advanced settings
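
Review bot: The body of "Specify variable settings" is now only `include::./include/set-paths.asciidoc[]`, and that file is not part of the visible diff. The removed text carried three things readers rely on: the rule that each override must start with `-M` and include the module and fileset name, the combined `--modules nginx -M ...` example, and the link to `<<{beatname_lc}-modules,documentation for the modules>>`. Please confirm the include keeps them, because three paragraphs in this file now link here with `<<specify-variable-settings,specify variable settings>>`.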
Expand All @@ -172,35 +151,28 @@ configuration:
close_eof: true
----------------------------------------------------------------------

Or at the command line like this:
Or at the command line when you run {beatname_uc}:

["source","sh",subs="attributes"]
----------------------------------------------------------------------
./{beatname_lc} -M "nginx.access.input.close_eof=true"
-M "nginx.access.input.close_eof=true"
----------------------------------------------------------------------


Here you see how to use the `-M` flag along with the `--modules` flag:
You can use wildcards to change variables or settings for multiple
modules/filesets at once. For example, you can enable `close_eof` for all the
filesets in the `nginx` module:

["source","sh",subs="attributes"]
----------------------------------------------------------------------
./{beatname_lc} --modules nginx -M "nginx.access.input.close_eof=true"
-M "nginx.*.input.close_eof=true"
----------------------------------------------------------------------


You can use wildcards to change variables or settings for multiple
modules/filesets at once. For example, the following command enables
`close_eof` for all the filesets in the `nginx` module:
You can also enable `close_eof` for all inputs created by any of the modules:

["source","sh",subs="attributes"]
----------------------------------------------------------------------
./{beatname_lc} -M "nginx.*.input.close_eof=true"
-M "*.*.input.close_eof=true"
----------------------------------------------------------------------

The following command enables `close_eof` for all inputs created by any of
the modules:
:modulename!:

["source","sh",subs="attributes"]
----------------------------------------------------------------------
./{beatname_lc} -M "*.*.input.close_eof=true"
----------------------------------------------------------------------
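
Review bot: The three examples in this hunk are now bare fragments such as `-M "nginx.access.input.close_eof=true"` inside blocks still declared as `sh`, so none of them can be run as shown, and the only hint is the phrase "when you run {beatname_uc}". Suggest keeping one complete invocation (the removed `./{beatname_lc} --modules nginx -M "nginx.access.input.close_eof=true"` form) or stating explicitly that the fragment is appended to the platform-specific command. A short comment next to `:modulename!:` saying it undoes the `:modulename: apache2 mysql` set at the top of the file would also help the next editor.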
20 changes: 4 additions & 16 deletions filebeat/docs/getting-started.asciidoc
Expand Up @@ -130,11 +130,9 @@ endif::[]
=== Step 2: Configure Filebeat

TIP: <<filebeat-modules-overview,Filebeat modules>> provide the fastest getting
started experience for common log formats. See <<filebeat-modules-quickstart>>
to learn how to get started with modules. If you use Filebeat modules to get
started, you can skip the content in this section, including the remaining
getting started steps, and go directly to the <<filebeat-modules-quickstart>>
page.
started experience for common log formats. If you want use Filebeat modules,
skip this section, including the remaining getting started steps, and go
directly to <<filebeat-modules-quickstart>>.

include::../../libbeat/docs/shared-configuring.asciidoc[]
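
Review bot: The new TIP text has a dropped word in "If you want use Filebeat modules"; it should read "If you want to use Filebeat modules". Otherwise the shortened wording is clearer than the version it replaces, which linked `<<filebeat-modules-quickstart>>` twice.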

Expand Down Expand Up @@ -175,17 +173,7 @@ To fetch all files from a predefined level of subdirectories, the following patt
fetch log files from the `/var/log` folder itself. Currently it is not possible to recursively
fetch all files in all subdirectories of a directory.

. If you are sending output directly to Elasticsearch (and not using Logstash),
set the IP address and port where Filebeat can find the Elasticsearch installation:
+
[source,yaml]
----------------------------------------------------------------------
output.elasticsearch:
hosts: ["192.168.1.42:9200"]
----------------------------------------------------------------------
+
If you are sending output to Logstash, make sure you
configure the Logstash output in <<config-filebeat-logstash>>.
include::../../libbeat/docs/step-configure-output.asciidoc[]

include::../../libbeat/docs/step-configure-kibana-endpoint.asciidoc[]
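
Review bot: The step removed here was a numbered list item (it began with `. If you are sending output directly to Elasticsearch`) with `+` continuations attaching the YAML block, and it is replaced by `include::../../libbeat/docs/step-configure-output.asciidoc[]` after a blank line. The shared file is not in the visible diff, so please confirm it starts with its own `.` item marker and uses `+` continuations; otherwise the numbered steps in this section restart or the code block detaches from its step.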

8 changes: 3 additions & 5 deletions filebeat/docs/include/config-option-intro.asciidoc
Expand Up @@ -2,11 +2,9 @@
[id="{modulename}-settings"]
==== Variable settings

The +{modulename}+ module provides the following settings for configuring the
behavior of the module. Each fileset has separate settings.

If you don’t specify variable settings, the +{modulename}+ module uses the
defaults.
Each fileset has separate variable settings for configuring the behavior of the
module. If you don’t specify variable settings, the +{modulename}+ module uses
the defaults.

For more information, see <<specify-variable-settings>>. Also see
<<advanced-settings>>.
23 changes: 23 additions & 0 deletions filebeat/docs/include/enable-modules-command.asciidoc
@@ -0,0 +1,23 @@
--
*deb and rpm:*

["source","sh",subs="attributes"]
----
{beatname_lc} modules enable {modulename}
----

*mac:*

["source","sh",subs="attributes"]
----
./{beatname_lc} modules enable {modulename}
----

*win:*

["source","sh",subs="attributes"]
----
PS > .{backslash}{beatname_lc}.exe modules enable {modulename}
----

--
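
Review bot: Every command in this new include depends on `{modulename}` being set by the including page, and nothing in the file says so. A page that includes it without defining the attribute will render a broken command. Suggest a comment line at the top naming the required attribute, as filebeat-modules-options.asciidoc does implicitly with `:modulename: apache2 mysql`. Separately, the Windows block puts the prompt inside the source listing (`PS > .{backslash}{beatname_lc}.exe modules enable {modulename}`), so copying the line copies the prompt too, while the deb/rpm and mac blocks show no prompt; pick one convention.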
22 changes: 22 additions & 0 deletions filebeat/docs/include/list-modules-command.asciidoc
@@ -0,0 +1,22 @@
--
*deb and rpm:*

["source","sh",subs="attributes"]
----
{beatname_lc} modules list
----

*mac:*

["source","sh",subs="attributes"]
----
./{beatname_lc} modules list
----

*win:*

["source","sh",subs="attributes"]
----
PS > .{backslash}{beatname_lc}.exe modules list
----
--