Elastic Agent inputs
When you configure inputs for standalone Elastic Agents, the following values are supported for the input type parameter.
Expand any section to view the available inputs:
Audit the activities of users and processes on your systems
| Input | Description | Learn more |
|---|---|---|
audit/auditd |
Receives audit events from the Linux Audit Framework that is a part of the Linux kernel. | Auditd Module (Auditbeat docs) |
audit/file_integrity |
Sends events when a file is changed (created, updated, or deleted) on disk. The events contain file metadata and hashes. | File Integrity Module (Auditbeat docs) |
audit/system |
[beta] Collects various security related information about a system. All datasets send both periodic state information (e.g. all currently running processes) and real-time changes (e.g. when a new process starts or stops). | System Module (Auditbeat docs) |
Collect metrics from operating systems and services running on your servers
| Input | Description | Learn more |
|---|---|---|
activemq/metrics |
Periodically fetches JMX metrics from Apache ActiveMQ. | ActiveMQ module (Metricbeat docs) |
apache/metrics |
Periodically fetches metrics from Apache HTTPD servers. | Apache module (Metricbeat docs) |
aws/metrics |
Periodically fetches monitoring metrics from AWS CloudWatch using GetMetricData API for AWS services. | AWS module (Metricbeat docs) |
awsfargate/metrics |
[beta] Retrieves various metadata, network metrics, and Docker stats about tasks and containers. | AWS Fargate module (Metricbeat docs) |
azure/metrics |
Collects and aggregates Azure logs and metrics from a variety of sources into a common data platform where it can be used for analysis, visualization, and alerting. | Azure module (Metricbeat docs) |
beat/metrics |
Collects metrics about any Beat or other software based on libbeat. | Beat module (Metricbeat docs) |
cloudfoundry/metrics |
Connects to Cloud Foundry loggregator to gather container, counter, and value metrics into a common data platform where it can be used for analysis, visualization, and alerting. | Cloudfoundry module (Metricbeat docs) |
containerd/metrics |
[beta] Collects cpu, memory and blkio statistics about running containers controlled by containerd runtime. | Containerd module (Metricbeat docs) |
docker/metrics |
Fetches metrics from Docker containers. | Docker module (Metricbeat docs) |
elasticsearch/metrics |
Collects metrics about Elasticsearch. | Elasticsearch module (Metricbeat docs) |
etcd/metrics |
This module targets Etcd V2 and V3. When using V2, metrics are collected using Etcd v2 API. When using V3, metrics are retrieved from the /metrics endpoint as intended for Etcd v3. |
Etcd module (Metricbeat docs) |
gcp/metrics |
Periodically fetches monitoring metrics from Google Cloud Platform using Stackdriver Monitoring API for Google Cloud Platform services. | Google Cloud Platform module (Metricbeat docs) |
haproxy/metrics |
Collects stats from HAProxy. It supports collection from TCP sockets, UNIX sockets, or HTTP with or without basic authentication. | HAProxy module (Metricbeat docs) |
http/metrics |
Used to call arbitrary HTTP endpoints for which a dedicated Metricbeat module is not available. | HTTP module (Metricbeat docs) |
iis/metrics |
Periodically retrieve IIS web server related metrics. | IIS module (Metricbeat docs) |
jolokia/metrics |
Collects metrics from Jolokia agents running on a target JMX server or dedicated proxy server. | Jolokia module (Metricbeat docs) |
kafka/metrics |
Collects metrics from the Apache Kafka event streaming platform. | Kafka module (Metricbeat docs) |
kibana/metrics |
Collects metrics about Kibana. | Kibana module (Metricbeat docs) |
kubernetes/metrics |
As one of the main pieces provided for Kubernetes monitoring, this module is capable of fetching metrics from several components. | Kubernetes module (Metricbeat docs) |
linux/metrics |
[beta] Reports on metrics exclusive to the Linux kernel and GNU/Linux OS. | Linux module (Metricbeat docs) |
logstash/metrics |
collects metrics about Logstash. | Logstash module (Metricbeat docs) |
memcached/metrics |
Collects metrics about the memcached memory object caching system. | Memcached module (Metricbeat docs) |
mongodb/metrics |
Periodically fetches metrics from MongoDB servers. | MongoDB module (Metricbeat docs) |
mssql/metrics |
The Microsoft SQL 2017 Metricbeat module. It is still under active development to add new Metricsets and introduce enhancements. | MSSQL module (Metricbeat docs) |
mysql/metrics |
Periodically fetches metrics from MySQL servers. | MySQL module (Metricbeat docs) |
nats/metrics |
Uses the Nats monitoring server APIs to collect metrics. | NATS module (Metricbeat docs) |
nginx/metrics |
Periodically fetches metrics from Nginx servers. | Nginx module (Metricbeat docs) |
oracle/metrics |
The Oracle module for Metricbeat. It is under active development with feedback from the community. A single Metricset for Tablespace monitoring is added so the community can start gathering metrics from their nodes and contributing to the module. | Oracle module (Metricbeat docs) |
postgresql/metrics |
Periodically fetches metrics from PostgreSQL servers. | PostgresSQL module (Metricbeat docs) |
prometheus/metrics |
Periodically scrapes metrics from Prometheus exporters. | Prometheus module (Metricbeat docs) |
rabbitmq/metrics |
Uses the HTTP API created by the management plugin to collect RabbitMQ metrics. | RabbitMQ module (Metricbeat docs) |
redis/metrics |
Periodically fetches metrics from Redis servers. | Redis module (Metricbeat docs) |
sql/metrics |
Allows you to execute custom queries against an SQL database and store the results in Elasticsearch. | SQL module (Metricbeat docs) |
stan/metrics |
Uses STAN monitoring server APIs to collect metrics. | Stan module (Metricbeat docs) |
statsd/metrics |
Spawns a UDP server and listens for metrics in StatsD compatible format. | Statsd module (Metricbeat docs) |
syncgateway/metrics |
[beta] Monitor a Sync Gateway instance by using its REST API. | SyncGateway module (Metricbeat docs) |
system/metrics |
Allows you to monitor your server metrics, including CPU, load, memory, network, processes, sockets, filesystem, fsstat, uptime, and more. | System module (Metricbeat docs) |
traefik/metrics |
Periodically fetches metrics from a Traefik instance. | Traefik module (Metricbeat docs) |
uwsgi/metrics |
By default, collects the uWSGI stats metricset, using StatsServer. | uWSGI module (Metricbeat docs) |
vsphere/metrics |
Uses the Govmomi library to collect metrics from any Vmware SDK URL (ESXi/VCenter). | vSphere module (Metricbeat docs) |
windows/metrics |
Collects metrics from Windows systems. | Windows module (Metricbeat docs) |
zookeeper/metrics |
Fetches statistics from the ZooKeeper service. | ZooKeeper module (Metricbeat docs) |
Forward and centralize log data
| Input | Description | Learn more |
|---|---|---|
aws-cloudwatch |
Stores log filesfrom Amazon Elastic Compute Cloud(EC2), AWS CloudTrail, Route53, and other sources. | AWS CloudWatch input (Filebeat docs) |
aws-s3 |
Retrieves logs from S3 objects that are pointed to by S3 notification events read from an SQS queue or directly polling list of S3 objects in an S3 bucket. | AWS S3 input (Filebeat docs) |
azure-blob-storage |
Reads content from files stored in containers which reside on your Azure Cloud. | Azure Blob Storage (Filebeat docs) |
azure-eventhub |
Reads messages from an azure eventhub. | Azure eventhub input (Filebeat docs) |
cel |
Reads messages from a file path or HTTP API with a variety of payloads using the Common Expression Language (CEL) and the mito CEL extension libraries. | Common Expression Language input (Filebeat docs) |
cloudfoundry |
Gets HTTP access logs, container logs and error logs from Cloud Foundry. | Cloud Foundry input (Filebeat docs) |
cometd |
Streams the real-time events from a Salesforce generic subscription Push Topic. | CometD input (Filebeat docs) |
container |
Reads containers log files. | Container input (Filebeat docs) |
docker |
Alias for container. |
- |
log/docker |
Alias for container. |
n/a |
entity-analytics |
Collects identity assets, such as users, from external identity providers. | Entity Analytics input (Filebeat docs) |
event/file |
Alias for log. |
n/a |
event/tcp |
Alias for tcp. |
n/a |
filestream |
Reads lines from active log files. Replaces and imporoves on the log input. |
filestream input (Filebeat docs) |
gcp-pubsub |
Reads messages from a Google Cloud Pub/Sub topic subscription. | GCP Pub/Sub input (Filebeat docs) |
gcs |
[beta] Reads content from files stored in buckets which reside on your Google Cloud. | Google Cloud Storage input (Filebeat docs) |
http_endpoint |
[beta] Initializes a listening HTTP server that collects incoming HTTP POST requests containing a JSON body. | HTTP Endpoint input (Filebeat docs) |
httpjson |
Read messages from an HTTP API with JSON payloads. | HTTP JSON input (Filebeat docs) |
journald |
[beta] A system service that collects and stores logging data. | Journald input (Filebeat docs) |
kafka |
Reads from topics in a Kafka cluster. | Kafka input (Filebeat docs) |
log |
DEPRECATED: Use the filestream input instead. |
n/a |
logfile |
Alias for log. |
n/a |
log/redis_slowlog |
Alias for redis. |
n/a |
log/syslog |
Alias for syslog. |
n/a |
mqtt |
Reads data transmitted using lightweight messaging protocol for small and mobile devices, optimized for high-latency or unreliable networks. | MQTT input (Filebeat docs) |
netflow |
Reads NetFlow and IPFIX exported flows and options records over UDP. | NetFlow input (Filebeat docs) |
o365audit |
[beta] Retrieves audit messages from Office 365 and Azure AD activity logs. | Office 365 Management Activity API input (Filebeat docs) |
osquery |
Collects and decodes the result logs written by osqueryd in the JSON format. | - |
redis |
[beta] Reads entries from Redis slowlogs. | Redis input (Filebeat docs) |
syslog |
Reads Syslog events as specified by RFC 3164 and RFC 5424, over TCP, UDP, or a Unix stream socket. | Syslog input (Filebeat docs) |
tcp |
Reads events over TCP. | TCP input (Filebeat docs) |
udp |
Reads events over UDP. | UDP input (Filebeat docs) |
unix |
[beta] Reads events over a stream-oriented Unix domain socket. | Unix input (Filebeat docs) |
winlog |
Reads from one or more event logs using Windows APIs, filters the events based on user-configured criteria, then sends the event data to the configured outputs (Elasticsearch or Logstash). | Winlogbeat Overview (Winlogbeat docs) |
Monitor the status of your services
| Input | Description | Learn more |
|---|---|---|
synthetics/http |
Connect via HTTP and optionally verify that the host returns the expected response. | HTTP options (Heartbeat docs) |
synthetics/icmp |
Use ICMP (v4 and v6) Echo Requests to check the configured hosts. | ICMP options (Heartbeat docs) |
synthetics/tcp |
Connect via TCP and optionally verify the endpoint by sending and/or receiving a custom payload. | TCP options (Heartbeat docs) |
View network traffic between the servers of your network
| Input | Description | Learn more |
|---|---|---|
packet |
Sniffs the traffic between your servers, parses the application-level protocols on the fly, and correlates the messages into transactions. | Packetbeat overview (Packetbeat docs) |