Elastic Agent inputs
When you configure inputs for standalone Elastic Agents, the following values are supported for the input type parameter.
Expand any section to view the available inputs:
Audit the activities of users and processes on your systems
| Input | Description | Learn more |
|---|---|---|
audit/auditd | Receives audit events from the Linux Audit Framework that is a part of the Linux kernel. | Auditd Module (Auditbeat docs) |
audit/file_integrity | Sends events when a file is changed (created, updated, or deleted) on disk. The events contain file metadata and hashes. | File Integrity Module (Auditbeat docs) |
audit/system | [beta] Collects various security related information about a system. All datasets send both periodic state information (e.g. all currently running processes) and real-time changes (e.g. when a new process starts or stops). | System Module (Auditbeat docs) |
Collect metrics from operating systems and services running on your servers
| Input | Description | Learn more |
|---|---|---|
activemq/metrics | Periodically fetches JMX metrics from Apache ActiveMQ. | ActiveMQ module (Metricbeat docs) |
apache/metrics | Periodically fetches metrics from Apache HTTPD servers. | Apache module (Metricbeat docs) |
aws/metrics | Periodically fetches monitoring metrics from AWS CloudWatch using GetMetricData API for AWS services. | AWS module (Metricbeat docs) |
awsfargate/metrics | [beta] Retrieves various metadata, network metrics, and Docker stats about tasks and containers. | AWS Fargate module (Metricbeat docs) |
azure/metrics | Collects and aggregates Azure logs and metrics from a variety of sources into a common data platform where it can be used for analysis, visualization, and alerting. | Azure module (Metricbeat docs) |
beat/metrics | Collects metrics about any Beat or other software based on libbeat. | Beat module (Metricbeat docs) |
cloudfoundry/metrics | Connects to Cloud Foundry loggregator to gather container, counter, and value metrics into a common data platform where it can be used for analysis, visualization, and alerting. | Cloudfoundry module (Metricbeat docs) |
containerd/metrics | [beta] Collects cpu, memory and blkio statistics about running containers controlled by containerd runtime. | Containerd module (Metricbeat docs) |
docker/metrics | Fetches metrics from Docker containers. | Docker module (Metricbeat docs) |
elasticsearch/metrics | Collects metrics about Elasticsearch. | Elasticsearch module (Metricbeat docs) |
etcd/metrics | This module targets Etcd V2 and V3. When using V2, metrics are collected using Etcd v2 API. When using V3, metrics are retrieved from the /metrics endpoint as intended for Etcd v3. | Etcd module (Metricbeat docs) |
gcp/metrics | Periodically fetches monitoring metrics from Google Cloud Platform using Stackdriver Monitoring API for Google Cloud Platform services. | Google Cloud Platform module (Metricbeat docs) |
haproxy/metrics | Collects stats from HAProxy. It supports collection from TCP sockets, UNIX sockets, or HTTP with or without basic authentication. | HAProxy module (Metricbeat docs) |
http/metrics | Used to call arbitrary HTTP endpoints for which a dedicated Metricbeat module is not available. | HTTP module (Metricbeat docs) |
iis/metrics | Periodically retrieve IIS web server related metrics. | IIS module (Metricbeat docs) |
jolokia/metrics | Collects metrics from Jolokia agents running on a target JMX server or dedicated proxy server. | Jolokia module (Metricbeat docs) |
kafka/metrics | Collects metrics from the Apache Kafka event streaming platform. | Kafka module (Metricbeat docs) |
kibana/metrics | Collects metrics about Kibana. | Kibana module (Metricbeat docs) |
kubernetes/metrics | As one of the main pieces provided for Kubernetes monitoring, this module is capable of fetching metrics from several components. | Kubernetes module (Metricbeat docs) |
linux/metrics | [beta] Reports on metrics exclusive to the Linux kernel and GNU/Linux OS. | Linux module (Metricbeat docs) |
logstash/metrics | collects metrics about Logstash. | Logstash module (Metricbeat docs) |
memcached/metrics | Collects metrics about the memcached memory object caching system. | Memcached module (Metricbeat docs) |
mongodb/metrics | Periodically fetches metrics from MongoDB servers. | MongoDB module (Metricbeat docs) |
mssql/metrics | The Microsoft SQL 2017 Metricbeat module. It is still under active development to add new Metricsets and introduce enhancements. | MSSQL module (Metricbeat docs) |
mysql/metrics | Periodically fetches metrics from MySQL servers. | MySQL module (Metricbeat docs) |
nats/metrics | Uses the Nats monitoring server APIs to collect metrics. | NATS module (Metricbeat docs) |
nginx/metrics | Periodically fetches metrics from Nginx servers. | Nginx module (Metricbeat docs) |
oracle/metrics | The Oracle module for Metricbeat. It is under active development with feedback from the community. A single Metricset for Tablespace monitoring is added so the community can start gathering metrics from their nodes and contributing to the module. | Oracle module (Metricbeat docs) |
postgresql/metrics | Periodically fetches metrics from PostgreSQL servers. | PostgresSQL module (Metricbeat docs) |
prometheus/metrics | Periodically scrapes metrics from Prometheus exporters. | Prometheus module (Metricbeat docs) |
rabbitmq/metrics | Uses the HTTP API created by the management plugin to collect RabbitMQ metrics. | RabbitMQ module (Metricbeat docs) |
redis/metrics | Periodically fetches metrics from Redis servers. | Redis module (Metricbeat docs) |
sql/metrics | Allows you to execute custom queries against an SQL database and store the results in Elasticsearch. | SQL module (Metricbeat docs) |
stan/metrics | Uses STAN monitoring server APIs to collect metrics. | Stan module (Metricbeat docs) |
statsd/metrics | Spawns a UDP server and listens for metrics in StatsD compatible format. | Statsd module (Metricbeat docs) |
syncgateway/metrics | [beta] Monitor a Sync Gateway instance by using its REST API. | SyncGateway module (Metricbeat docs) |
system/metrics | Allows you to monitor your server metrics, including CPU, load, memory, network, processes, sockets, filesystem, fsstat, uptime, and more. | System module (Metricbeat docs) |
traefik/metrics | Periodically fetches metrics from a Traefik instance. | Traefik module (Metricbeat docs) |
uwsgi/metrics | By default, collects the uWSGI stats metricset, using StatsServer. | uWSGI module (Metricbeat docs) |
vsphere/metrics | Uses the Govmomi library to collect metrics from any Vmware SDK URL (ESXi/VCenter). | vSphere module (Metricbeat docs) |
windows/metrics | Collects metrics from Windows systems. | Windows module (Metricbeat docs) |
zookeeper/metrics | Fetches statistics from the ZooKeeper service. | ZooKeeper module (Metricbeat docs) |
Forward and centralize log data
| Input | Description | Learn more |
|---|---|---|
aws-cloudwatch | Stores log filesfrom Amazon Elastic Compute Cloud(EC2), AWS CloudTrail, Route53, and other sources. | AWS CloudWatch input (Filebeat docs) |
aws-s3 | Retrieves logs from S3 objects that are pointed to by S3 notification events read from an SQS queue or directly polling list of S3 objects in an S3 bucket. | AWS S3 input (Filebeat docs) |
azure-blob-storage | Reads content from files stored in containers which reside on your Azure Cloud. | Azure Blob Storage (Filebeat docs) |
azure-eventhub | Reads messages from an azure eventhub. | Azure eventhub input (Filebeat docs) |
cel | Reads messages from a file path or HTTP API with a variety of payloads using the Common Expression Language (CEL) and the mito CEL extension libraries. | Common Expression Language input (Filebeat docs) |
cloudfoundry | Gets HTTP access logs, container logs and error logs from Cloud Foundry. | Cloud Foundry input (Filebeat docs) |
cometd | Streams the real-time events from a Salesforce generic subscription Push Topic. | CometD input (Filebeat docs) |
container | Reads containers log files. | Container input (Filebeat docs) |
docker | Alias for container. | - |
log/docker | Alias for container. | n/a |
entity-analytics | Collects identity assets, such as users, from external identity providers. | Entity Analytics input (Filebeat docs) |
event/file | Alias for log. | n/a |
event/tcp | Alias for tcp. | n/a |
filestream | Reads lines from active log files. Replaces and imporoves on the log input. | filestream input (Filebeat docs) |
gcp-pubsub | Reads messages from a Google Cloud Pub/Sub topic subscription. | GCP Pub/Sub input (Filebeat docs) |
gcs | [beta] Reads content from files stored in buckets which reside on your Google Cloud. | Google Cloud Storage input (Filebeat docs) |
http_endpoint | [beta] Initializes a listening HTTP server that collects incoming HTTP POST requests containing a JSON body. | HTTP Endpoint input (Filebeat docs) |
httpjson | Read messages from an HTTP API with JSON payloads. | HTTP JSON input (Filebeat docs) |
journald | [beta] A system service that collects and stores logging data. | Journald input (Filebeat docs) |
kafka | Reads from topics in a Kafka cluster. | Kafka input (Filebeat docs) |
log | DEPRECATED: Use the filestream input instead. | n/a |
logfile | Alias for log. | n/a |
log/redis_slowlog | Alias for redis. | n/a |
log/syslog | Alias for syslog. | n/a |
mqtt | Reads data transmitted using lightweight messaging protocol for small and mobile devices, optimized for high-latency or unreliable networks. | MQTT input (Filebeat docs) |
netflow | Reads NetFlow and IPFIX exported flows and options records over UDP. | NetFlow input (Filebeat docs) |
o365audit | [beta] Retrieves audit messages from Office 365 and Azure AD activity logs. | Office 365 Management Activity API input (Filebeat docs) |
osquery | Collects and decodes the result logs written by osqueryd in the JSON format. | - |
redis | [beta] Reads entries from Redis slowlogs. | Redis input (Filebeat docs) |
syslog | Reads Syslog events as specified by RFC 3164 and RFC 5424, over TCP, UDP, or a Unix stream socket. | Syslog input (Filebeat docs) |
tcp | Reads events over TCP. | TCP input (Filebeat docs) |
udp | Reads events over UDP. | UDP input (Filebeat docs) |
unix | [beta] Reads events over a stream-oriented Unix domain socket. | Unix input (Filebeat docs) |
winlog | Reads from one or more event logs using Windows APIs, filters the events based on user-configured criteria, then sends the event data to the configured outputs (Elasticsearch or Logstash). | Winlogbeat Overview (Winlogbeat docs) |
Monitor the status of your services
| Input | Description | Learn more |
|---|---|---|
synthetics/http | Connect via HTTP and optionally verify that the host returns the expected response. | HTTP options (Heartbeat docs) |
synthetics/icmp | Use ICMP (v4 and v6) Echo Requests to check the configured hosts. | ICMP options (Heartbeat docs) |
synthetics/tcp | Connect via TCP and optionally verify the endpoint by sending and/or receiving a custom payload. | TCP options (Heartbeat docs) |
View network traffic between the servers of your network
| Input | Description | Learn more |
|---|---|---|
packet | Sniffs the traffic between your servers, parses the application-level protocols on the fly, and correlates the messages into transactions. | Packetbeat overview (Packetbeat docs) |