Execbeat is the Beat used to execute any command. Multiple commands can be configured which are executed in a regular interval and the standard output and standard error is shipped to the configured output channel.
Execbeat is inspired by the Logstash exec input filter but doesn't require that the endpoint is reachable by Logstash as Execbeat pushes the data to Logstash or Elasticsearch. This is often necessary in security restricted network setups, where Logstash is not able to reach all servers. Instead the server to be monitored itself has Execbeat installed and can send the data or a collector server has Execbeat installed which is deployed in the secured network environment and can reach all servers to be monitored.
Ensure that this folder is at the following location:
${GOPATH}/src/github.com/edgarm1964
Execbeat is built against the following Beats versions and if execbeat was able to connect to a running Elastic Search instance or not.
Build against | Connect to ES 6.5.1 | ES 6.8.0 | ES 7.0.0 | ES 7.1.1 | ES 7.2.0 |
---|---|---|---|---|---|
Beats 6.5.1 | OK | OK | Fails | N/T | N/T |
Beats 6.8.0 | OK | OK | OK | OK | OK |
Beats 6.8.1 | OK | OK | OK | OK | OK |
Beats 7.0.0 | OK | OK | OK | OK | OK |
Beats 7.1.1 | OK | OK | OK | OK | OK |
Beats 7.2.0 | OK | OK | OK | OK | OK |
N/T: Not Tested
Pre-compiled binaries for different operating systems are available for download.
Install the package for your operation system by running the respective package manager or unzipping the package.
Adjust the execbeat.yml
configuration file to your needs. You may take execbeat.reference.yml
as an example containing all possible configuration values. The output of the executed command is stored in the strings stdout
and stderr,
The exit code is stored in extiCode.
The command itself is stored in command.
All fields can be accessed using the processors
Beats provides. See Decode JSON fields example
The list is a YAML array, so each command begins with a dash (-
). You can specify multiple commands, and you can specify the same command type more than once. For example:
execbeat.commands:
- command: date
period: 2m
args: '+%Y%m%dT%H%M%S'
fields:
app: MyApplication
env: test
fields_under_root: true
If a command returns a JSON formatted string, it is possible to use processors to split the fields of such a string into separate fields. Example:
execbeat.commands:
- command: /usr/local/bin/a-json-script.sh
period: 5m
# args:
processors:
- decode_json_fields:
fields: ["stdout"]
process_array: true
max_depth: 1
target: ""
overwrite_keys: false
Visit processors for more information on processors and their use.
In order to start Execbeat please use the respective startup script, e.g. /usr/bin/execbeat.sh
. For more information, run execbeat --help
Where supported Execbeat can be started also using the respetive service scripts, e.g. etc/init.d/execbeat
.
To build the binary for execbeat run the command below. This will generate a binary in the same directory with the name execbeat.
make clean && make
To run execbeat with debugging output enabled, run:
./execbeat -c execbeat.yml -e -d '*'
To test execbeat, run the following command:
make testsuite
alternatively:
make unit-tests
make system-tests
make integration-tests
make coverage-report
The test coverage is reported in the folder ./build/coverage/
Each beat has a template for the mapping in elasticsearch and a documentation for the fields
which is automatically generated based on _meta/fields.yml
.
To generate docs/execbeat.template.json and docs/execbeat.asciidoc
make update
To clean execbeat source code, run the following commands:
make check
make simplify
To clean up the build directory and generated artifacts, run:
make clean
To clone execbeat from the git repository, run the following commands:
mkdir -p ${GOPATH}/github.com/edgarm1964
cd ${GOPATH}/github.com/edgarm1964
git clone https://github.com/edgarm1964/execbeat
For further development, check out the beat developer guide.
The beat frameworks provides tools to crosscompile and package your beat for different platforms. This requires docker and vendoring as described above. To build packages of your beat, run the following command:
make release
This will fetch and create all images required for the build process. The complete process to finish can take several minutes.
7.2.0 (2019-07-15) Download
Feature and Bugfix release containing the following changes:
- Update to beats v7.2.0
7.1.1 (2019-07-15) Download
Feature and Bugfix release containing the following changes:
- Update to beats v7.1.1
7.0.0 (2019-07-11) Download
Feature and Bugfix release containing the following changes:
- Update to beats v7.0.0
6.8.1 (2019-07-08) Download
Feature and Bugfix release containing the following changes:
- Update to beats v6.8.1
6.8.0 (2019-06-20) Download
Feature and Bugfix release containing the following changes:
- Update to beats v6.8.0
6.5.1 (2019-06-20) Download
Feature and Bugfix release containing the following changes:
- Update to beats v6.5.1
- Redesigned from the ground up following the Creating a New Beat guide
- execbeat.yml is incompatible with the ones from previous versions: change 'schedule' into 'period'
3.3.0 (2017-10-06) Download
Feature and Bugfix release containing the following changes:
- Update to beats v5.6.2
3.2.0 (2017-06-05) Download
Feature and bugfix release containing the following changes:
3.1.1 (2017-02-24) Download
Bugfix release containing the following changes:
3.1.0 (2017-02-23) Download
Feature and bugfix release containing the following changes:
- The exit code of the command executed is now exported in field
exitCode
. - Fix: Examples were not fully updated with configuration changes introduced in 3.0.0.
3.0.1 (2017-02-21) Download
Bugfix release containing the following changes:
3.0.0 (2017-02-19) Download
Feature and bugfix release containing the following breaking changes:
- Renamed configuration parameter
execs
tocommands
. Please update your configuration accordingly. - Renamed configuration parameter
cron
toschedule
. Please update your configuration accordingly. - Update to beats v5.2.1
- Fix: Default schedule not working
2.2.0 (2017-02-04) Download
Feature release containing the following changes:
- Update to beats v5.2.0
2.1.1 (2017-01-14) Download
Starting with this release pre-compiled binaries for different operating systems are available under the respective tag in the github project.
Bugfix release containing the following changes:
- Move files into correct place to allow correct bulding with
make package
- Move files into correct place to allow correct bulding with
make update
- Cleanup of documentation
- Update to beats v5.1.2
- Update to Go 1.7.4
Feature release containing the following changes:
- Update to beats v5.1.1
Feature release containing the following changes:
- Update to beats v5.0.1
Please note that this release contains the following breaking changes introduced by beats 5.0.X, see also Beats Changelog
- SSL Configuration
- rename tls configurations section to ssl
- rename certificate_key configuration to key.
- replace tls.insecure with ssl.verification_mode setting.
- replace tls.min/max_version with ssl.supported_protocols setting requiring full protocol name
Feature release containing the following changes:
- Update to Go 1.6
- Update to libbeat 1.2.3
- Use Glide for dependency management
Bugfix release containing the following changes:
- Initial release
See here for more information.
There is exactly one document type exported:
type: execbeat
command execution information, e.g. standard output and standard error. The type can be changed by setting the document_type attribute.
See here for a detailed description of all exported fields.
{ "_index": "execbeat-2015.12.26", "_type": "execbeat", "_source": { "@timestamp": "2015-12-26T02:18:53.001Z", "beat": { "hostname": "mbp.box", "name": "mbp.box" }, "count": 1, "fields": { "host": "test" }, "exec": { "command": "echo", "exitCode": 0, "stdout": "Hello World\n" }, "fields": { "host": "test2" }, "type": "execbeat" }, "sort": [ 1449314173 ] }
To apply the Execbeat template:
curl -XPUT 'http://localhost:9200/_template/execbeat' -d@etc/execbeat.template.json
All sorts of contributions are welcome. Please create a pull request and/or issue.