Collect metrics and logs from Elastic Beats, and monitor them with Axiom.
Events are timestamped in the `_time` field; when you override the timestamp field, use the query parameter `?timestamp-field` to set a field as the time field.

Add `setup.ilm.enabled: false` to the `filebeat.yml` configuration file.
Replace `AXIOM_DOMAIN` with `api.axiom.co` if your organization uses the US region, and with `api.eu.axiom.co` if your organization uses the EU region. For more information, see Regions.

Replace `API_TOKEN` with the Axiom API token you have generated. For added security, store the API token in an environment variable.

Replace `DATASET_NAME` with the name of the Axiom dataset where you want to send data.
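The three rules above (ILM disabled, the token referenced from an environment variable rather than written into the file, and the host matching your region's domain) can be checked before a Beats config is deployed. This is an added example, not Axiom's or Elastic's code; the `output.elasticsearch` block with `api_key` in the constructed sample is an assumption about how the output section is laid out.

```python
import re

# Constructed sample config following the page's rules (not the page's own
# YAML): ILM disabled, token taken from an environment variable. The
# output.elasticsearch/api_key layout is an assumption about the output block.
SAMPLE_CONFIG = """\
setup.ilm.enabled: false
output.elasticsearch:
  hosts: ["https://api.axiom.co"]
  api_key: "${AXIOM_API_TOKEN}"
"""

REGION_DOMAIN = {"us": "api.axiom.co", "eu": "api.eu.axiom.co"}
# Beats expands ${VAR} and ${VAR:default} from the environment at startup.
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*(:[^}]*)?\}$")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def check_beats_config(text: str, region: str = "us") -> list:
    """Return findings for a Beats config; an empty list means it passes."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines()]
    if "setup.ilm.enabled: false" not in lines:
        findings.append("setup.ilm.enabled: false is missing")
    for ln in lines:
        key, sep, value = ln.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip().strip("\"'")
        # A literal token in the file ends up in backups, repos and support bundles.
        if key == "api_key" and not ENV_REF.match(value):
            findings.append("api_key is a literal token; reference an environment variable")
        # Every URL in the config must point at the domain for the chosen region.
        for host in HOST_RE.findall(value):
            if host != REGION_DOMAIN[region]:
                findings.append(f"host {host} is not the {region.upper()} domain {REGION_DOMAIN[region]}")
    return findings
```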
Extract Winlogbeat into `C:\Program Files` and rename the `winlogbeat-$version` directory to `Winlogbeat`. The `winlogbeat.yml` file is in `C:\Program Files\Winlogbeat`.

Edit the `winlogbeat.yml` configuration file found in `C:\Program Files\Winlogbeat` to send data to Axiom. The `winlogbeat.yml` file specifies which Windows event logs and services Winlogbeat monitors, and how far back in time it reads.
The `ignore_older` option in the Winlogbeat configuration is used to ignore older events.

Winlogbeat reads from the Windows event log system. When it starts up, it starts reading from a specific point in the event log. By default, Winlogbeat starts reading new events created after Winlogbeat started.

However, you might want Winlogbeat to read some older events as well. For instance, if you restart Winlogbeat, you might want it to continue where it left off, rather than skipping all the events that were created while it wasn't running. In this case, you can use the `ignore_older` option to specify how old the events Winlogbeat reads may be. The `ignore_older` option takes a duration as a value. Any events that are older than this duration are ignored. The duration is a string of a number followed by a unit. Units can be one of `ms` (milliseconds), `s` (seconds), `m` (minutes), `h` (hours) or `d` (days).
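The duration format and the cutoff it implies are easy to get wrong (for example `72hours` is not valid, and `m` is minutes, not months). The following added example, which is not Winlogbeat's own code, parses the unit forms listed above and applies the cutoff to a constructed set of events to show which ones a given `ignore_older` value would keep.

```python
from datetime import datetime, timedelta, timezone

# Units accepted by ignore_older, as listed on this page, in seconds.
UNITS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value: str) -> timedelta:
    """Parse an ignore_older value such as '72h' or '500ms' into a timedelta."""
    value = value.strip()
    # Try 'ms' before 'm' and 's' so '500ms' is not read as 500 seconds.
    for unit in sorted(UNITS, key=len, reverse=True):
        if value.endswith(unit):
            number = value[: -len(unit)]
            if number and number.replace(".", "", 1).isdigit():
                return timedelta(seconds=float(number) * UNITS[unit])
            break
    raise ValueError(f"invalid ignore_older duration: {value!r}")


def select_events(events, ignore_older: str, now: datetime) -> list:
    """Return the events Winlogbeat would read: those newer than now - ignore_older."""
    cutoff = now - parse_duration(ignore_older)
    return [e for e in events if e["time"] > cutoff]


# Constructed sample events (not real Windows event log data).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"id": 4624, "time": NOW - timedelta(hours=1)},
    {"id": 4625, "time": NOW - timedelta(hours=50)},
    {"id": 4688, "time": NOW - timedelta(days=4)},
]
```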
Start Winlogbeat by running `.\winlogbeat.exe -c winlogbeat.yml` in the Winlogbeat installation directory.

The event logs to collect are specified with the `winlogbeat.event_logs` configuration option.
For more information on Winlogbeat event logs, visit the Winlogbeat documentation.
Heartbeat provides three monitor types:

- ICMP monitor: use the `icmp` monitor when you simply want to check whether a service is available. This monitor requires root access.
- TCP monitor: connects via TCP. You can optionally configure this monitor to verify the endpoint by sending and/or receiving a custom payload.
- HTTP monitor: connects via HTTP. You can optionally configure this monitor to verify that the service returns the expected response, such as a specific status code, response header, or content.

In `heartbeat.yml`, specify the list of monitors that you want to enable. Each item in the list begins with a dash (-). The example below configures Heartbeat to use three monitors: an ICMP monitor, a TCP monitor, and an HTTP monitor, with the results sent instantly to Axiom.
In `auditbeat.yml`, the example below configures Auditbeat to use the `file_integrity` module, which generates events whenever a file in one of the specified paths changes on disk. The events contain the file metadata and hashes, and they are sent instantly to Axiom.
In `packetbeat.yml`, configure the network devices and protocols to capture traffic from.

To see a list of available devices for the `packetbeat.yml` configuration, run:

| OS type | Command |
|---|---|
| DEB | Run `packetbeat devices` |
| RPM | Run `packetbeat devices` |
| macOS | Run `./packetbeat devices` |
| Brew | Run `packetbeat devices` |
| Linux | Run `./packetbeat devices` |
| Windows | Run `PS C:\Program Files\Packetbeat> .\packetbeat.exe devices` |

The supported sniffer types are `pcap` and `af_packet`.
Configure the path of your systemd journal files. Each path can be a directory path (to collect events from all journals in a directory) or the path of a single journal file, and the collected logs are sent instantly to Axiom.