Configure inputs

To configure Filebeat manually (instead of using modules), you specify a list of inputs in the filebeat.inputs section of the filebeat.yml. Inputs specify how Filebeat locates and processes input data.

The list is a YAML array, so each input begins with a dash (-). You can specify multiple inputs, and you can specify the same input type more than once. For example:

filebeat.inputs:
- type: filestream
  id: my-filestream-id 1
  paths:
    - /var/log/system.log
    - /var/log/wifi.log
- type: filestream
  id: apache-filestream-id
  paths:
    - "/var/log/apache2/*"
  fields:
    apache: true
  fields_under_root: true

1. Each filestream input must have a unique ID to allow tracking the state of files.

For the most basic configuration, define a single input with a single path. For example:

filebeat.inputs:
- type: filestream
  id: my-filestream-id
  paths:
    - /var/log/*.log

The input in this example harvests all files in the path /var/log/*.log, which means that Filebeat will harvest all files in the directory /var/log/ that end with .log. All patterns supported by Go Glob are also supported here.

To fetch all files from a predefined level of subdirectories, use this pattern: /var/log/*/*.log. This fetches all .log files from the subfolders of /var/log. It does not fetch log files from the /var/log folder itself. Currently it is not possible to recursively fetch all files in all subdirectories of a directory.

You can configure Filebeat to use the following inputs:

• AWS CloudWatch
• AWS S3
• Azure Event Hub
• Azure Blob Storage
• Benchmark
• CEL
• Cloud Foundry
• CometD
• Container
• Entity Analytics
• ETW
• filestream
• GCP Pub/Sub
• Google Cloud Storage
• HTTP Endpoint
• HTTP JSON
• journald
• Kafka
• Log (deprecated in 7.16.0, use filestream)
• MQTT
• NetFlow
• Office 365 Management Activity API
• Redis
• Salesforce
• Stdin
• Streaming
• Syslog
• TCP
• UDP
• Unified Logs
• Unix
• winlog