Overview
Execbeat is the Beat used to execute any command. Multiple commands can be configured which are executed in a regular interval and the standard output and standard error is shipped to the configured output channel.
Execbeat is inspired by the Logstash exec input filter but doesn't require that the endpoint is reachable by Logstash as Execbeat pushes the data to Logstash or Elasticsearch. This is often necessary in security restricted network setups, where Logstash is not able to reach all servers. Instead the server to be monitored itself has Execbeat installed and can send the data or a collector server has Execbeat installed which is deployed in the secured network environment and can reach all servers to be monitored.
Ensure that this folder is at the following location:
${GOPATH}/src/github.com/christiangalsterer
Installation
Download
Pre-compiled binaries for different operating systems are available for download.
Installation
Install the package for your operation system by running the respective package manager or unzipping the package.
Configuration
Adjust the execbeat.yml configuration file to your needs. You may take execbeat.full.yml as an example containing all possible configuration values.
Running
In order to start Execbeat please use the respective startup script, e.g. /usr/bin/execbeat.sh.
Starting Execbeat as Service
Where supported Execbeat can be started also using the respetive service scripts, e.g. etc/init.d/execsbeat.
Building and Releasing Execbeat
Requirements
Build
To build the binary for execbeat run the command below. This will generate a binary in the same directory with the name execbeat.
make clean && make
Run
To run execbeat with debugging output enabled, run:
./execbeat -c execbeat.yml -e -d "*"
Test
To test execbeat, run the following command:
make testsuite
alternatively:
make unit-tests
make system-tests
make integration-tests
make coverage-report
The test coverage is reported in the folder ./build/coverage/
Update
Each beat has a template for the mapping in elasticsearch and a documentation for the fields
which is automatically generated based on etc/fields.yml.
To generate etc/execbeat.template.json and etc/execbeat.asciidoc
make update
Cleanup
To clean execbeat source code, run the following commands:
make check
make simplify
To clean up the build directory and generated artifacts, run:
make clean
Clone
To clone execbeat from the git repository, run the following commands:
mkdir -p ${GOPATH}/github.com/christiangalsterer
cd ${GOPATH}/github.com/christiangalsterer
git clone https://github.com/christiangalsterer/execbeat
For further development, check out the beat developer guide.
Packaging
The beat frameworks provides tools to crosscompile and package your beat for different platforms. This requires docker and vendoring as described above. To build packages of your beat, run the following command:
make package
This will fetch and create all images required for the build process. The complete process to finish can take several minutes.
Releases
3.3.0 (2017-10-06) Download
Feature and Bugfix release containing the following changes:
- Update to beats v5.6.2
3.2.0 (2017-06-05) Download
Feature and bugfix release containing the following changes:
3.1.1 (2017-02-24) Download
Bugfix release containing the following changes:
3.1.0 (2017-02-23) Download
Feature and bugfix release containing the following changes:
- The exit code of the command executed is now exported in field
exitCode. - Fix: Examples were not fully updated with configuration changes introduced in 3.0.0.
3.0.1 (2017-02-21) Download
Bugfix release containing the following changes:
3.0.0 (2017-02-19) Download
Feature and bugfix release containing the following breaking changes:
- Renamed configuration parameter
execstocommands. Please update your configuration accordingly. - Renamed configuration parameter
crontoschedule. Please update your configuration accordingly. - Update to beats v5.2.1
- Fix: Default schedule not working
2.2.0 (2017-02-04) Download
Feature release containing the following changes:
- Update to beats v5.2.0
2.1.1 (2017-01-14) Download
Starting with this release pre-compiled binaries for different operating systems are available under the respective tag in the github project.
Bugfix release containing the following changes:
- Move files into correct place to allow correct bulding with
make package - Move files into correct place to allow correct bulding with
make update - Cleanup of documentation
- Update to beats v5.1.2
- Update to Go 1.7.4
2.1.0 (2016-12-23)
Feature release containing the following changes:
- Update to beats v5.1.1
2.0.0 (2016-11-26)
Feature release containing the following changes:
- Update to beats v5.0.1
Please note that this release contains the following breaking changes introduced by beats 5.0.X, see also Beats Changelog
- SSL Configuration
- rename tls configurations section to ssl
- rename certificate_key configuration to key.
- replace tls.insecure with ssl.verification_mode setting.
- replace tls.min/max_version with ssl.supported_protocols setting requiring full protocol name
1.1.0 (2016-07-19)
Feature release containing the following changes:
- Update to Go 1.6
- Update to libbeat 1.2.3
- Use Glide for dependency management
1.0.1 (2016-02-15)
Bugfix release containing the following changes:
1.0.0 (2015-12-26)
- Initial release
Configuration
Configuration Options
See here for more information.
Exported Document Types
There is exactly one document type exported:
type: execbeatcommand execution information, e.g. standard output and standard error. The type can be changed by setting the document_type attribute.
Exported Fields
See here for a detailed description of all exported fields.
execbeat type
{
"_index": "execbeat-2015.12.26",
"_type": "execbeat",
"_source": {
"@timestamp": "2015-12-26T02:18:53.001Z",
"beat": {
"hostname": "mbp.box",
"name": "mbp.box"
},
"count": 1,
"fields": {
"host": "test"
},
"exec": {
"command": "echo",
"exitCode": 0,
"stdout": "Hello World\n"
},
"fields": {
"host": "test2"
},
"type": "execbeat"
},
"sort": [
1449314173
]
}
Elasticsearch Template
To apply the Execbeat template:
curl -XPUT 'http://localhost:9200/_template/execbeat' -d@etc/execbeat.template.json
Contribution
All sorts of contributions are welcome. Please create a pull request and/or issue.