/
0002-kafka-input.conf
25 lines (24 loc) · 1.4 KB
/
0002-kafka-input.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
# HELK Kafka input conf file
# HELK build Stage: Alpha
# Author: Roberto Rodriguez (@Cyb3rWard0g), Nate Guagenti (@neu5ron)
# License: GPL-3.0
input {
kafka {
bootstrap_servers => "helk-kafka-broker:9092"
topics => ["winlogbeat","winevent","SYSMON_JOIN","filebeat"]
decorate_events => true
codec => "json"
#max_poll_records => 500
############################# HELK Kafka Group Consumption #############################
# Enable logstash to not continuously restart consumption of docs/logs it already has. However if you need it to, then change the 'group_id' value to something else (ex: could be a simple value like '100_helk_logstash')
enable_auto_commit => true
# During group_id or client_id changes, the kafka client will consume from earliest document so as not to lose data
auto_offset_reset => "earliest"
# If you have multiple logstash instances, this is your ID so that each instance consumes a slice of the Kafka pie.
# No need to change this unless you know what your doing and for some reason have the need
group_id => "helk_logstash"
# Change to number of Kafka partitions, only change/set if scaling on large environment & customized your Kafka partitions
# Default value is 1, read documentation for more info: https://www.elastic.co/guide/en/logstash/current/plugins-inputs-kafka.html#plugins-inputs-kafka-consumer_threads
consumer_threads => 2
}
}