Execbeat is the Beat used to execute any command. Multiple commands can be configured; each is executed at a regular interval, and its standard output and standard error are shipped to the configured output channel.
Execbeat is inspired by the Logstash exec input filter, but it doesn't require that the endpoint be reachable by Logstash, because Execbeat pushes the data to Logstash or Elasticsearch. This is often necessary in security-restricted network setups, where Logstash is not able to reach all servers. Instead, either the server to be monitored has Execbeat installed and sends the data itself, or a collector server deployed in the secured network environment has Execbeat installed and can reach all servers to be monitored.
See here for more information.
There is exactly one document type exported:
type: execbeat holds command execution information, e.g. standard output and standard error. The type can be changed by setting the document_type attribute.
See here for a detailed description of all exported fields.
{
  "_index": "execbeat-2015.12.26",
  "_type": "execbeat",
  "_source": {
    "@timestamp": "2015-12-26T02:18:53.001Z",
    "beat": {
      "hostname": "mbp.box",
      "name": "mbp.box"
    },
    "count": 1,
    "fields": {
      "host": "test"
    },
    "exec": {
      "command": "echo",
      "stdout": "Hello World\n"
    },
    "fields": {
      "host": "test2"
    },
    "type": "execbeat"
  },
  "sort": [
    1449314173
  ]
}
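The following Go example is added for illustration and is not Execbeat's own code: it runs one command as an argument vector (no shell) under a timeout, captures standard output and standard error separately, and builds an event shaped like the sample document above. The names `runOnce`, `Event` and `ExecResult`, the timeout handling and the `stderr` key name are assumptions.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"os/exec"
	"time"
)

// ExecResult mirrors the "exec" object of the exported document.
// The "stderr" key name is an assumption; the sample shows only command and stdout.
type ExecResult struct {
	Command string `json:"command"`
	Stdout  string `json:"stdout,omitempty"`
	Stderr  string `json:"stderr,omitempty"`
}

// Event mirrors the "_source" fields visible in the sample document.
type Event struct {
	Timestamp time.Time         `json:"@timestamp"`
	Type      string            `json:"type"`
	Fields    map[string]string `json:"fields,omitempty"`
	Exec      ExecResult        `json:"exec"`
}

// runOnce executes name with args as an argv vector, so arguments are never
// re-parsed by a shell, and kills the process if it runs longer than timeout.
func runOnce(timeout time.Duration, docType string, fields map[string]string, name string, args ...string) (Event, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	var stdout, stderr bytes.Buffer
	cmd := exec.CommandContext(ctx, name, args...)
	cmd.Stdout, cmd.Stderr = &stdout, &stderr
	err := cmd.Run() // a non-zero exit or timeout is returned; captured output is kept
	return Event{
		Timestamp: time.Now().UTC(),
		Type:      docType,
		Fields:    fields,
		Exec:      ExecResult{Command: name, Stdout: stdout.String(), Stderr: stderr.String()},
	}, err
}

func main() {
	ev, err := runOnce(5*time.Second, "execbeat", map[string]string{"host": "test2"}, "echo", "Hello World")
	out, _ := json.MarshalIndent(ev, "", "  ")
	fmt.Println(string(out), err)
}
```

Because the command and its arguments are passed separately, a value such as `a; echo b` reaches the program as one literal argument, which matters when the configured commands run on every monitored server.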
To apply the Execbeat template:
curl -XPUT 'http://localhost:9200/_template/execbeat' -d@etc/execbeat.template.json
# Build
GOPATH=<your go path> make execbeat
# Test
GOPATH=<your go path> make test
# Run
./execbeat -c /etc/execbeat/execbeat.yml
All sorts of contributions are welcome. Please create a pull request and/or issue.