diff --git a/docs/copied-from-beats/docs/command-reference.asciidoc b/docs/copied-from-beats/docs/command-reference.asciidoc index 3c393a3d332..fbce53a8421 100644 --- a/docs/copied-from-beats/docs/command-reference.asciidoc +++ b/docs/copied-from-beats/docs/command-reference.asciidoc @@ -704,12 +704,10 @@ the end of the file is reached. By default harvesters are closed after `close_inactive` is reached. endif::[] -ifeval::["{beatname_lc}"=="metricbeat"] *`--system.hostfs MOUNT_POINT`*:: -Specifies the mount point of the host's filesystem for use in monitoring a host -from within a container. -endif::[] +Specifies the mount point of the host's filesystem for use in monitoring a host. + ifeval::["{beatname_lc}"=="packetbeat"] *`-t`*:: diff --git a/docs/copied-from-beats/docs/loggingconfig.asciidoc b/docs/copied-from-beats/docs/loggingconfig.asciidoc index 2d2e9eaa065..dabece8e98f 100644 --- a/docs/copied-from-beats/docs/loggingconfig.asciidoc +++ b/docs/copied-from-beats/docs/loggingconfig.asciidoc @@ -156,6 +156,12 @@ To see which selectors are available, run {beatname_uc} in debug mode after the log level and is enclosed in brackets. ===== +To configure multiple selectors, use the following {beats-ref}/config-file-format.html[YAML list syntax]: +["source","yaml",subs="attributes"] +---- +logging.selectors: [ harvester, input ] +---- + ifndef::serverless[] To override selectors at the command line, use the `-d` global flag (`-d` also sets the debug log level). For more information, see <>. @@ -164,10 +170,11 @@ endif::serverless[] [float] ==== `logging.metrics.enabled` -If enabled, {beatname_uc} periodically logs its internal metrics that have +By default, {beatname_uc} periodically logs its internal metrics that have changed in the last period. For each metric that changed, the delta from the value at the beginning of the period is logged. Also, the total values for all -non-zero internal metrics are logged on shutdown. The default is true. +non-zero internal metrics are logged on shutdown. Set this to false to disable +this behavior. The default is true. Here is an example log line: @@ -249,7 +256,8 @@ When true, logs messages in JSON format. The default is false. [float] ==== `logging.ecs` -When true, logs messages in Elastic Common Schema (ECS) compliant format. +When true, logs messages with minimal required Elastic Common Schema (ECS) +information. ifndef::serverless[] [float] diff --git a/docs/copied-from-beats/docs/monitoring/monitoring-metricbeat.asciidoc b/docs/copied-from-beats/docs/monitoring/monitoring-metricbeat.asciidoc index d0cf30c9ed5..47168cc1870 100644 --- a/docs/copied-from-beats/docs/monitoring/monitoring-metricbeat.asciidoc +++ b/docs/copied-from-beats/docs/monitoring/monitoring-metricbeat.asciidoc @@ -83,6 +83,32 @@ For more information, see <>. -- +. Configure host (optional). + ++ +-- +// tag::set-http-host[] +If you intend to get metrics using {metricbeat} installed on another server, you need to bind the {beatname_uc} to host's IP: + +[source,yaml] +---------------------------------- +http.host: xxx.xxx.xxx.xxx +---------------------------------- +// end::set-http-host[] +-- + +. Configure cluster uuid (optional). + ++ +-- +// tag::set-cluster-uuid[] +To see the Beats monitoring section in Kibana if you have a cluster, you need to associate the {beatname_uc} with cluster UUID: + +[source,yaml] +---------------------------------- +monitoring.cluster_uuid: "cluster-uuid" +---------------------------------- +// end::set-cluster-uuid[] +-- + ifndef::serverless[] . Start {beatname_uc}. endif::[] diff --git a/docs/copied-from-beats/docs/shared-docker.asciidoc b/docs/copied-from-beats/docs/shared-docker.asciidoc index b943a58785f..6b73a6d90a7 100644 --- a/docs/copied-from-beats/docs/shared-docker.asciidoc +++ b/docs/copied-from-beats/docs/shared-docker.asciidoc @@ -5,13 +5,13 @@ Docker images for {beatname_uc} are available from the Elastic Docker registry. The base image is https://hub.docker.com/_/centos/[centos:7]. A list of all published Docker images and tags is available at -https://www.docker.elastic.co[www.docker.elastic.co]. +https://www.docker.elastic.co[www.docker.elastic.co]. -These images are free to use under the Elastic license. They contain open source -and free commercial features and access to paid commercial features. -{kibana-ref}/managing-licenses.html[Start a 30-day trial] to try out all of the -paid commercial features. See the -https://www.elastic.co/subscriptions[Subscriptions] page for information about +These images are free to use under the Elastic license. They contain open source +and free commercial features and access to paid commercial features. +{kibana-ref}/managing-licenses.html[Start a 30-day trial] to try out all of the +paid commercial features. See the +https://www.elastic.co/subscriptions[Subscriptions] page for information about Elastic license levels. ==== Pull the image @@ -34,8 +34,8 @@ docker pull {dockerimage} ------------------------------------------------ Alternatively, you can download other Docker images that contain only features -available under the Apache 2.0 license. To download the images, go to -https://www.docker.elastic.co[www.docker.elastic.co]. +available under the Apache 2.0 license. To download the images, go to +https://www.docker.elastic.co[www.docker.elastic.co]. endif::[] @@ -129,7 +129,7 @@ endif::apm-server[] ==== Configure {beatname_uc} on Docker The Docker image provides several methods for configuring {beatname_uc}. The -conventional approach is to provide a configuration file via a volume mount, but +conventional approach is to provide a configuration file via a volume mount, but it's also possible to create a custom image with your configuration included. @@ -244,6 +244,7 @@ ifeval::["{beatname_lc}"=="apm-server"] ["source", "sh", subs="attributes"] -------------------------------------------- docker run -d \ + -p 8200:8200 \ --name={beatname_lc} \ --user={beatname_lc} \ --volume="$(pwd)/{beatname_lc}.docker.yml:/usr/share/{beatname_lc}/{beatname_lc}.yml:ro" \ diff --git a/docs/copied-from-beats/docs/shared-path-config.asciidoc b/docs/copied-from-beats/docs/shared-path-config.asciidoc index e6264dbca6f..33390ca7faa 100644 --- a/docs/copied-from-beats/docs/shared-path-config.asciidoc +++ b/docs/copied-from-beats/docs/shared-path-config.asciidoc @@ -106,3 +106,20 @@ Example: ------------------------------------------------------------------------------ path.logs: /var/log/beats ------------------------------------------------------------------------------ + +[float] +==== `system.hostfs` + +Specifies the mount point of the host's filesystem for use in monitoring a host. +This can either be set in the config, or with the `--system.hostfs` CLI flag. This is used for cgroup self-monitoring. +ifeval::["{beatname_lc}"=="metricbeat"] +This is also used by the system module to read files from `/proc` and `/sys`. +endif::[] + + +Example: + +[source,yaml] +------------------------------------------------------------------------------ +system.hostfs: /mount/rootfs +------------------------------------------------------------------------------ diff --git a/docs/copied-from-beats/docs/shared-ssl-config.asciidoc b/docs/copied-from-beats/docs/shared-ssl-config.asciidoc index ce573aae38d..ec0690397a5 100644 --- a/docs/copied-from-beats/docs/shared-ssl-config.asciidoc +++ b/docs/copied-from-beats/docs/shared-ssl-config.asciidoc @@ -87,25 +87,155 @@ Example module with SSL enabled: ---- endif::[] -[float] -=== Configuration options +There are a number of SSL configuration options available to you: + +* <> +* <> +* <> + +[discrete] +[[ssl-common-config]] +=== Common configuration options -You can specify the following options in the `ssl` section of the +{beatname_lc}.yml+ config file: +Common SSL configuration options can be used in both client and server configurations. +You can specify the following options in the `ssl` section of each subsystem that +supports SSL. [float] +[[enabled]] ==== `enabled` -The `enabled` setting can be used to disable the ssl configuration by setting -it to `false`. The default value is `true`. +To disable SSL configuration, set the value to `false`. The default value is `true`. -NOTE: SSL settings are disabled if either `enabled` is set to `false` or the +[NOTE] +===== +SSL settings are disabled if either `enabled` is set to `false` or the `ssl` section is missing. +===== + +[float] +[[supported-protocols]] +==== `supported_protocols` + +List of allowed SSL/TLS versions. If SSL/TLS server decides for protocol versions +not configured, the connection will be dropped during or after the handshake. The +setting is a list of allowed protocol versions: +`SSLv3`, `TLSv1` for TLS version 1.0, `TLSv1.0`, `TLSv1.1`, `TLSv1.2`, and +`TLSv1.3`. + +The default value is `[TLSv1.1, TLSv1.2, TLSv1.3]`. + +[float] +[[cipher-suites]] +==== `cipher_suites` + +The list of cipher suites to use. The first entry has the highest priority. +If this option is omitted, the Go crypto library's https://golang.org/pkg/crypto/tls/[default suites] +are used (recommended). Note that TLS 1.3 cipher suites are not +individually configurable in Go, so they are not included in this list. + +// tag::cipher_suites[] +The following cipher suites are available: + +[options="header"] +|=== +| Cypher | Notes +| ECDHE-ECDSA-AES-128-CBC-SHA | +| ECDHE-ECDSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. +| ECDHE-ECDSA-AES-128-GCM-SHA256 | TLS 1.2 only. +| ECDHE-ECDSA-AES-256-CBC-SHA | +| ECDHE-ECDSA-AES-256-GCM-SHA384 | TLS 1.2 only. +| ECDHE-ECDSA-CHACHA20-POLY1305 | TLS 1.2 only. +| ECDHE-ECDSA-RC4-128-SHA | Disabled by default. RC4 not recommended. +| ECDHE-RSA-3DES-CBC3-SHA | +| ECDHE-RSA-AES-128-CBC-SHA | +| ECDHE-RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. +| ECDHE-RSA-AES-128-GCM-SHA256 | TLS 1.2 only. +| ECDHE-RSA-AES-256-CBC-SHA | +| ECDHE-RSA-AES-256-GCM-SHA384 | TLS 1.2 only. +| ECDHE-RSA-CHACHA20-POLY1205 | TLS 1.2 only. +| ECDHE-RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. +| RSA-3DES-CBC3-SHA | +| RSA-AES-128-CBC-SHA | +| RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. +| RSA-AES-128-GCM-SHA256 | TLS 1.2 only. +| RSA-AES-256-CBC-SHA | +| RSA-AES-256-GCM-SHA384 | TLS 1.2 only. +| RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. +|=== + +Here is a list of acronyms used in defining the cipher suites: + +* 3DES: + Cipher suites using triple DES + +* AES-128/256: + Cipher suites using AES with 128/256-bit keys. + +* CBC: + Cipher using Cipher Block Chaining as block cipher mode. + +* ECDHE: + Cipher suites using Elliptic Curve Diffie-Hellman (DH) ephemeral key exchange. + +* ECDSA: + Cipher suites using Elliptic Curve Digital Signature Algorithm for authentication. + +* GCM: + Galois/Counter mode is used for symmetric key cryptography. + +* RC4: + Cipher suites using RC4. + +* RSA: + Cipher suites using RSA. + +* SHA, SHA256, SHA384: + Cipher suites using SHA-1, SHA-256 or SHA-384. +// end::cipher_suites[] [float] +[[curve-types]] +==== `curve_types` + +The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange). + +The following elliptic curve types are available: + +* P-256 +* P-384 +* P-521 +* X25519 + +[float] +[[ca-sha256]] +==== `ca_sha256` + +This configures a certificate pin that you can use to ensure that a specific certificate is part of the verified chain. + +The pin is a base64 encoded string of the SHA-256 of the certificate. + +NOTE: This check is not a replacement for the normal SSL validation, but it adds additional validation. +If this option is used with `verification_mode` set to `none`, the check will always fail because +it will not receive any verified chains. + +[discrete] +[[ssl-client-config]] +=== Client configuration options + +You can specify the following options in the `ssl` section of each subsystem that +supports SSL. + +[float] +[[client-certificate-authorities]] ==== `certificate_authorities` -The list of root certificates for server verifications. If `certificate_authorities` is empty or not set, the trusted certificate authorities of the host system are used. If `certificate_authorities` is self-signed, the host system needs to trust that CA cert as well. -By default you can specify a list of file that +{beatname_lc} will read, but you can also embed a certificate directly in the `YAML` configuration: +The list of root certificates for verifications is required. If `certificate_authorities` is empty or not set, the +system keystore is used. If `certificate_authorities` is self-signed, the host system +needs to trust that CA cert as well. + +By default you can specify a list of files that +{beatname_lc}+ will read, but you +can also embed a certificate directly in the `YAML` configuration: [source,yaml] ---- @@ -133,16 +263,17 @@ certificate_authorities: ---- [float] -[[certificate]] +[[client-certificate]] ==== `certificate: "/etc/pki/client/cert.pem"` -The path to the certificate for SSL client authentication. If the certificate +The path to the certificate for SSL client authentication is only required if +`client_authentication` is specified. If the certificate is not specified, client authentication is not available. The connection might fail if the server requests client authentication. If the SSL server does not require client authentication, the certificate will be loaded, but not requested or used by the server. -When this option is configured, the <> option is also required. +When this option is configured, the <> option is also required. The certificate option support embedding of the certificate: [source,yaml] @@ -169,13 +300,12 @@ certificate: | -----END CERTIFICATE----- ---- - [float] -[[key]] +[[client-key]] ==== `key: "/etc/pki/client/cert.key"` -The client certificate key used for client authentication. This option is required if <> is specified. -The key option support embedding of the private key: +The client certificate key used for client authentication and is only required +if `client_authentication` is configured. The key option support embedding of the private key: [source,yaml] ---- @@ -211,153 +341,230 @@ key: | ---- [float] +[[client-key-passphrase]] ==== `key_passphrase` The passphrase used to decrypt an encrypted key stored in the configured `key` file. -[float] -==== `supported_protocols` - -List of allowed SSL/TLS versions. If SSL/TLS server decides for protocol versions -not configured, the connection will be dropped during or after the handshake. The -setting is a list of allowed protocol versions: -`SSLv3`, `TLSv1` for TLS version 1.0, `TLSv1.0`, `TLSv1.1`, `TLSv1.2`, and -`TLSv1.3`. - -The default value is `[TLSv1.1, TLSv1.2, TLSv1.3]`. [float] +[[client-verification-mode]] ==== `verification_mode` -Controls the verification of certificates. Valid values are: +Controls the verification of server certificates. Valid values are: - * `full`, which verifies that the provided certificate is signed by a trusted +`full`:: +Verifies that the provided certificate is signed by a trusted authority (CA) and also verifies that the server's hostname (or IP address) matches the names identified within the certificate. - * `certificate`, which verifies that the provided certificate is signed by a + +`strict`:: +Verifies that the provided certificate is signed by a trusted +authority (CA) and also verifies that the server's hostname (or IP address) +matches the names identified within the certificate. If the Subject Alternative +Name is empty, it returns an error. + +`certificate`:: +Verifies that the provided certificate is signed by a trusted authority (CA), but does not perform any hostname verification. - * `none`, which performs _no verification_ of the server's certificate. This + +`none`:: +Performs _no verification_ of the server's certificate. This mode disables many of the security benefits of SSL/TLS and should only be used -after very careful consideration. It is primarily intended as a temporary +after cautious consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors; its use in production environments is strongly discouraged. - ++ The default value is `full`. -[float] -==== `cipher_suites` +[discrete] +[[ssl-server-config]] +=== Server configuration options -The list of cipher suites to use. The first entry has the highest priority. -If this option is omitted, the Go crypto library's https://golang.org/pkg/crypto/tls/[default suites] -are used (recommended). Note that TLS 1.3 cipher suites are not -individually configurable in Go, so they are not included in this list. +You can specify the following options in the `ssl` section of each subsystem that +supports SSL. -// tag::cipher_suites[] -The following cipher suites are available: - -[options="header"] -|=== -| Cypher | Notes -| ECDHE-ECDSA-AES-128-CBC-SHA | -| ECDHE-ECDSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. -| ECDHE-ECDSA-AES-128-GCM-SHA256 | TLS 1.2 only. -| ECDHE-ECDSA-AES-256-CBC-SHA | -| ECDHE-ECDSA-AES-256-GCM-SHA384 | TLS 1.2 only. -| ECDHE-ECDSA-CHACHA20-POLY1305 | TLS 1.2 only. -| ECDHE-ECDSA-RC4-128-SHA | Disabled by default. RC4 not recommended. -| ECDHE-RSA-3DES-CBC3-SHA | -| ECDHE-RSA-AES-128-CBC-SHA | -| ECDHE-RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. -| ECDHE-RSA-AES-128-GCM-SHA256 | TLS 1.2 only. -| ECDHE-RSA-AES-256-CBC-SHA | -| ECDHE-RSA-AES-256-GCM-SHA384 | TLS 1.2 only. -| ECDHE-RSA-CHACHA20-POLY1205 | TLS 1.2 only. -| ECDHE-RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. -| RSA-3DES-CBC3-SHA | -| RSA-AES-128-CBC-SHA | -| RSA-AES-128-CBC-SHA256 | TLS 1.2 only. Disabled by default. -| RSA-AES-128-GCM-SHA256 | TLS 1.2 only. -| RSA-AES-256-CBC-SHA | -| RSA-AES-256-GCM-SHA384 | TLS 1.2 only. -| RSA-RC4-128-SHA | Disabled by default. RC4 not recommended. -|=== +[float] +[[server-certificate-authorities]] +==== `certificate_authorities` -Here is a list of acronyms used in defining the cipher suites: +The list of root certificates for client verifications is only required if +`client_authentication` is configured. If `certificate_authorities` is empty or not set, and +`client_authentication` is configured, the system keystore is used. -* 3DES: - Cipher suites using triple DES +If `certificate_authorities` is self-signed, the host system needs to trust that CA cert as well. +By default you can specify a list of files that +{beatname_lc}+ will read, but you can also embed a certificate +directly in the `YAML` configuration: -* AES-128/256: - Cipher suites using AES with 128/256-bit keys. +[source,yaml] +---- +certificate_authorities: + - | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- +---- -* CBC: - Cipher using Cipher Block Chaining as block cipher mode. +[float] +[[server-certificate]] +==== `certificate: "/etc/pki/server/cert.pem"` -* ECDHE: - Cipher suites using Elliptic Curve Diffie-Hellman (DH) ephemeral key exchange. +For server authentication, the path to the SSL authentication certificate must +be specified for TLS. If the certificate is not specified, startup will fail. -* ECDSA: - Cipher suites using Elliptic Curve Digital Signature Algorithm for authentication. +When this option is configured, the <> option is also required. +The certificate option support embedding of the certificate: -* GCM: - Galois/Counter mode is used for symmetric key cryptography. +[source,yaml] +---- +certificate: | + -----BEGIN CERTIFICATE----- + MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + sxSmbIUfc2SGJGCJD4I= + -----END CERTIFICATE----- +---- -* RC4: - Cipher suites using RC4. +[float] +[[server-key]] +==== `key: "/etc/pki/server/cert.key"` -* RSA: - Cipher suites using RSA. +The server certificate key used for authentication is required. +The key option support embedding of the private key: -* SHA, SHA256, SHA384: - Cipher suites using SHA-1, SHA-256 or SHA-384. -// end::cipher_suites[] +[source,yaml] +---- +key: | + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI + sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP + Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F + KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2 + MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z + HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ + nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx + Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0 + eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/ + Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM + epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve + Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn + BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8 + VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU + zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5 + GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA + 5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7 + TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF + hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li + e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze + Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T + kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+ + kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav + NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K + 0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc + nygO9KTJuUiBrLr0AHEnqko= + -----END PRIVATE KEY----- +---- [float] -==== `curve_types` +[[server-key-passphrase]] +==== `key_passphrase` -The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange). +The passphrase is used to decrypt an encrypted key stored in the configured `key` file. -The following elliptic curve types are available: +[float] +[[server-verification-mode]] +==== `verification_mode` -* P-256 -* P-384 -* P-521 -* X25519 +Controls the verification of client certificates. Valid values are: -[float] -==== `renegotiation` +`full`:: +Verifies that the provided certificate is signed by a trusted +authority (CA) and also verifies that the server's hostname (or IP address) +matches the names identified within the certificate. -This configures what types of TLS renegotiation are supported. The valid options -are `never`, `once`, and `freely`. The default value is never. +`strict`:: +Verifies that the provided certificate is signed by a trusted +authority (CA) and also verifies that the server's hostname (or IP address) +matches the names identified within the certificate. If the Subject Alternative +Name is empty, it returns an error. -* `never` - Disables renegotiation. -* `once` - Allows a remote server to request renegotiation once per connection. -* `freely` - Allows a remote server to repeatedly request renegotiation. +`certificate`:: +Verifies that the provided certificate is signed by a +trusted authority (CA), but does not perform any hostname verification. +`none`:: +Performs _no verification_ of the server's certificate. This +mode disables many of the security benefits of SSL/TLS and should only be used +after cautious consideration. It is primarily intended as a temporary +diagnostic mechanism when attempting to resolve TLS errors; its use in +production environments is strongly discouraged. ++ +The default value is `full`. [float] -==== `ca_sha256` +[[server-renegotiation]] +==== `renegotiation` -This configures a certificate pin that you can use to ensure that a specific certificate is part of the verified chain. +This configures what types of TLS renegotiation are supported. The valid options +are: -The pin is a base64 encoded string of the SHA-256 of the certificate. +`never`:: +Disables renegotiation. -NOTE: This check is not a replacement for the normal SSL validation, but it adds additional validation. -If this option is used with `verification_mode` set to `none`, the check will always fail because -it will not receive any verified chains. +`once`:: +Allows a remote server to request renegotiation once per connection. +`freely`:: +Allows a remote server to request renegotiation repeatedly. ++ +The default value is `never`. ifeval::["{beatname_lc}" == "filebeat"] [float] +[[server-client-renegotiation]] ==== `client_authentication` -This configures what types of client authentication are supported. The valid options -are `none`, `optional`, and `required`. When `certificate_authorities` is set it will -default to `required` otherwise it will be set to `none`. +The type of client authentication mode. When `certificate_authorities` is set, it +defaults to `required`. Otherwise, it defaults to `none`. + +The valid options are: + +`none`:: +Disables client authentication. -NOTE: This option is only valid with the TCP or the Syslog input. +`optional`:: +When a client certificate is supplied, the server will verify it. -* `none` - Disables client authentication. -* `optional` - When a client certificate is given, the server will verify it. -* `required` - Will require clients to provide a valid certificate. +`required`:: +Will require clients to provide a valid certificate. endif::[] diff --git a/docs/copied-from-beats/outputs/kafka/docs/kafka.asciidoc b/docs/copied-from-beats/outputs/kafka/docs/kafka.asciidoc index e1dcb77b6bb..026d0431345 100644 --- a/docs/copied-from-beats/outputs/kafka/docs/kafka.asciidoc +++ b/docs/copied-from-beats/outputs/kafka/docs/kafka.asciidoc @@ -5,14 +5,6 @@ Kafka ++++ -[IMPORTANT] -.Known issue in version 7.8.0 -==== -The Kafka output fails to connect when using multiple TLS brokers. We advise -not to upgrade to {beatname_uc} 7.8.0 if you're using the Kafka output in this -configuration. -==== - The Kafka output sends events to Apache Kafka. To use this output, edit the {beatname_uc} configuration file to disable the {es} @@ -79,12 +71,29 @@ See <> for information on supported versions. ===== `username` The username for connecting to Kafka. If username is configured, the password -must be configured as well. Only SASL/PLAIN is supported. +must be configured as well. ===== `password` The password for connecting to Kafka. +===== `sasl.mechanism` + +beta[] + +The SASL mechanism to use when connecting to Kafka. It can be one of: + +* `PLAIN` for SASL/PLAIN. +* `SCRAM-SHA-256` for SCRAM-SHA-256. +* `SCRAM-SHA-512` for SCRAM-SHA-512. + +If `sasl.mechanism` is not set, `PLAIN` is used if `username` and `password` +are provided. Otherwise, SASL authentication is disabled. + +To use `GSSAPI` mechanism to authenticate with Kerberos, you must leave this +field empty, and use the <> options. + + [[topic-option-kafka]] ===== `topic` @@ -300,6 +309,12 @@ The ACK reliability level required from broker. 0=no response, 1=wait for local Note: If set to 0, no ACKs are returned by Kafka. Messages might be lost silently on error. +===== `enable_krb5_fast` + +beta[] + +Enable Kerberos FAST authentication. This may conflict with some Active Directory installations. It is separate from the standard Kerberos settings because this flag only applies to the Kafka output. The default is `false`. + ===== `ssl` Configuration options for SSL parameters like the root CA for Kafka connections. @@ -308,6 +323,7 @@ Configuration options for SSL parameters like the root CA for Kafka connections. https://github.com/Shopify/sarama/wiki/Frequently-Asked-Questions#why-cant-sarama-connect-to-my-kafka-cluster-using-ssl[Filebeat's Kafka library]. See <> for more information. +[[kerberos-option-kafka]] ===== `kerberos` beta[]