.. _Input:

Input modules
=============

Beats
-----

Reads data from an elastic beats client, e.g. filebeat, and sends it to its outputs.

| **interface**: IP address to listen on.
| **port**: Port to listen on.
| **timeout**: Socket timeout in seconds.
| **tls**: Use TLS or not.
| **key**: Path to TLS key file.
| **cert**: Path to TLS cert file.
| **cacert**: Path to CA cert file.
| **tls_proto**: Set TLS protocol version.
| **max_buffer_size**: Maximum size of the receive buffer in kilobytes.

Configuration template:

::

    - input.Beats:
       interface:                       #
       port:                            #
       timeout:                         #
       tls:                             #
       key:                             #
       cert:                            #
       cacert:                          #
       tls_proto:                       #
       max_buffer_size:                 #
       receivers:
        - NextModule

ElasticSearch
-------------

Get documents from ElasticSearch.

The elasticsearch module takes care of discovering all nodes of the elasticsearch cluster.
Requests will then be load balanced via round robin.

| **query**: The query to be executed, in json format.
| **search_type**: The default search type will just return all found documents. If set to 'scan' it will return
|                  'batch_size' number of found documents, emit these as new events and then continue until all
|                  documents have been sent.
| **field_mappings**: Which fields from the result document to add to the new event.
|                     If set to 'all' the whole document will be sent unchanged.
|                     If a list is provided, these fields will be copied to the new event with the same field name.
|                     If a dictionary is provided, these fields will be copied to the new event with a new field name.
|                     E.g. if you want "_source.data" to be copied into the event's "data" field, use a mapping like:
|                     "{'_source.data': 'data'}".
|                     For nested values use the dot syntax as described in:
|                     http://lumbermill.readthedocs.org/en/latest/introduction.html#event-field-notation
| **nodes**: Configures the elasticsearch nodes.
| **read_timeout**: Set number of seconds to wait until requests to elasticsearch will time out.
| **connection_type**: One of: 'thrift', 'http'.
| **http_auth**: 'user:password'.
| **use_ssl**: One of: True, False.
| **index_name**: Sets the index name. Time patterns like %Y.%m.%d are allowed here.
| **sniff_on_start**: The client can be configured to inspect the cluster state to get a list of nodes upon startup.
|                     Might cause problems on hosts with multiple interfaces. If connections fail, try to deactivate this.
| **sniff_on_connection_fail**: The client can be configured to inspect the cluster state to get a list of nodes upon failure.
|                               Might cause problems on hosts with multiple interfaces. If connections fail, try to deactivate this.
| **query_interval_in_secs**: Query elasticsearch every x seconds. NOT YET IMPLEMENTED!

Configuration template:

::

    - input.ElasticSearch:
       query:                           #
       search_type:                     #
       batch_size:                      #
       field_mappings:                  #
       nodes:                           #
       read_timeout:                    #
       connection_type:                 #
       http_auth:                       #
       use_ssl:                         #
       index_name:                      #
       sniff_on_start:                  #
       sniff_on_connection_fail:        #
       query_interval_in_secs:          #
       receivers:
        - NextModule

File
----

Read data from files.

This module supports two modes:

- cat: Just cat existing files.
- tail: Follow changes in given files.

| **paths**: An array of paths to scan for files. Can also point to a file directly.
| **pattern**: Pattern the filenames need to match. E.g. '*.pdf', 'article*.xml' etc.
| **recursive**: If set to true, scan paths recursively, else only scan the current dir.
| **line_by_line**: If set to true, each line in a file will be emitted as a single event.
|                   If set to false, the whole file will be sent as a single event.
|                   Only relevant for cat mode.
| **separator**: Line separator.
| **mode**: Mode cat will just dump out the current content of a file, tail will follow file changes.
| **sincedb_path**: Path to a sqlite3 db file which stores the file position data since the last poll.
| **ignore_empty**: If True, ignore empty files.
| **ignore_truncate**: If True, ignore truncation of files.
| **sincedb_write_interval**: Number of seconds to pass between updates of the sincedb data.
| **start_position**: Where to start in the file when tailing.
| **stat_interval**: Number of seconds to pass before checking for file changes.
| **size_limit**: Set maximum file size for files to watch. Files exceeding this limit will be ignored. TODO!

Configuration template:

::

    - input.File:
       paths:                           #
       pattern:                         #
       recursive:                       #
       line_by_line:                    #
       separator:                       #
       mode:                            #
       sincedb_path:                    #
       ignore_empty:                    #
       ignore_truncate:                 #
       sincedb_write_interval:          #
       start_position:                  #
       stat_interval:                   #
       tail_lines:                      #
       size_limit:                      #
       multiline_regex_before:          #
       multiline_regex_after:           #
       encoding:                        #
       receivers:
        - NextModule

Kafka
-----

Simple kafka input.

Configuration template:

::

    - input.Kafka:
       topic:                           #
       brokers:                         #
       client_id:                       #
       group_id:                        #
       fetch_min_bytes:                 #
       auto_offset_reset:               #
       enable_auto_commit:              #
       auto_commit_interval_ms:         #
       consumer_timeout_ms:             #
       receivers:
        - NextModule

NmapScanner
-----------

Scan a network with nmap and emit the result as a new event.

Configuration template:

::

    - input.NmapScanner:
       network:                         #
       netmask:                         #
       ports:                           #
       arguments:                       #
       interval:                        #
       receivers:
        - NextModule

RedisChannel
------------

Subscribes to a redis channel and passes incoming events to receivers.

| **channel**: Name of the redis channel to subscribe to.
| **channel_pattern**: Channel pattern with wildcards (see: https://redis.io/commands/psubscribe) for channels to subscribe to.
| **server**: Redis server to connect to.
| **port**: Port the redis server is listening on.
| **db**: Redis db.
| **password**: Redis password.

Configuration template:

::

    - input.RedisChannel:
       channel:                         #
       channel_pattern:                 #
       server:                          #
       port:                            #
       db:                              #
       password:                        #
       receivers:
        - NextModule

RedisList
---------

Reads from redis lists and passes incoming events to receivers.

| **lists**: Names of the redis lists to read from.
| **server**: Redis server to connect to.
| **port**: Port the redis server is listening on.
| **batch_size**: Number of events to return from the redis list.
| **db**: Redis db.
| **password**: Redis password.
| **timeout**: Timeout in seconds.
Configuration template:

::

    - input.RedisList:
       lists:                           #
       server:                          #
       port:                            #
       batch_size:                      #
       db:                              #
       password:                        #
       timeout:                         #
       receivers:
        - NextModule

SQS
---

Read messages from the amazon sqs service.

| **aws_access_key_id**: Your AWS access key id.
| **aws_secret_access_key**: Your AWS secret access key.
| **region**: The region in which to find your sqs service.
| **queue**: Queue name.
| **attribute_names**: A list of attributes that need to be returned along with each message.
| **message_attribute_names**: A list of message attributes that need to be returned.
| **poll_interval_in_secs**: How often the queue should be checked for new messages.
| **batch_size**: Number of messages to retrieve in one call.

Configuration template:

::

    - input.SQS:
       aws_access_key_id:               #
       aws_secret_access_key:           #
       region:                          #
       queue:                           #
       attribute_names:                 #
       message_attribute_names:         #
       poll_interval_in_secs:           #
       batch_size:                      #
       receivers:
        - NextModule

Sniffer
-------

Sniff network traffic. Needs root privileges.

Reason for using pcapy as the sniffer lib: As GambolPutty is intended to be run with pypy, every module should be
compatible with pypy. Creating a raw socket in pypy is no problem, but it is (up to now) not possible to bind this
socket to a selected interface, e.g. socket.bind(('lo', 0)) will throw "error: unknown address family".
With pcapy this problem does not exist.

Dependencies:

- pcapy: pypy -m pip install pcapy

Configuration template:

::

    - input.Sniffer:
       interface:                       #
       packetfilter:                    #
       promiscous:                      #
       key_value_store:                 #
       receivers:
        - NextModule

Spam
----

Emits events as fast as possible.

Use this module to load test LumberMill. Also nice for testing your regexes.

The event field can either be a simple string. This string will be used to create a default lumbermill event dict.
If you want to provide more custom fields, you can provide a dictionary containing at least a "data" field that
holds your raw event string.

| **event**: Send custom event data. For single events, use a string or a dict.
|            If a string is provided, the contents will be put into the event's data field.
|            If a dict is provided, the event will be populated with the dict fields.
|            For multiple events, provide a list of strings or dicts.
| **sleep**: Time to wait between sending events.
| **events_count**: Only send the configured number of events. 0 means no limit.

Configuration template:

::

    - input.Spam:
       event:                           #
       sleep:                           #
       events_count:                    #
       receivers:
        - NextModule

StdIn
-----

Reads data from stdin and sends it to its output queues.

Configuration template:

::

    - input.StdIn:
       multiline:                       #
       stream_end_signal:               #
       receivers:
        - NextModule

Tcp
---

Reads data from a tcp socket and sends it to its outputs.

Should be the best choice performance-wise if you are on Linux and are running with multiple workers.

| **interface**: IP address to listen on.
| **port**: Port to listen on.
| **timeout**: Socket timeout in seconds.
| **tls**: Use TLS or not.
| **key**: Path to TLS key file.
| **cert**: Path to TLS cert file.
| **cacert**: Path to CA cert file.
| **tls_proto**: Set TLS protocol version.
| **mode**: Receive mode, line or stream.
| **simple_separator**: If mode is line, set the separator between lines.
| **regex_separator**: If mode is line, set the separator between lines. Here a regex can be used. The result includes the data that matches the regex.
| **chunksize**: If mode is stream, set the chunksize in bytes to read from the stream.
| **max_buffer_size**: Maximum size of the receive buffer in kilobytes.

Configuration template:

::

    - input.Tcp:
       interface:                       #
       port:                            #
       timeout:                         #
       tls:                             #
       key:                             #
       cert:                            #
       cacert:                          #
       tls_proto:                       #
       mode:                            #
       simple_separator:                #
       regex_separator:                 #
       chunksize:                       #
       max_buffer_size:                 #
       receivers:
        - NextModule

Udp
---

Reads data from a udp socket and sends it to its output queues.

| **interface**: IP address to listen on.
| **port**: Port to listen on.
| **timeout**: Socket timeout in seconds.
Configuration template:

::

    - input.Udp:
       interface:                       #
       port:                            #
       timeout:                         #
       receivers:
        - NextModule

UnixSocket
----------

Reads data from a unix socket and sends it to its output queues.

Configuration template:

::

    - input.UnixSocket:
       path_to_socket:                  #
       receivers:
        - NextModule

ZeroMQ
------

Read events from a ZeroMQ socket.

| **mode**: Whether to run a server or client.
| **address**: Address to connect to. Pattern: hostname:port. If mode is server, this sets the addresses to listen on.
| **pattern**: One of 'pull', 'sub'.
| **hwm**: High watermark for the sending/receiving socket.

Configuration template:

::

    - input.ZeroMQ:
       mode:                            #
       address:                         #
       pattern:                         #
       topic:                           #
       hwm:                             #
       receivers:
        - NextModule

ZmqTornado
----------

Read events from a ZeroMQ socket.

| **mode**: Whether to run a server or client.
| **address**: Address to connect to. Pattern: hostname:port. If mode is server, this sets the addresses to listen on.
| **pattern**: One of 'pull', 'sub'.
| **hwm**: High watermark for the sending/receiving socket.
| **separator**: When using the sub pattern, messages can have a topic. Set the separator to split the message from the topic.

Configuration template:

::

    - input.ZmqTornado:
       mode:                            #
       address:                         #
       pattern:                         #
       topic:                           #
       separator:                       #
       hwm:                             #
       receivers:
        - NextModule
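The ``field_mappings`` semantics of the ElasticSearch module above ('all', a list, or a dict with dot notation for nested fields) are easy to get wrong when a query returns hits that lack a field. The following is an added example, not LumberMill's own code: ``get_nested``, ``map_fields`` and the hit document are names and data constructed for this illustration, and a field missing from a hit is skipped rather than emitted as ``None``, which is this example's choice.

```python
"""Added example (not LumberMill code): how field_mappings maps one
Elasticsearch hit onto a new event, with dot notation for nested fields."""

# Constructed sample hit, shaped like one item of a search response.
SAMPLE_HIT = {
    "_index": "lumbermill-2016.01.01",
    "_id": "1",
    "_source": {
        "data": "Jan  1 00:00:01 bastion sshd[2044]: Failed password for root from 203.0.113.7",
        "host": {"name": "bastion-1"},
    },
}


def get_nested(doc, dotted_path):
    """Resolve 'a.b.c' against nested dicts; returns (found, value)."""
    node = doc
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def map_fields(doc, field_mappings):
    """Build the event dict to emit for one hit.

    'all' -> the whole document, unchanged
    list  -> copy the listed fields under their own (dotted) name
    dict  -> copy the fields, renaming source -> target
    Fields the hit does not carry are skipped, so downstream modules
    never see a key with a None value that the document never had.
    """
    if field_mappings == "all":
        return dict(doc)
    if isinstance(field_mappings, list):
        pairs = [(name, name) for name in field_mappings]
    elif isinstance(field_mappings, dict):
        pairs = list(field_mappings.items())
    else:
        raise ValueError("field_mappings must be 'all', a list or a dict")
    event = {}
    for source, target in pairs:
        found, value = get_nested(doc, source)
        if found:
            event[target] = value
    return event


if __name__ == "__main__":
    # The mapping from the option description: "_source.data" -> "data",
    # plus a nested rename so the host name lands in a flat "host" field.
    print(map_fields(SAMPLE_HIT, {"_source.data": "data", "_source.host.name": "host"}))
```

With a list, the copied key keeps its dotted source name ("_source.host.name"); with a dict you choose the target name, which is what you want before handing the event to a filter that expects a flat "data" field.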
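The File module's tail mode above depends on three things working together: the sincedb offset per file, ``start_position`` on first sight of a file, and truncation handling (``ignore_truncate``). The example below is added here and is not LumberMill's own code; ``Tailer``, ``poll`` and ``demo`` are names chosen for it, the sincedb is an in-memory dict instead of the module's sqlite3 file, and the log content is constructed.

```python
"""Added example (not LumberMill code): the offset bookkeeping behind
tail mode, including partial-line holdback and truncation detection."""
import os
import tempfile


class Tailer:
    def __init__(self, start_position="end", ignore_truncate=False):
        self.start_position = start_position    # "beginning" or "end"
        self.ignore_truncate = ignore_truncate
        self.sincedb = {}   # path -> byte offset just past the last complete line

    def poll(self, path):
        """Return the complete lines appended since the previous poll."""
        size = os.path.getsize(path)
        if path not in self.sincedb:
            # First sight of this file: honour start_position.
            self.sincedb[path] = size if self.start_position == "end" else 0
        offset = self.sincedb[path]
        if size < offset:
            # The file shrank: truncated in place (e.g. logrotate copytruncate).
            # Re-reading from a stale offset would skip everything written since,
            # so start over unless the operator asked to ignore truncation.
            if self.ignore_truncate:
                return []
            offset = 0
        with open(path, "rb") as fh:
            fh.seek(offset)
            chunk = fh.read()
        lines = chunk.split(b"\n")
        tail = lines.pop()   # unterminated last line: hold it back for the next poll
        self.sincedb[path] = offset + len(chunk) - len(tail)
        return [line.decode("utf-8", "replace") for line in lines]


def demo():
    """Drive the tailer over a constructed log file; returns the four poll results."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        with open(path, "w") as fh:
            fh.write("old line 1\nold line 2\n")
        t = Tailer(start_position="end")
        first = t.poll(path)                  # nothing: we started at the end
        with open(path, "a") as fh:
            fh.write("new line 3\npartial")
        second = t.poll(path)                 # one line; "partial" is held back
        with open(path, "a") as fh:
            fh.write(" line 4\n")
        third = t.poll(path)                  # the completed "partial line 4"
        with open(path, "w") as fh:           # truncate and rewrite
            fh.write("after truncate\n")
        fourth = t.poll(path)                 # re-read from offset 0
        return first, second, third, fourth


if __name__ == "__main__":
    print(demo())
```

Size-based truncation detection has a blind spot: if the file is truncated and then refilled past the stored offset before the next poll, the shrink is never observed and the lines in between are lost. That is why ``stat_interval`` should be short relative to the write rate on logs you care about for forensics.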
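The Tcp module's line mode above splits a byte stream on ``simple_separator`` or ``regex_separator``, and ``max_buffer_size`` is what stops a peer that never sends a separator from growing the receive buffer without bound. The following is an added example and not LumberMill's own code: ``LineFramer``, ``feed``, ``BufferLimitExceeded`` and ``demo`` are names chosen here, the sample stream is constructed, and the choice to keep the regex match attached to the end of the record it terminates is this example's reading of "the result includes the data that matches the regex".

```python
"""Added example (not LumberMill code): line-mode framing over a TCP byte
stream with a bounded receive buffer."""
import re


class BufferLimitExceeded(Exception):
    """A peer kept sending bytes without ever completing a record."""


class LineFramer:
    def __init__(self, simple_separator=b"\n", regex_separator=None, max_buffer_size=1):
        self.simple = simple_separator
        self.regex = re.compile(regex_separator) if regex_separator else None
        self.limit = max_buffer_size * 1024   # the option is given in kilobytes
        self.buf = b""

    def feed(self, data):
        """Add bytes read from the socket; return the complete records found."""
        self.buf += data
        records = []
        if self.regex is None:
            parts = self.buf.split(self.simple)
            self.buf = parts.pop()            # unterminated tail, kept for later
            records = parts
        else:
            end = 0
            for m in self.regex.finditer(self.buf):
                records.append(self.buf[end:m.end()])   # match stays with the record
                end = m.end()
            self.buf = self.buf[end:]
        if len(self.buf) > self.limit:
            # Bound the memory a single connection can pin: drop the fragment and
            # signal the caller, which should close the connection.
            self.buf = b""
            raise BufferLimitExceeded("unterminated record exceeds %d bytes" % self.limit)
        return [r.decode("utf-8", "replace") for r in records if r]


def demo():
    """Run the framer over constructed input; returns what the caller would see."""
    framer = LineFramer(simple_separator=b"\n", max_buffer_size=1)
    # Two syslog-style lines arriving in two TCP segments (constructed sample).
    lines = framer.feed(b"<34>Jan  1 00:00:01 bastion sshd[2044]: Failed password for root\n"
                        b"<34>Jan  1 00:00:02 bast")
    lines += framer.feed(b"ion sshd[2044]: Connection closed by 203.0.113.7\n")

    # regex_separator for mixed line endings; the matched separator is kept.
    crlf = LineFramer(regex_separator=rb"\r?\n")
    mixed = crlf.feed(b"first\r\nsecond\nthird")

    # A peer that never sends a separator is cut off once 1 KB is buffered.
    try:
        framer.feed(b"A" * 2048)
        overflowed = False
    except BufferLimitExceeded:
        overflowed = True
    return lines, mixed, overflowed


if __name__ == "__main__":
    print(demo())
```

The limit is checked on the unterminated remainder after complete records have been extracted, so a burst of many short lines in one read does not trip it, while a single record that never terminates does. Set ``max_buffer_size`` to the largest legitimate record you expect, not to a generous default.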