Humio^™ > Integrations > Data Shippers > Elastic Beats

Humio & Elastic Beats

The OSS Elastic Beats are a great group of data shippers. They are cross-platform, lightweight, and can ship data to a number of tools including Humio as long as you stick to the OSS builds.

All Beats are built using the libbeat library. Along with the official Beats, there are a growing number of community Beats.

Available Beats

Starting from version 6.7.0 of the libbeat only the OSS versions can ship to Humio. The non-OSS Beats check that the server is a licensed elastic server due to this change to the beats client library: “Check license x-pack”

There are currently five official Beats. The Elastic documentation site and Humio’s documentation offer resources that describe how to use each of them.

Filebeat — Ships regular log files
- Get Started
- Humio’s Filebeat documentation
Metricbeat — Ships metrics from your OS and common services
- Get Started
- Humio’s Metricbeat documentation
Packetbeat — Analyzes network packets and common protocols like HTTP
- Get Started
Winlogbeat — Ships Windows event logs
- Get Started
- Humio’s Filebeat documentation
Heartbeat — Checks system status and availability
- Get Started

General Output Configuration

All Beats are built using the libbeat library and share output configuration. Humio supports parts of the ElasticSearch ingest API, so to send data from Beats to Humio, you use the ElasticSearch output (the documentation is identical for all Beats).

You can use the following elasticsearch output configuration template:

output:
  elasticsearch:
    hosts: ["$BASEURL/api/v1/ingest/elastic-bulk"]
    username: any-organization
    password: $INGEST_TOKEN

Where:

$BASEURL — is the base URL of your Humio server https://cloud.humio.com:443 or http://localhost:8080
$INGEST_TOKEN — is the ingest token for your repository (a string such as fS6Kdlb0clqe0UwPcc4slvNFP3Qn1COzG9DEVLw7v0Ii).

To optimize performance for the data volumes you want to send, and to keep shipping latency down, change the default settings for compression_level, worker, bulk_max_size and flush_interval. Don’t raise bulk_max_size much: 100 – 300 is the appropriate range. While doing so may increase throughput of ingest it has a negative impact on search performance of the resulting events in Humio.

Adding fields

All Beats also have a fields section in their configuration. You can add fields to all events by specifying them in the fields section:

fields:
    service: user-service
    datacenter: dc-a

Fields can be turned into tags by including a @tags field that lists the names of fields to turn into tags. This applies to fields both from the fields sections and from the events being shipped. Refer to datasources for information on tags.

Ingesting to multiple repos using a single ingest token

If the Humio configuration variable ALLOW_CHANGE_REPO_ON_EVENTS=true is set, then Humio allows ingest to any repository specified as #repo = <repository-name> in the tags of an event, as long as the ingest token is valid for any existing repository on the humio server. The #repo can also be set by the parser for the same effect as if the value was provided by the original shipper. If the named repo does not exist then the event remains in the repo designated by the ingest token.

This is a potential security issue on a public API endpoint, so this option should only be used inside a trusted environment. For the same reason this feature is not enabled on cloud.humio.com.