The OSS Elastic Beats are a great group of data shippers. They are cross-platform, lightweight, and can ship data to a number of tools including Humio as long as you stick to the OSS builds.
Starting from version 6.7.0 of the libbeat only the OSS versions can ship to Humio. The non-OSS beats check that the server is a licensed elastic server due to this change to the beats client library: “Check license x-pack”
There are currently five official Beats. The Elastic documentation site and Humio’s documentation offer resources that describe how to use each of them.
Filebeat - Ships regular log files.
Metricbeat - Ships metrics from your OS and common services.
Packetbeat - Analyzes network packets and common protocols like HTTP
Winlogbeat - Ships Windows event logs
Heartbeat - Checks system status and availability
In addition, the Elastic community has created many other Beats that you can download and use.
These Community Beats cover many less common use cases.
All beats are built using the libbeat library and share output configuration. Humio supports parts of the ElasticSearch ingest API, so to send data from Beats to Humio, you just use the ElasticSearch output (the documentation is identical for all Beats).
You can use the following
elasticsearch output configuration template:
output: elasticsearch: hosts: ["$BASEURL/api/v1/ingest/elastic-bulk"] username: $INGEST_TOKEN
$BASEURL- is the base URL of your Humio server (e.g.
$INGEST_TOKEN- is the ingest token for your repository, (e.g. a string such as
To optimize performance for the data volumes you want to send, and to keep shipping latency down, change the default settings for
All Beats also have a
fields section in their configuration. You can add fields to all events by specifying them in the
fields: service: user-service datacenter: dc-a
If the Humio configuration variable
is set, then Humio allows ingest to any repository specified as
= <repository-name> in the tags of an event, as long as the ingest
token is valid for any existing repository on the humio server. The
#repo can also be set by the parser for the same effect as if the
value was provided by the original shipper. If the named repo does not
exist then the event remains in the repo designated by the ingest
This is a potential security issue on a public API endpoint, so this option should only be used inside a trusted environment. For the same reason this feature is not enabled on cloud.humio.com.