Overview
The Elastic output will stream analytics and insights to your Elasticsearch environment.
Before you begin
We recommend that you review and complete the steps listed in the Configure Elastic Index for the Agent document.
- This process will help you prepare your Elasticsearch environment to become an Edge Delta streaming target.
Review Sample Configuration
The following sample configuration displays an output without the name of the organization-level integration:
- name: elastic-cloud
  type: elastic
  index: "index name"
  cloud_id: "<ADD ELASTICSEARCH CLOUD_ID>"
  token: "<ADD ELASTICSEARCH TOKEN>"
  features: metric,cluster,context
- name: elastic-local
  type: elastic
  index: "index name"
  user: elastic
  password: '{{ Env "TEST_ELASTIC_PWD" }}'
  address:
    - elasticnode1
- name: elastic-send-as-is
  type: elastic
  index: "index name"
  user: elastic
  password: '{{ Env "TEST_ELASTIC_PWD" }}'
  address:
    - elasticnode1
  features: edac
  send_as_is: true
  edac_enrichment:
    edac_id_field: "edac_id"
    metric_name_field: "name"
- name: elastic-opensearch-with-rolearn
  type: elastic
  index: "index name"
  region: "us-west-2"
  role_arn: "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"
  external_id: "external_id"
  address:
    - opensearch_domain_endpoint
  custom_tags:
    "app": "test"
    "region": "us-west-2"
    "File Path": "{{.FileGlobPath}}"
    "K8s PodName": "{{.K8sPodName}}"
    "K8s Namespace": "{{.K8sNamespace}}"
    "K8s ControllerKind": "{{.K8sControllerKind}}"
    "K8s ContainerName": "{{.K8sContainerName}}"
    "K8s ContainerImage": "{{.K8sContainerImage}}"
    "K8s ControllerLogicalName": "{{.K8sControllerLogicalName}}"
    "ECSCluster": "{{.ECSCluster}}"
    "ECSContainerName": "{{.ECSContainerName}}"
    "ECSTaskVersion": "{{.ECSTaskVersion}}"
    "ECSTaskFamily": "{{.ECSTaskFamily}}"
    "DockerContainerName": "{{.DockerContainerName}}"
    "ConfigID": "{{.ConfigID}}"
    "Host": "{{.Host}}"
    "Source": "{{.Source}}"
    "SourceType": "{{.SourceType}}"
    "Tag": "{{.Tag}}"
    "logical_source": '{{ index .CustomTags "logicalSource" }}'
    "url": '{{ index .ObservationTags "url" }}'
    "cluster": '{{ index .ObservationTags "cluster" }}'
- name: elastic-opensearch
  type: elastic
  index: "index name"
  region: "us-west-2"
  address:
    - opensearch_domain_endpoint
- name: elastic-apm
  type: elastic
  index: "index name"
  user: elastic
  password: '{{ Env "TEST_ELASTIC_PWD" }}'
  address:
    - elasticnode1
  features: log
  apm_server_url: http://localhost:8200
  apm_token: test-token
Review Parameters
Review the following parameters that you can configure in the Edge Delta App.
name
Required
Enter a descriptive name for the output or integration.
For outputs, this name will be used to map this destination to a workflow.
Review the following example:
name: elastic-cloud
integration_name
Optional
This parameter refers to the organization-level integration created in the Integrations page.
If you need to add multiple instances of the same integration into the config, then you can add a custom name to each instance via the name parameter. In this situation, the name should be used to refer to the specific instance of the destination in the workflows.
Review the following example:
integration_name: orgs-elastic
type
Required
Enter elastic.
Review the following example:
type: elastic
index
Optional
Enter the name of the Elastic index (or index template) where Edge Delta should stream the data.
Review the following example:
index: "index name"
cloud_id
Optional
Enter the cloud ID of the Elasticsearch backend.
You must enter a Cloud ID or an Address.
Review the following example:
cloud_id: "<ADD ELASTICSEARCH CLOUD_ID>"
user
Optional
Enter the username of the Elasticsearch credentials.
Note
For authentication, you must provide either a token or a user/password.
You cannot enter both parameters.
Review the following example:
user: elastic
password
Optional
Enter the password for the connecting user.
Note
For authentication, you must provide either a token or a user/password.
You cannot enter both parameters.
Review the following example:
password: '{{ Env "TEST_ELASTIC_PWD" }}'
token
Optional
Enter the Elasticsearch API key.
Note
For authentication, you must provide either a token or a user/password.
You cannot enter both parameters.
Review the following example:
token: "<ADD ELASTICSEARCH TOKEN>"
address
Optional
Enter the address list of the Elasticsearch backend.
You must enter a Cloud ID or an Address.
To locate your Elasticsearch URL, review these forum topics from Elasticsearch:
Review the following example:
address:
  - opensearch_domain_endpoint
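The endpoint rule (cloud_id or address) and the authentication rule (token or user/password, never both) above are easy to get wrong when an output is edited by hand. The following validator is an added example, not part of Edge Delta's agent or this page; it assumes the output entry has already been parsed from YAML into a dict, and it treats a region-only entry as valid because the OpenSearch samples on this page carry no token or user/password (an inference from the samples, not a rule the page states):

```python
from typing import Any

PLACEHOLDER_PREFIX = "<"  # the page's samples mark values to fill in as "<ADD ...>"

def validate_elastic_output(out: dict[str, Any]) -> list[str]:
    """Return the rule violations for one output entry (empty list when it is valid)."""
    name = out.get("name", "<unnamed>")
    problems: list[str] = []
    if out.get("type") != "elastic":
        problems.append(f"{name}: type must be elastic")
    # Endpoint rule from the page: a Cloud ID or an address list is required.
    if not out.get("cloud_id") and not out.get("address"):
        problems.append(f"{name}: enter either cloud_id or address")
    # Authentication rule from the page: token or user/password, never both.
    # The OpenSearch samples carry only region/role_arn, so a region is accepted
    # as a third option here (an assumption drawn from the samples).
    has_token = bool(out.get("token"))
    has_basic = bool(out.get("user")) or bool(out.get("password"))
    if has_token and has_basic:
        problems.append(f"{name}: token and user/password cannot both be set")
    if not (has_token or has_basic or out.get("region")):
        problems.append(f"{name}: provide a token, a user/password pair, or a region")
    if bool(out.get("user")) != bool(out.get("password")):
        problems.append(f"{name}: user and password must be set together")
    # Secret hygiene: the page's samples read the password via '{{ Env "..." }}'.
    for key in ("password", "token"):
        value = out.get(key)
        if not value:
            continue
        if str(value).startswith(PLACEHOLDER_PREFIX):
            problems.append(f"{name}: {key} is an unfilled placeholder")
        elif "{{" not in str(value):
            problems.append(f'{name}: {key} is a literal secret; use {{{{ Env "VAR" }}}}')
    # The page notes that a missing apm_token means anonymous APM authentication.
    if out.get("apm_server_url") and not out.get("apm_token"):
        problems.append(f"{name}: apm_server_url without apm_token uses anonymous auth")
    return problems

# Constructed entries mirroring the page's sample configuration (YAML parsed into dicts).
ELASTIC_LOCAL = {"name": "elastic-local", "type": "elastic", "index": "index name",
                 "user": "elastic", "password": '{{ Env "TEST_ELASTIC_PWD" }}',
                 "address": ["elasticnode1"]}
ELASTIC_CLOUD = {"name": "elastic-cloud", "type": "elastic", "index": "index name",
                 "cloud_id": "<ADD ELASTICSEARCH CLOUD_ID>", "token": "<ADD ELASTICSEARCH TOKEN>"}
BAD_ENTRY = {"name": "bad", "type": "elastic", "token": "abc123", "user": "elastic"}

if __name__ == "__main__":
    for entry in (ELASTIC_LOCAL, ELASTIC_CLOUD, BAD_ENTRY):
        print(entry["name"], validate_elastic_output(entry) or "ok")
```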
region
Optional
Enter the AWS region destination to send logs.
Review the following example:
region: "us-west-2"
role_arn
Optional
To assume an AWS IAM role, enter the role ARN containing the account ID and role name.
Review the following example:
role_arn: "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"
external_id
Optional
Enter a unique identifier to avoid a confused deputy attack.
- To learn more about confused deputy attacks, review this document from AWS.
Review the following example:
external_id: "external_id"
send_as_json
Optional
Enter true or false to enable or disable this feature.
If you enter true, then Edge Delta will send logs without a defined JSON object wrapping. In other words, no metadata will be attached.
The configured index should handle the mapping of the fields in the JSON log.
Review the following example:
send_as_json: true
apm_server_url
Optional
This parameter only applies if you are using an Elastic APM tracer.
- Specifically, this parameter enables forwarding to the Elastic APM server at the given URL.
Review the following example:
apm_server_url: http://localhost:8200
apm_token
Optional
This parameter only applies if you are using an Elastic APM tracer.
- Specifically, this parameter supplies the token used together with apm_server_url when forwarding to the Elastic APM server.
- If you do not specify a token, then anonymous authentication will be used.
Review the following example:
apm_token: test-token
edac_enrichment: edac_id_field
Optional
Enter a field name to display in the final JSON object. The EDAC's ID will display as a value.
Review the following example:
edac_enrichment:
  edac_id_field: "edac_id"
edac_enrichment: metric_name_field
Optional
Enter a field name to display in the final JSON object. The EDAC's metric name will display as a value.
Review the following example:
edac_enrichment:
  metric_name_field: "name"
custom_tags
Optional
This parameter defines key-value pairs that are streamed with every request.
Review the following example:
custom_tags:
  "app": "test"
  "region": "us-west-2"
  "File Path": "{{.FileGlobPath}}"
  "K8s PodName": "{{.K8sPodName}}"
  "K8s Namespace": "{{.K8sNamespace}}"
  "K8s ControllerKind": "{{.K8sControllerKind}}"
  "K8s ContainerName": "{{.K8sContainerName}}"
  "K8s ContainerImage": "{{.K8sContainerImage}}"
  "K8s ControllerLogicalName": "{{.K8sControllerLogicalName}}"
  "ECSCluster": "{{.ECSCluster}}"
  "ECSContainerName": "{{.ECSContainerName}}"
  "ECSTaskVersion": "{{.ECSTaskVersion}}"
  "ECSTaskFamily": "{{.ECSTaskFamily}}"
  "DockerContainerName": "{{.DockerContainerName}}"
  "ConfigID": "{{.ConfigID}}"
  "Host": "{{.Host}}"
  "Source": "{{.Source}}"
  "SourceType": "{{.SourceType}}"
  "Tag": "{{.Tag}}"
  "logical_source": '{{ index .CustomTags "logicalSource" }}'
  "url": '{{ index .ObservationTags "url" }}'
  "cluster": '{{ index .ObservationTags "cluster" }}'
features
Optional
This parameter defines which data types to stream to the destination.
To learn more, review the Review Feature Types section in Stream Outputs and Integrations Overview.
Review the following example:
features: metric,cluster,context
buffer_ttl
Optional
Enter the length of time for which failed streaming data is retried.
After this length of time has elapsed, the failed streaming data is no longer retried.
Review the following example:
buffer_ttl: 2h
buffer_path
Optional
Enter a folder path in which to temporarily store failed streaming data.
The failed streaming data is retried until it reaches its destination or until the Buffer TTL value is reached.
If you enter a path that does not exist, then the agent creates the directories as needed.
Review the following example:
buffer_path: /var/log/edgedelta/pushbuffer/
buffer_max_bytesize
Optional
Enter the maximum size of failed streaming data that you want to retry.
If the failed streaming data is larger than this size, then it is not retried.
Review the following example:
buffer_max_bytesize: 100MB
Related Documentation
To learn how to set up an elastic index that works with the Edge Delta agent, see Configure an Elastic Index for the Agent.