Skip to main content

Output Configuration


The output section of filebeat.yml defines where collected events are sent. The 262COS configuration forwards all events to the DIP Logstash pipeline on port 5045/TCP.


Logstash Output​

output.logstash:
hosts: ["<DIP_EXTERNAL_IP>:5045"]
ssl.enabled: true
ssl.verification_mode: "none"

Replace <DIP_EXTERNAL_IP> with the DIP's external IP address for the mission network.

TFPlenum Configs

If the filebeat.yml came from a TFPlenum package built on a DIP configured IAW 262COS-DIP-SOP-001, the output is already configured to point to the correct DIP External IP. No changes to the output section should be needed.

If Using a Vanilla CVA/H DIP

On a DIP not built with 262COS-DIP-SOP-001, uncomment the certificate lines:

output.logstash:
hosts: ["<DIP_EXTERNAL_IP>:5045"]
ssl.certificate_authorities: ["${path.home}/ca.crt"]
ssl.certificate: "${path.home}/tls.crt"
ssl.key: "${path.home}/tls.key"
ssl.enabled: true
ssl.verification_mode: "none"

Why SSL Certificate Files Are Omitted​

The 262COS base config intentionally omits ssl.certificate_authorities, ssl.certificate, and ssl.key. If the DIP is rebuilt, new TLS certificates are generated β€” agents pinned to the old cert files will fail to reconnect. Using ssl.verification_mode: "none" maintains encrypted transport without cert pinning, surviving DIP rebuilds without requiring agent reconfiguration.


Logstash Load Balancing​

When multiple Logstash instances are available (e.g., a DIP with multiple pipelines), Filebeat can load balance across them:

output.logstash:
hosts:
- "<DIP_EXTERNAL_IP_1>:5045"
- "<DIP_EXTERNAL_IP_2>:5045"
loadbalance: true
ssl.enabled: true
ssl.verification_mode: "none"

Logging Configuration​

logging.to_files: true
logging.files:
path: /var/log/filebeat
name: filebeat
keepfiles: 7
logging.level: info

Use logging.level: debug temporarily when troubleshooting collection issues. Revert to info for normal operations.