MCPcopy Index your code
hub / github.com/elastic/beats

github.com/elastic/beats @v9.4.3

repository ↗ · DeepWiki ↗ · release v9.4.3 ↗ · Ask this repo → · + Follow
31,822 symbols 160,286 edges 4,934 files 11,638 documented · 37% 1 cross-repo links updated 1d agov8.19.18 · 2026-06-30★ 12,635797 open issues
README

Go Report Card Reviewed by Hound

Beats - The Lightweight Shippers of the Elastic Stack

The Beats are lightweight data shippers, written in Go, that you install on your servers to capture all sorts of operational data (think of logs, metrics, or network packet data). The Beats send the operational data to Elasticsearch, either directly or via Logstash, so it can be visualized with Kibana.

By "lightweight", we mean that Beats have a small installation footprint, use limited system resources, and have no runtime dependencies.

This repository contains libbeat, our Go framework for creating Beats, and all the officially supported Beats:

Beat Description
Auditbeat Collect your Linux audit framework data and monitor the integrity of your files.
Filebeat Tails and ships log files
Heartbeat Ping remote services for availability
Metricbeat Fetches sets of metrics from the operating system and services
Packetbeat Monitors the network and applications by sniffing packets
Winlogbeat Fetches and ships Windows Event logs
Osquerybeat Runs Osquery and manages interaction with it.

In addition to the above Beats, which are officially supported by Elastic, the community has created a set of other Beats that make use of libbeat but live outside of this Github repository. We maintain a list of community Beats here.

Documentation and Getting Started

You can find the documentation and getting started guides for each of the Beats on the elastic.co site:

Documentation and Getting Started information for the Elastic Agent

You can find the documentation and getting started guides for the Elastic Agent on the elastic.co site

Getting Help

If you need help or hit an issue, please start by opening a topic on our discuss forums. Please note that we reserve GitHub tickets for confirmed bugs and enhancement requests.

Downloads

You can download pre-compiled Beats binaries, as well as packages for the supported platforms, from this page.

Contributing

We'd love working with you! You can help make the Beats better in many ways: report issues, help us reproduce issues, fix bugs, add functionality, or even create your own Beat.

Please start by reading our CONTRIBUTING file.

AI Coding Agents

Repository instructions for AI coding agents are in AGENTS.md. To use it, copy it to the agent-specific filename: CLAUDE.md, GEMINI.md, and similar files, which are ignored by Git.

Building Beats from the Source

See our CONTRIBUTING file for information about setting up your dev environment to build Beats from the source.

Snapshots

For testing purposes, we generate snapshot builds that you can find here. Please be aware that these are built on top of main and are not meant for production.

CI

PR Comments

It is possible to trigger some jobs by putting a comment on a GitHub PR. (This service is only available for users affiliated with Elastic and not for open-source contributors.)

PR Labels

It's possible to configure the build on a GitHub PR by labeling the PR with certain labels. Elastic users can find more details at https://docs.elastic.dev/ingest-dev-docs/beats/beats-ci.

Extension points exported contracts — how you extend this code

MetricOption (Interface)
MetricOption adds settings to Metric objects behavior [21 implementers]
metricbeat/helper/prometheus/metric.go
Closer (Interface)
Closer is an optional interface that a MetricSet can implement in order to cleanup any resources it has open at shutdown [271 …
metricbeat/mb/mb.go
PluginCloser (Interface)
PluginCloser is an optional interface that protocol plugins can implement to release resources (e.g. stop cache janitor [271 …
packetbeat/protos/protos.go
Outlet (Interface)
Outlet interface is used for forwarding events [11 implementers]
filebeat/harvester/forwarder.go
Network (Interface)
Network interface implemented by TCP and UDP input source. [69 implementers]
filebeat/inputsource/network.go
Connector (Interface)
Connector creates an Outlet connecting the event publishing with some internal pipeline. type Connector func(*conf.C, *m [22 …
filebeat/channel/interface.go
InputManager (Interface)
InputManager creates and maintains actions and background processes for an input type. The InputManager is used to creat [19 …
filebeat/input/v2/input.go
ValuesMap (Interface)
ValuesMap provides a common interface to read matchers for condition checking [19 implementers]
libbeat/conditions/conditions.go

Core symbols most depended-on inside this repo

Equal
called by 6796
x-pack/filebeat/input/entityanalytics/provider/jamf/internal/jamf/jamf.go
Errorf
called by 4369
libbeat/publisher/pipeline/logger.go
Errorf
called by 3099
x-pack/auditbeat/module/system/socket/helper/types.go
Fatalf
called by 1802
x-pack/osquerybeat/ext/osquery-extension/pkg/logger/glog.go
Join
called by 1753
metricbeat/internal/sysinit/module.go
Error
called by 1711
metricbeat/mb/mb.go
Fatal
called by 1581
libbeat/esleg/eslegtest/util.go
New
called by 1574
packetbeat/protos/cassandra/internal/gocql/marshal.go

Shape

Function 15,254
Method 10,971
Struct 4,274
TypeAlias 468
Interface 414
FuncType 236
Class 195
Route 10

Languages

Go96%
Python4%
TypeScript1%
Java1%

Modules by API surface

x-pack/libbeat/common/cloudfoundry/events.go132 symbols
x-pack/auditbeat/module/system/socket/events.go93 symbols
auditbeat/module/file_integrity/schema/Hash.go87 symbols
x-pack/filebeat/input/awss3/mock_interfaces_test.go72 symbols
x-pack/auditbeat/tests/system/test_system_socket.py72 symbols
filebeat/input/filestream/prospector_test.go71 symbols
x-pack/auditbeat/module/system/socket/state.go70 symbols
x-pack/osquerybeat/ext/osquery-extension/cmd/gentables/main.go68 symbols
libbeat/tests/integration/framework.go65 symbols
metricbeat/mb/mb.go63 symbols
packetbeat/protos/http/http_test.go62 symbols
x-pack/dockerlogbeat/logdriver/entry.pb.go61 symbols

Used by 1 indexed graphs manifest dependencies, hub-wide

Dependencies from manifests, versioned

al.essio.dev/pkg/shellescapev1.5.1 · 1×
aqwari.net/xmlv0.0.0-2021033102330 · 1×
cel.dev/exprv0.25.1 · 1×
cloud.google.com/gov0.123.0 · 1×
cloud.google.com/go/auth/oauth2adaptv0.2.8 · 1×
cloud.google.com/go/bigqueryv1.75.0 · 1×
cloud.google.com/go/computev1.57.0 · 1×
cloud.google.com/go/compute/metadatav0.9.0 · 1×
cloud.google.com/go/longrunningv0.9.0 · 1×
cloud.google.com/go/monitoringv1.24.3 · 1×

Datastores touched

(mongodb)Database · 1 repos
mydbDatabase · 1 repos
adminDatabase · 1 repos
(mysql)Database · 1 repos
mydbDatabase · 1 repos
dbnameDatabase · 1 repos
stuffDatabase · 1 repos
localDatabase · 1 repos

For agents

$ claude mcp add beats \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact