NOTE: The integration with Filebeat requires Manticore Buddy. If it doesn't work, make sure Buddy is installed.

Filebeat is a lightweight shipper for forwarding and centralizing log data. Once installed as an agent, it monitors the log files or locations you specify, collects log events, and forwards them for indexing, usually to Elasticsearch or Logstash.

Now, Manticore also supports the use of Filebeat as processing pipelines. This allows the collected and transformed data to be sent to Manticore just like to Elasticsearch. Currently, versions 7.17-9.2 are supported.

Configuration varies depending on which version of Filebeat you're using.

Important: Filebeat versions 7.17.0, 8.0.0, and 8.1.0 have a known issue with glibc 2.35+ (used in Ubuntu 22.04 and newer distributions). These versions may crash with "Fatal glibc error: rseq registration failed". To fix this, add the seccomp configuration as shown below.

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/dpkg.log
  close_eof: true
  scan_frequency: 1s
output.elasticsearch:
  hosts: ["http://localhost:9308"]
  index: "dpkg_log"
  compression_level: 0
  allow_older_versions: true  # Required for 8.1
# Fix for glibc 2.35+ compatibility (Ubuntu 22.04+)
seccomp:
  default_action: allow
  syscalls:
    - action: allow
      names:
        - rseq
setup.ilm.enabled: false
setup.template.enabled: false
setup.template.name: "dpkg_log"
setup.template.pattern: "dpkg_log"

References: Issue #30576, PR #30620

For versions 8.1 through 8.10, you need to add the allow_older_versions option:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/dpkg.log
  close_eof: true
  scan_frequency: 1s
output.elasticsearch:
  hosts: ["http://localhost:9308"]
  index: "dpkg_log"
  compression_level: 0
  allow_older_versions: true
setup.ilm.enabled: false
setup.template.enabled: false
setup.template.name: "dpkg_log"
setup.template.pattern: "dpkg_log"

From version 8.11, output compression is enabled by default, so you must explicitly set compression_level: 0 for compatibility with Manticore:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/dpkg.log
  close_eof: true
  scan_frequency: 1s
output.elasticsearch:
  hosts: ["http://localhost:9308"]
  index: "dpkg_log"
  compression_level: 0
  allow_older_versions: true
setup.ilm.enabled: false
setup.template.enabled: false
setup.template.name: "dpkg_log"
setup.template.pattern: "dpkg_log"

Filebeat 9.0 introduces a major architecture change, replacing the log input type with filestream. Starting from version 9.0, the default file identification method also changed to fingerprint, which requires files to be at least 1024 bytes (see issue #44780). For Manticore compatibility with files of any size, you must disable fingerprinting.

Here's the required configuration for Filebeat 9.0 and all later versions:

filebeat.inputs:
- type: filestream
  id: dpkg-log-input
  enabled: true
  paths:
    - /var/log/dpkg.log
  prospector.scanner.check_interval: 1s
  prospector.scanner.fingerprint.enabled: false
output.elasticsearch:
  hosts: ["http://localhost:9308"]
  index: "dpkg_log"
  compression_level: 0
  allow_older_versions: true
setup.ilm.enabled: false
setup.template.enabled: false
setup.template.name: "dpkg_log"
setup.template.pattern: "dpkg_log"

Important notes for Filebeat 9.0+:

• The type: filestream input replaces the older type: log
• The prospector.scanner.fingerprint.enabled: false setting is required to disable fingerprint-based file identification, ensuring reliable processing of files smaller than 1024 bytes
• The id field is required for filestream inputs and must be unique

Once you run Filebeat with this configuration, log data will be sent to Manticore and properly indexed. Here is the resulting schema of the table created by Manticore and an example of the inserted document:

mysql> DESCRIBE dpkg_log;
+------------------+--------+--------------------+
| Field            | Type   | Properties         |
+------------------+--------+--------------------+
| id               | bigint |                    |
| @timestamp       | text   | indexed stored     |
| message          | text   | indexed stored     |
| log              | json   |                    |
| input            | json   |                    |
| ecs              | json   |                    |
| host             | json   |                    |
| agent            | json   |                    |
+------------------+--------+--------------------+

mysql> SELECT * FROM dpkg_log LIMIT 1\G
*************************** 1. row ***************************
id: 7280000849080753116
@timestamp: 2023-06-16T09:27:38.792Z
message: 2023-04-12 02:06:08 status half-installed libhogweed5:amd64 3.5.1+really3.5.1-2
input: {"type":"filestream"}
ecs: {"version":"1.6.0"}
host: {"name":"logstash-db848f65f-lnlf9"}
agent: {"ephemeral_id":"587c2ebc-e7e2-4e27-b772-19c611115996","id":"2e3d985b-3610-4b8b-aa3b-2e45804edd2c","name":"logstash-db848f65f-lnlf9","type":"filebeat","version":"7.10.0","hostname":"logstash-db848f65f-lnlf9"}
log: {"offset":80,"file":{"path":"/var/log/dpkg.log"}}

NOTE: The integration with Fluent Bit requires Manticore Buddy. If it doesn't work, make sure Buddy is installed.

Fluent Bit is an open source, cross-platform log processor that can aggregate data from many sources and ship it to multiple destinations. You can feed Fluent Bit outputs directly into Manticore to make the collected data searchable in real time.

The following walkthrough indexes Debian's dpkg.log with Fluent Bit and Manticore.

2023-05-31 10:42:55 status triggers-awaited ca-certificates-java:all 20190405ubuntu1.1
2023-05-31 10:42:55 trigproc libc-bin:amd64 2.31-0ubuntu9.9 <none>
2023-05-31 10:42:55 status half-configured libc-bin:amd64 2.31-0ubuntu9.9
2023-05-31 10:42:55 status installed libc-bin:amd64 2.31-0ubuntu9.9
2023-05-31 10:42:55 trigproc systemd:amd64 245.4-4ubuntu3.21 <none>

Create a configuration file such as fluent-bit.conf:

[SERVICE]
    flush        1
    daemon       On
    log_level    info
[INPUT]
    name tail
    path /var/log/dpkg.log
    inotify_watcher false
    read_from_head true
[OUTPUT]
    name es
    match *
    host 127.0.0.1
    port 9308
    index dpkg_log

• The [SERVICE] block starts Fluent Bit in daemon mode, which is convenient for Docker-based setups. Disable the daemon flag if you want to run it in the foreground.
• inotify_watcher is turned off to avoid file notification limitations inside containers.
• The output plugin (name es) can talk to Manticore's HTTP endpoint on port 9308.
• index defines the automatic table name Manticore creates when the first batch arrives.

Run Fluent Bit with this configuration and it will tail dpkg.log, then forward each line to Manticore.

Store the configuration as fluent-bit.conf, then launch Fluent Bit:

fluent-bit -c fluent-bit.conf

To run it in Docker, mount the log file (read-only) and the configuration:

docker run --rm -v /var/log/dpkg.log:/var/log/dpkg.log:ro \
  -v $(pwd)/fluent-bit.conf:/fluent-bit/etc/fluent-bit.conf:ro \
  fluent/fluent-bit:latest -c /fluent-bit/etc/fluent-bit.conf

After ingestion begins, Manticore automatically creates the dpkg_log table. Here is the table definition and sample data:

mysql> DESCRIBE dpkg_log;
+-------------+--------+----------------+
| Field       | Type   | Properties     |
+-------------+--------+----------------+
| id          | bigint |                |
| @timestamp  | text   | indexed stored |
| log         | text   | indexed stored |
+-------------+--------+----------------+
mysql> SELECT * FROM dpkg_log LIMIT 3\G
*************************** 1. row ***************************
id: 7856533729353662465
@timestamp: 2023-08-04T15:09:21.191Z
log: 2023-06-05 14:03:04 startup archives install
*************************** 2. row ***************************
id: 7856533729353662466
@timestamp: 2023-08-04T15:09:21.191Z
log: 2023-06-05 14:03:04 install base-passwd:amd64 <none> 3.5.47
*************************** 3. row ***************************
id: 7856533729353662467
@timestamp: 2023-08-04T15:09:21.191Z
log: 2023-06-05 14:03:04 status half-installed base-passwd:amd64 3.5.47

With this lightweight pipeline, Fluent Bit handles log collection and delivery while Manticore indexes the events for fast search and analytics. The approach works equally well for other log sources—just add more inputs and reuse the same Elasticsearch-compatible output pointed at your Manticore cluster.

NOTE: The integration with Fluent Bit requires Manticore Buddy. If it doesn't work, make sure Buddy is installed.

Vector by Datadog is an open source observability data pipeline that can collect, transform, and route logs or metrics. While Vector can aggregate the data by itself, pairing it with Manticore provides a purpose-built storage and search layer.

The example below shows how to forward Debian's dpkg.log through Vector.dev and index it in Manticore.

2023-05-31 10:42:55 status triggers-awaited ca-certificates-java:all 20190405ubuntu1.1
2023-05-31 10:42:55 trigproc libc-bin:amd64 2.31-0ubuntu9.9 <none>
2023-05-31 10:42:55 status half-configured libc-bin:amd64 2.31-0ubuntu9.9
2023-05-31 10:42:55 status installed libc-bin:amd64 2.31-0ubuntu9.9
2023-05-31 10:42:55 trigproc systemd:amd64 245.4-4ubuntu3.21 <none>

Create a vector.toml similar to the following:

[sources.test_file]
type = "file"
include = [ "/var/log/dpkg.log" ]
[transforms.modify_test_file]
type = "remap"
inputs = [ "test_file" ]
source = """
.vec_timestamp = del(.timestamp)"""
[sinks.manticore]
type = "elasticsearch"
inputs = [ "modify_test_file" ]
endpoints = ["http://127.0.0.1:9308"]
bulk.index = "dpkg_log"

• endpoints points to Manticore's HTTP interface (port 9308 by default). Adjust it if your instance listens elsewhere.
• The remap transform moves Vector's default timestamp field to vec_timestamp, because timestamp is reserved in Manticore.
• bulk.index defines the table that will be created automatically when Vector starts sending data.

Start Vector.dev with this configuration and it will tail the log file, transform each event, and forward it directly to Manticore.

Save the configuration as vector.toml, then start the agent:

vector --config vector.toml

If you run Vector.dev in Docker, mount both the config file and the log directory, for example:

docker run --rm -v /var/log/dpkg.log:/var/log/dpkg.log:ro \
  -v $(pwd)/vector.toml:/etc/vector/vector.toml:ro \
  timberio/vector:latest --config /etc/vector/vector.toml

When the pipeline runs, Manticore creates the dpkg_log table automatically. Its schema and example documents look like this:

mysql> DESCRIBE dpkg_log;
+-----------------+---------+--------------------+
| Field           | Type    | Properties         |
+-----------------+---------+--------------------+
| id              | bigint  |                    |
| file            | text    | indexed stored     |
| host            | text    | indexed stored     |
| message         | text    | indexed stored     |
| source_type     | text    | indexed stored     |
| vec_timestamp   | text    | indexed stored     |
+-----------------+---------+--------------------+
mysql> SELECT * FROM dpkg_log LIMIT 3\G
*************************** 1. row ***************************
id: 7856533729353672195
file: /var/log/dpkg.log
host: logstash-787f68f6f-nhdd2
message: 2023-06-05 14:03:04 startup archives install
source_type: file
vec_timestamp: 2023-08-04T15:32:50.203091741Z
*************************** 2. row ***************************
id: 7856533729353672196
file: /var/log/dpkg.log
host: logstash-787f68f6f-nhdd2
message: 2023-06-05 14:03:04 install base-passwd:amd64 <none> 3.5.47
source_type: file
vec_timestamp: 2023-08-04T15:32:50.203808861Z
*************************** 3. row ***************************
id: 7856533729353672197
file: /var/log/dpkg.log
host: logstash-787f68f6f-nhdd2
message: 2023-06-05 14:03:04 status half-installed base-passwd:amd64 3.5.47
source_type: file
vec_timestamp: 2023-08-04T15:32:50.203814031Z

Using Vector.dev with Manticore lets you collect logs from virtually any source, enrich or sanitize them in-flight, and store the results in a search-ready database. This workflow keeps observability pipelines simple while still enabling advanced transformations when needed.

Kibana is a visual interface that allows you to explore, visualize, and create dashboards for your log data. Integrating Kibana with Manticore Search can speed up the loading of Kibana visualizations by up to 3 times compared to Elasticsearch, as demonstrated in this demo. This integration enables users to seamlessly analyze their data using interactive dashboards, custom visualizations, and real-time search capabilities. It also simplifies handling diverse data sources by supporting tools like Logstash and Filebeat for streamlined data ingestion, making it a great choice for log analysis workflows.

1. Download Kibana: Ensure you download a Kibana version compatible with Manticore. Currently, version 7.6.0 is tested and recommended. Other 7.x versions may work but could introduce issues. Version 8.x is not supported.
2. Verify Manticore: Ensure your Manticore instance is running and its HTTP API is reachable (default: http://localhost:9308).

1. Open the Kibana configuration file (kibana.yml).
2. Set the URL of your Manticore instance:

   elasticsearch.hosts: ["http://localhost:9308"]

3. Start Kibana and open it in your browser at http://localhost:5601. Replace localhost with your server's IP or hostname if necessary.

Note: Manticore does not require authentication setup when working with Kibana. Also note that Manticore must work in real-time mode to be integrated with Kibana.

    listen = 127.0.0.1:9308:http
    pid_file = /var/run/manticore/searchd.pid
    data_dir = /var/lib/manticore
 }

## Supported Features
### Discover
- Use the **Discover** tab in Kibana to search and filter your data interactively.
- Refine your searches using the query bar with simple queries in the %Kibana query language [https://www.elastic.co/guide/en/kibana/current/kuery-query.html] %.

### Visualizations
- Navigate to **Visualizations** to create custom visualizations:
  - Create a table pattern (it’s called an 'index pattern' in Kibana) if one doesn’t already exist to define your data source.
  - Choose a visualization type (e.g., bar chart, line chart, or pie chart).
  - Configure your visualization, execute it, and explore your data.
  - Save your visualizations for future use.

### Dashboards
- Access **Dashboards** to create or view interactive dashboards:
  - Add visualizations, filters, or controls for a personalized experience.
  - Interact with your data directly from the dashboard.
  - Save dashboards for future use.

### Management
- Go to **Management > Kibana** to customize settings like default time zones and visualization preferences.

## Limitations
- Currently, Kibana version 7.6.0 is tested and recommended. Other 7.x versions may work but could cause issues. Versions 8.x are not supported.
- The following Elasticsearch-specific field types are not supported:
  - %Spatial data types [https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-types.html#spatial_datatypes] %
  - %Structured data types [https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-types.html#structured-data-types] %
  - %Document ranking types [https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-types.html#document-ranking-types] %
  - %Text search types [https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-types.html#text-search-types] % (except for plain 'text')
  - %Relational data types [https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-types.html#object-types] %
- Metric aggregation functions are limited to %those supported by Manticore [../Searching/Grouping.md#Aggregation-functions] %.
- The following Kibana tools are not supported:
  - %Canvas [https://www.elastic.co/guide/en/kibana/7.6/canvas.html] % – A visualization and presentation tool for combining data with colors and images.
  - %Elastic Maps [https://www.elastic.co/guide/en/kibana/7.6/maps.html] % – A tool for analyzing geographical data.
  - %Metrics [https://www.elastic.co/guide/en/kibana/7.6/xpack-infra.html] % – An app for monitoring infrastructure metrics.
  - %Logs [https://www.elastic.co/guide/en/kibana/7.6/xpack-logs.html] % – A console-like display for exploring logs from common services.
  - Monitoring:
    - %Uptime [https://www.elastic.co/guide/en/kibana/7.6/xpack-uptime.html] % – Monitors the status of network endpoints via HTTP/S, TCP, and ICMP.
    - %APM (Application Performance Monitoring) [https://www.elastic.co/guide/en/kibana/7.6/xpack-apm.html] % – Collects in-depth performance metrics from applications.
    - %SIEM (Security Information and Event Management) [https://www.elastic.co/guide/en/kibana/7.6/xpack-siem.html] % – An interactive workspace for security teams to triage events and conduct initial investigations.
    - %ILM (Index lifecycle management) [https://www.elastic.co/guide/en/elasticsearch/reference/7.6/index-lifecycle-management.html] % - Automatically manage indices according to performance, resiliency, and retention requirements.
    - %Stack Monitoring [https://www.elastic.co/guide/en/kibana/7.6/xpack-monitoring.html] % – Provides visualizations of monitoring data across the Elastic Stack.
  - %Elasticsearch Management [https://www.elastic.co/guide/en/kibana/7.6/management.html] % – A UI for managing Elastic Stack objects, including ILM (Index Lifecycle Management), etc.

## Data Ingestion and Exploration
Integrate Manticore with tools like %Logstash [../Integration/Logstash.md] %, %Filebeat [../Integration/Filebeat.md] %, %Fluentbit [https://manticoresearch.com/blog/integration-of-manticore-with-fluentbit/] %, or %Vector.dev [https://manticoresearch.com/blog/integration-of-manticore-with-vectordev/] % to ingest data from sources like web logs. Once the data is loaded into Manticore, you can explore and visualize it in Kibana.