// the find
elastic/beats
🐠 Beats - Lightweight shippers for Elasticsearch & Logstash
Beats is Elastic's suite of lightweight Go daemons that ship operational data (logs, metrics, network packets, Windows events, file changes) to Elasticsearch or Logstash. It's the standard answer when you need low-overhead data collection on a fleet of servers without running a full agent. libbeat provides the shared framework so you can build your own Beat if none of the official ones fit.
The Go implementation genuinely earns the 'lightweight' claim — these run in constrained environments where a JVM-based shipper would be unacceptable. The module system in Metricbeat and Filebeat is well-designed: drop in a YAML config for MySQL or Nginx and you get pre-built dashboards plus field mappings without writing any code. Packetbeat doing passive network protocol analysis (HTTP, DNS, Redis, MySQL, TLS) without touching application code is useful for visibility on systems you can't instrument directly. The file_integrity module's multi-backend approach (eBPF, kprobes, ETW on Windows, fsevents on macOS) means you get kernel-level change detection tuned to the platform rather than a lowest-common-denominator inotify wrapper.
This is essentially a delivery vehicle for the Elastic Stack — if you're not running Elasticsearch, you're fighting the tool. Output plugins exist for Kafka, Redis, Logstash, etc., but the configuration model and field naming assume ECS and Kibana at the end of the pipe. The repo is enormous and the build system is Mage plus a sprawling Makefile; getting a local build working for a single Beat requires understanding which parts of the monorepo you actually need. Elastic Agent is now the preferred deployment path and Beats are in a somewhat ambiguous maintenance mode — Elastic's own docs push you toward Agent, which layers fleet management on top, but Agent has meaningfully higher complexity and resource usage. Backpressure handling when Elasticsearch is unavailable uses an on-disk queue that has historically had corruption edge cases under hard crashes.