Fluent Bit: Official Manual
Search…
1.8
Fluent Bit v1.8 Documentation
About
What is Fluent Bit ?
A Brief History of Fluent Bit
Fluentd & Fluent Bit
License
Concepts
Key Concepts
Buffering
Data Pipeline
Installation
Getting Started with Fluent Bit
Upgrade Notes
Supported Platforms
Requirements
Sources
Linux Packages
Docker
Containers on AWS
Amazon EC2
Kubernetes
Yocto / Embedded Linux
Windows
Administration
Configuring Fluent Bit
Security
Buffering & Storage
Backpressure
Scheduling and Retries
Networking
Memory Management
Monitoring
Dump Internals / Signal
HTTP Proxy
Local Testing
Validating your Data and Structure
Running a Logging Pipeline Locally
Data Pipeline
Pipeline Monitoring
Inputs
Parsers
Filters
Outputs
Stream Processing
Introduction to Stream Processing
Overview
Changelog
Getting Started
Fluent Bit for Developers
C Library API
Ingest Records Manually
Golang Output Plugins
Developer guide for beginners on contributing to Fluent Bit
Powered By GitBook
Security
Fluent Bit provides integrated support for Transport Layer Security (TLS) and it predecessor Secure Sockets Layer (SSL) respectively. In this section we will refer as TLS only for both implementations.
Each output plugin that requires to perform Network I/O can optionally enable TLS and configure the behavior. The following table describes the properties available:
Property
Description
Default
tls
enable or disable TLS support
Off
tls.verify
force certificate validation
On
tls.debug
Set TLS debug verbosity level. It accept the following values: 0 (No debug), 1 (Error), 2 (State change), 3 (Informational) and 4 Verbose
1
tls.ca_file
absolute path to CA certificate file
​
tls.ca_path
absolute path to scan for certificate files
​
tls.crt_file
absolute path to Certificate file
​
tls.key_file
absolute path to private Key file
​
tls.key_passwd
optional password for tls.key_file file
​
tls.vhost
hostname to be used for TLS SNI extension
​
The listed properties can be enabled in the configuration file, specifically on each output plugin section or directly through the command line.
The following output plugins can take advantage of the TLS feature:
In addition, other plugins implements a sub-set of TLS support, meaning, with restricted configuration:

Example: enable TLS on HTTP output

By default HTTP output plugin uses plain TCP, enabling TLS from the command line can be done with:
1
$ fluent-bit -i cpu -t cpu -o http://192.168.2.3:80/something \
2
-p tls=on \
3
-p tls.verify=off \
4
-m '*'
Copied!
In the command line above, the two properties tls and tls.verify where enabled for demonstration purposes (we strongly suggest always keep verification ON).
The same behavior can be accomplished using a configuration file:
1
[INPUT]
2
Name cpu
3
Tag cpu
4
​
5
[OUTPUT]
6
Name http
7
Match *
8
Host 192.168.2.3
9
Port 80
10
URI /something
11
tls On
12
tls.verify Off
Copied!

Tips and Tricks

Connect to virtual servers using TLS

Fluent Bit supports TLS server name indication. If you are serving multiple hostnames on a single IP address (a.k.a. virtual hosting), you can make use of tls.vhost to connect to a specific hostname.
1
[INPUT]
2
Name cpu
3
Tag cpu
4
​
5
[OUTPUT]
6
Name forward
7
Match *
8
Host 192.168.10.100
9
Port 24224
10
tls On
11
tls.verify On
12
tls.ca_file /etc/certs/fluent.crt
13
tls.vhost fluent.example.com
Copied!
Previous
Record Accessor
Next - Administration
Buffering & Storage
Last modified 9mo ago
Export as PDF
Copy link
Contents
Example: enable TLS on HTTP output
Tips and Tricks
Connect to virtual servers using TLS