Prerequisites:
- Java 1.8 must be running on the machine before Filebeat is set up.
Install Filebeat on Windows OS:
To download and install Filebeat, enter the designated machine as a local Administrator and follow these guidelines:
- Download and Install Java JRE 1.8 HERE. If the machine already runs Java 1.8 you may skip this part. Otherwise download Java and upon completion restart the machine.
- To verify that the installed Java is 1.8 go to Control Panel > Java > About and check the version number.
- Download the Filebeat Windows zip file from this LINK
- Extract the contents of the zip file into C:\Program Files.
- Rename the filebeat-<version>-windows directory to Filebeat
- Configure Filebeat. To configure Filebeat data forwarding to logstash, modify the file C:\Program Files\Filebeat\filebeat.yml:
- Make a copy of the original filebeat.yml as filebeat.yml.orig.
- Replace the original filebeat.yml with the following attachment: filebeat.yml
- Edit the config file filebeat.yml and locate the Logstash output section
- The output configuration is set as follows: hosts: ["HOST_THAT_THE_LOGSTASH_IS_INSTALLED_UPON:5044"]
Set the IP/HOST of the logstash. For example: hosts: ["172.16.4.25:5044"]
- Configure the logs that will be forwarded and press save.
- The example forwards 2 logs: messages & secure.
- More guidelines are described in the article: Configuring Filebeat to send data to Logstash
- Install Filebeat as a service. Setting the service must be done only after completing the configuration. Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
- Run the command: cd 'C:\Program Files\Filebeat'
- Run the command: .\install-service-filebeat.ps1
Notes:
- Filebeat can run in parallel to Winlogbeat on the same Windows machine and its usage is for any log which is NOT Windows Events Logs.
- If you are running Windows XP, you may need to download and install PowerShell.
- If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run.
For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1
- The Filebeat service should be manageable from services.msc.
- Any change in the filebeat.yml configuration file requires restarting the Filebeat service (defined by default at the path C:\Program Files\Filebeat).
- To run Filebeat manually, open PowerShell as Administrator, go to C:\Program Files\Filebeat and run: .\filebeat.exe -c .\filebeat.yml
Install Filebeat on Linux OS:
To download and install Filebeat, enter the designated Linux machine as an Administrator and follow these guidelines:
- Run the command: apt-get update to update the package lists for upgrades for packages that need upgrading, as well as new packages that have just come to the repositories.
- Install Java JRE 1.8 on the Linux OS. If the machine already runs Java 1.8 you may skip this part. To install Java run the command: apt-get install default-jre
- To verify that the installed Java is 1.8 run the command: java -version. If verified you may proceed to the next step.
- Install Filebeat as a service:
- Run the command: curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.5.14-amd64.deb
- Run the command: dpkg -i filebeat-6.5.14-amd64.deb
- Configure Filebeat. To configure Filebeat to forward data to logstash, modify the file /etc/filebeat/filebeat.yml according to the following guidelines:
- Make a copy of the original filebeat.yml as filebeat.yml.orig.
- Replace the original filebeat.yml with the following attachment: filebeat.yml
- Edit the config file filebeat.yml and locate the Logstash output section
- The output configuration is set as follows: hosts: ["HOST_THAT_THE_LOGSTASH_IS_INSTALLED_UPON:5044"]
Set the IP/HOST of the logstash. For example: hosts: ["172.16.4.25:5044"]
- Configure the logs that will be forwarded and press save.
- The example forwards 2 logs: messages & secure.
- More guidelines are described in the article: Configuring Filebeat to send data to Logstash
- Start the Filebeat service. To start the service use the command service filebeat start. The available options are: service filebeat {start|stop|status|restart|force-reload}
Note:
- Any change in the filebeat.yml configuration file requires restarting the Filebeat service (defined by default at the path /etc/init.d/filebeat).
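A filebeat.yml matching the configuration steps above, as an added example that is not the attachment referenced in this guide. The log paths, the `fields` entry and the certificate paths are assumptions; the host is the example address used in the steps.

```yaml
# Added example, not the attachment referenced in this guide.
# Log paths are assumptions based on the log names "messages" and "secure".
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/messages
      - /var/log/secure
    # Tag events so Logstash can route them (field name is an assumption).
    fields:
      log_source: linux-syslog

# Only one output may be enabled at a time; leave output.elasticsearch
# commented out when forwarding to Logstash.
output.logstash:
  # Example address from this guide; replace with your Logstash host.
  hosts: ["172.16.4.25:5044"]

  # Without the ssl settings below, events (including the contents of the
  # secure log) travel to port 5044 in clear text.
  # Certificate paths are placeholders; the Logstash beats input must have
  # SSL enabled with a certificate signed by this CA.
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
  ssl.certificate: "/etc/filebeat/certs/filebeat.crt"
  ssl.key: "/etc/filebeat/certs/filebeat.key"
```

Before restarting the service, `filebeat test config -c /etc/filebeat/filebeat.yml` checks the file syntax and `filebeat test output -c /etc/filebeat/filebeat.yml` checks the connection to Logstash.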
Install Filebeat on MAC:
To download and install Filebeat, enter the designated Linux machine as an Administrator and follow these guidelines:
- Run the command: apt-get update to update the package lists for upgrades for packages that need upgrading, as well as new packages that have just come to the repositories.
- Install Java JRE 1.8 on the Linux OS. If the machine already runs Java 1.8 you may skip this part. Otherwise download Java and upon completion restart the machine. To install Java run the command: apt-get install default-jre
- To verify that the installed Java is 1.8 run the command: java -version. If verified you may proceed to the next step.
- Install Filebeat as a service:
- Run the command: curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.5.4-darwin-x86_64.tar.gz
- Run the command: tar xzvf filebeat-6.5.4-darwin-x86_64.tar.gz
- Configure Filebeat. To configure Filebeat to forward data to logstash, modify the file /etc/filebeat/filebeat.yml according to the guidelines described in the article: Configuring Filebeat to send data to Logstash
- You may download the filebeat.yml example and modify it to match your needs.
Note that the example forwards 2 logs: messages & secure to localhost using port 5044. You may the logs and set output.logstash with the logstash host/IP.
- Make a copy of the original filebeat.yml as filebeat.yml.orig.
- Replace the original filebeat.yml with the following attachment: filebeat.yml
- Edit the config file filebeat.yml and locate the Logstash output section
- The output configuration is set as follows: hosts: ["HOST_THAT_THE_LOGSTASH_IS_INSTALLED_UPON:5044"]
Set the IP/HOST of the logstash. For example: hosts: ["172.16.4.25:5044"]
- Configure the logs that will be forwarded and press save.
- The example forwards 2 logs: messages & secure.
- More guidelines are described in the article: Configuring Filebeat to send data to Logstash
- Start the Filebeat service. To start the service use the command service filebeat start. The available options are: service filebeat {start|stop|status|restart|force-reload}
Note:
- Any change in the filebeat.yml configuration file requires restarting the Filebeat service (defined by default at the path /etc/init.d/filebeat).