Prerequisites:
- The machine requires Java 1.8 running before Filebeat is set up.
Install Filebeat on Linux OS:
To download and install Filebeat, log in to the designated Linux machine as an Administrator and follow these guidelines:
- Run the command: apt-get update to refresh the package lists, so that packages that need upgrading and packages newly added to the repositories are picked up.
- Install Java JRE 1.8 on the Linux OS. If the machine already runs Java 1.8 you may skip this part. To install Java run the command: apt-get install default-jre
- To verify that the installed Java is 1.8, run the command: java -version. Once verified, you may proceed to the next step.
- Install Filebeat as a service:
- Run the command: curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.5.1-amd64.deb
- Run the command: dpkg -i filebeat-6.5.1-amd64.deb
- Configure Filebeat. To configure Filebeat to forward data to Logstash, modify the file /etc/filebeat/filebeat.yml according to the guidelines described in the article: Configuring Filebeat to send data to Logstash.
- Start the Filebeat service. To start the service, use the command: service filebeat start. The available options are: service filebeat {start|stop|status|restart|force-reload}
Note: Any change in the filebeat.yml configuration file requires restarting the Filebeat service (defined by default at the path /etc/init.d/filebeat).
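The Linux download and install steps above, with an integrity check added so that dpkg -i only runs on a package whose SHA-512 matches the published value. This is an added example, not part of the original guide; it assumes Elastic publishes a .sha512 file next to the package at the same URL, and verify_sha512 and install_filebeat are hypothetical helper names.

```shell
#!/bin/sh
# Added example: verify the Filebeat .deb before installing it.
# Assumption: "<package URL>.sha512" holds the vendor's SHA-512 for the package.

FB_DEB="filebeat-6.5.1-amd64.deb"
FB_URL="https://artifacts.elastic.co/downloads/beats/filebeat/${FB_DEB}"

# verify_sha512 FILE SUMFILE
# Returns 0 if FILE's SHA-512 equals the first field of SUMFILE,
# 1 on mismatch, 2 if an input is missing or SUMFILE is malformed.
verify_sha512() {
    file=$1
    sumfile=$2
    [ -f "$file" ] && [ -f "$sumfile" ] || return 2
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    actual=$(sha512sum "$file" | awk '{print $1}')
    # A SHA-512 digest is exactly 128 hex characters; reject anything else,
    # for example an HTML error page saved in place of the checksum.
    case $expected in
        *[!0-9a-f]*|'') return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || return 2
    [ "$expected" = "$actual" ]
}

# Download the package and its checksum, install only if they agree.
install_filebeat() {
    curl -fsSL -O "$FB_URL" || return 1
    curl -fsSL -O "${FB_URL}.sha512" || return 1
    if verify_sha512 "$FB_DEB" "${FB_DEB}.sha512"; then
        dpkg -i "$FB_DEB"
    else
        echo "checksum check failed for $FB_DEB, not installing" >&2
        rm -f "$FB_DEB"
        return 1
    fi
}

# Nothing is downloaded or installed unless the script is run with --install.
if [ "${1:-}" = "--install" ]; then
    install_filebeat
fi
```

Run it as root with the --install argument; without the argument it only defines the functions.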
Install Filebeat on Windows OS:
To download and install Filebeat, log in to the designated machine as a local Administrator and follow these guidelines:
- Download and Install Java JRE 1.8 HERE. If the machine already runs Java 1.8 you may skip this part. Otherwise download Java and upon completion restart the machine.
- To verify that the installed Java is 1.8, go to Control Panel > Java > About and check the version number.
- Download the Filebeat Windows zip file from this LINK
- Extract the contents of the zip file into C:\Program Files.
- Rename the filebeat-<version>-windows directory to Filebeat
- Configure Filebeat. To configure Filebeat to forward data to Logstash, modify the file C:\Program Files\Filebeat\filebeat.yml according to the guidelines described in the article: Configuring Filebeat to send data to Logstash.
- You may download the filebeat.yml example and modify it to match your needs.
Note that the example forwards 2 logs, messages and secure, to localhost using port 5044. You may change the logs and set output.logstash to the Logstash host/IP.
- Install Filebeat as a service. Setting the service must be done only after completing the configuration. Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
- Run the command: cd 'C:\Program Files\Filebeat'
- Run the command: .\install-service-filebeat.ps1
Notes:
- If you are running Windows XP, you may need to download and install PowerShell.
- If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run.
For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1
- The Filebeat service should be manageable from services.msc.
- Any change in the filebeat.yml configuration file requires restarting the Filebeat service (defined by default at the path C:\Program Files\Filebeat).