Setting Up a Filebeat Forwarder

Prerequisites:

  • Java 1.8 must be installed and working on the machine before Filebeat is set up. (Filebeat itself is a self-contained Go binary with no Java dependency of its own; the Java 1.8 requirement comes from the deployment this page describes, not from Filebeat.)

Install Filebeat on Windows OS:

To download and install Filebeat, log on to the designated machine as a local Administrator and follow these guidelines:

  1. Download and install Java JRE 1.8 HERE. If the machine already runs Java 1.8 you may skip this step. Otherwise download Java and restart the machine once the installation completes.
  2. To verify that the installed Java is 1.8, go to Control Panel > Java > About and check the version number.
  3. Download the Filebeat Windows zip file from this LINK.
  4. Extract the contents of the zip file into C:\Program Files.
  5. Rename the extracted filebeat-<version>-windows directory (for example filebeat-6.5.4-windows-x86_64) to Filebeat.
  6. Configure Filebeat. To configure Filebeat to forward data to Logstash, modify the file C:\Program Files\Filebeat\filebeat.yml:
    1. Make a copy of the original filebeat.yml as filebeat.yml.orig.
    2. Replace the original filebeat.yml with the attached filebeat.yml.
    3. Edit the config file filebeat.yml and locate the Logstash output section (output.logstash):
      1. The output configuration is set as follows: hosts: ["HOST_THAT_THE_LOGSTASH_IS_INSTALLED_UPON:5044"]
        Replace the placeholder with the IP address or hostname of the Logstash server, keeping port 5044 (the Beats input port on Logstash). For example: hosts: ["172.16.4.25:5044"]
      2. Configure the logs that will be forwarded (the log paths in the inputs section) and save the file.
  7. Install Filebeat as a service. Do this only after completing the configuration. Open a PowerShell prompt as Administrator (right-click the PowerShell icon and select Run as Administrator).
    1. Run the command: cd 'C:\Program Files\Filebeat'
    2. Run the command: .\install-service-filebeat.ps1

Notes:

    • Filebeat can run alongside Winlogbeat on the same Windows machine; Filebeat is used for any log that is NOT a Windows Event Log (Winlogbeat handles those).
    • If you are running Windows XP, you may need to download and install PowerShell.
    • If script execution is disabled on your system, set the execution policy for the current invocation so the script can run (this does not change the machine-wide policy).
      For example: PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-filebeat.ps1
    • The Filebeat service should be manageable from services.msc (or from PowerShell with Start-Service filebeat, Stop-Service filebeat and Restart-Service filebeat). The install script registers the service but does not start it.
    • Any change to the filebeat.yml configuration file requires restarting the Filebeat service (the service runs Filebeat from C:\Program Files\Filebeat by default).
    • To run Filebeat manually, open PowerShell as Administrator, change to C:\Program Files\Filebeat and run: .\filebeat.exe -c .\filebeat.yml (add -e to print Filebeat's own log to the console). Stop the service first so that only one Filebeat instance uses the registry and data directory.

Install Filebeat on Linux OS:

To download and install Filebeat, log on to the designated Linux machine as root (or use sudo) and follow these guidelines. The commands below are for Debian/Ubuntu hosts (apt-get and dpkg):

  1. Run the command: apt-get update  to refresh the package lists, so that new packages and available upgrades from the configured repositories are known.
  2. Install Java JRE 1.8 on the Linux OS. If the machine already runs Java 1.8 you may skip this part. To install Java run the command: apt-get install default-jre
     (default-jre installs the distribution's default JRE, which on newer releases is later than 1.8; if a 1.8 JRE is required, install openjdk-8-jre instead.)
  3. To verify that the installed Java is 1.8 run the command: java -version (the version string starts with 1.8). If verified you may proceed to the next step.
  4. Install Filebeat as a service (the .deb package registers the service and places the configuration under /etc/filebeat):
    1. Run the command: curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.5.4-amd64.deb
    2. Run the command: dpkg -i filebeat-6.5.4-amd64.deb
  5. Configure Filebeat. To configure Filebeat to forward data to Logstash, modify the file /etc/filebeat/filebeat.yml:
    1. Make a copy of the original filebeat.yml as filebeat.yml.orig.
    2. Replace the original filebeat.yml with the attached filebeat.yml.
    3. Edit the config file filebeat.yml and locate the Logstash output section (output.logstash):
      1. The output configuration is set as follows: hosts: ["HOST_THAT_THE_LOGSTASH_IS_INSTALLED_UPON:5044"]
        Replace the placeholder with the IP address or hostname of the Logstash server, keeping port 5044 (the Beats input port on Logstash). For example: hosts: ["172.16.4.25:5044"]
      2. Configure the logs that will be forwarded (the log paths in the inputs section) and save the file.
  6. Start the Filebeat service. To start the service use the command: service filebeat start. The available options are: service filebeat {start|stop|status|restart|force-reload}. On systemd hosts, systemctl start filebeat works as well.

    Note:
    • Any change in the filebeat.yml configuration file requires restarting the Filebeat service with service filebeat restart (the init script is installed at /etc/init.d/filebeat).
    • The package does not start Filebeat or enable it at boot; enable it with systemctl enable filebeat (systemd) or update-rc.d filebeat defaults 95 10 (SysV init).

Install Filebeat on macOS:

To download and install Filebeat, log on to the designated Mac as an administrator and follow these guidelines. The macOS build is distributed as a tar.gz archive rather than a package, so there is no apt-get/dpkg step and no system service is registered:

  1. Install Java JRE 1.8 on the Mac using a macOS Java installer (apt-get does not exist on macOS). If the machine already runs Java 1.8 you may skip this part.
  2. To verify that the installed Java is 1.8 run the command: java -version (the version string starts with 1.8). If verified you may proceed to the next step.
  3. Download and extract Filebeat:
    1. Run the command: curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.5.4-darwin-x86_64.tar.gz
    2. Run the command: tar xzvf filebeat-6.5.4-darwin-x86_64.tar.gz
    3. Run the command: cd filebeat-6.5.4-darwin-x86_64
  4. Configure Filebeat. The archive does not install anything under /etc/filebeat; to configure Filebeat to forward data to Logstash, modify the filebeat.yml inside the extracted directory (filebeat-6.5.4-darwin-x86_64/filebeat.yml):
    1. Make a copy of the original filebeat.yml as filebeat.yml.orig.
    2. Replace the original filebeat.yml with the attached filebeat.yml.
    3. Edit the config file filebeat.yml and locate the Logstash output section (output.logstash):
      1. The output configuration is set as follows: hosts: ["HOST_THAT_THE_LOGSTASH_IS_INSTALLED_UPON:5044"]
        Replace the placeholder with the IP address or hostname of the Logstash server, keeping port 5044 (the Beats input port on Logstash). For example: hosts: ["172.16.4.25:5044"]
      2. Configure the logs that will be forwarded (the log paths in the inputs section) and save the file.
  5. Start Filebeat. The tar.gz distribution does not register a service, so run Filebeat from the extracted directory: ./filebeat -e -c filebeat.yml (the -e flag sends Filebeat's own log to stderr). Stop it with Ctrl-C.

    Note:
    • Any change in the filebeat.yml configuration file requires restarting Filebeat (stop the running process and start it again with the command above).
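The download, integrity check and output-configuration steps above (the Linux download and dpkg step, and the filebeat.yml edit that is repeated in the Windows, Linux and macOS sections) as a worked example. This is an added script, not part of the original page and not Filebeat's own tooling. It assumes that Elastic publishes a .sha512 digest file beside each artifact (https://artifacts.elastic.co/downloads/beats/filebeat/<artifact>.sha512), that the log path /var/log/myapp/*.log and the CA file /etc/filebeat/logstash-ca.crt are placeholders to adjust, and that the Logstash beats input has TLS enabled, which the page's own configuration does not require.

```shell
#!/bin/sh
# Added example (not from the original page): verify the Filebeat download,
# then generate a filebeat.yml with the Logstash output described on the page.
# Assumptions (not in the original): the .sha512 file beside the artifact,
# the placeholder log path and CA file, and a TLS-enabled Logstash input.
set -eu

FILEBEAT_VERSION="6.5.4"
ARTIFACT="filebeat-${FILEBEAT_VERSION}-amd64.deb"
ARTIFACT_URL="https://artifacts.elastic.co/downloads/beats/filebeat/${ARTIFACT}"
PLACEHOLDER="HOST_THAT_THE_LOGSTASH_IS_INSTALLED_UPON"

# Hex SHA-512 of a file; works with GNU coreutils (sha512sum) and macOS (shasum).
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  else
    shasum -a 512 "$1" | awk '{print $1}'
  fi
}

# verify_sha512 FILE EXPECTED_HEX: succeeds only if the digest matches exactly.
verify_sha512() {
  [ "$(sha512_of "$1")" = "$2" ]
}

# valid_logstash_host "HOST:PORT": succeeds if the value is usable in the
# hosts: list, i.e. the page's placeholder was replaced, a host is present,
# and an explicit port in 1..65535 follows it.
valid_logstash_host() {
  case "$1" in
    *"$PLACEHOLDER"*) return 1 ;;   # placeholder never replaced
    *:*) ;;                         # has a port separator, keep checking
    *) return 1 ;;                  # no explicit port
  esac
  port="${1##*:}"
  host="${1%:*}"
  [ -n "$host" ] || return 1
  case "$port" in
    ''|*[!0-9]*) return 1 ;;        # empty or non-numeric port
  esac
  if [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; then return 0; fi
  return 1
}

# render_filebeat_yml "HOST:PORT" OUTFILE: writes the Logstash-output config.
# Refuses to write anything if the host value fails validation.
render_filebeat_yml() {
  host_port="$1"
  out="$2"
  valid_logstash_host "$host_port" || {
    echo "refusing to write $out: invalid Logstash host '$host_port'" >&2
    return 1
  }
  cat > "$out" <<EOF
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/myapp/*.log          # assumed path: set to the logs to forward

output.logstash:
  hosts: ["${host_port}"]
  # Added hardening (not in the page's config): require TLS to the Logstash
  # beats input and trust only the CA that signed its certificate.
  ssl.certificate_authorities: ["/etc/filebeat/logstash-ca.crt"]
EOF
}

# install_filebeat_deb: the Linux download + dpkg steps from the page, with the
# checksum verified before dpkg is allowed to run. Run as root.
install_filebeat_deb() {
  curl -fsSL -O "$ARTIFACT_URL"
  expected="$(curl -fsSL "${ARTIFACT_URL}.sha512" | awk '{print $1}')"
  verify_sha512 "$ARTIFACT" "$expected" || {
    echo "checksum mismatch for $ARTIFACT, refusing to install" >&2
    return 1
  }
  dpkg -i "$ARTIFACT"
}

# Stand-alone usage: ./filebeat-setup.sh 172.16.4.25:5044 /etc/filebeat/filebeat.yml
# then check it with: filebeat test config -c /etc/filebeat/filebeat.yml
#                     filebeat test output -c /etc/filebeat/filebeat.yml
if [ -n "${1:-}" ]; then
  render_filebeat_yml "$1" "${2:-filebeat.yml}"
fi
```

The checksum check defends against a truncated or substituted download, not against a compromised artifact server, because the digest is fetched from the same origin; the same verify_sha512 call applies unchanged to the macOS tarball. The placeholder check catches the commonest mistake in this procedure, the HOST_THAT_THE_LOGSTASH_IS_INSTALLED_UPON value left in place, which Filebeat would otherwise try to resolve as a hostname at start-up; filebeat test output, run after the file is written, confirms the Logstash listener is actually reachable before the service is started.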