Introduction
- These instructions are specific to our environment
- Note: Journalbeat has been absorbed into Filebeat. See "Configuring CLS for Linux Endpoints" for systems that do NOT require journald
- Follow the APT or YUM installation below as appropriate to your OS
- Prerequisites: Terminal, vi, administrative access
- There are modules and processors available that are not covered here. Contact CLS if they might be useful to you.
Instructions
Linux Filebeat APT repo install
- Download and install the Public Signing Key:
- wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
- You may need to install the apt-transport-https package on Debian before proceeding:
- sudo apt-get install apt-transport-https
- Save the repository definition to /etc/apt/sources.list.d/elastic-8.x.list with this command:
- echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list
- Update the repo and install Filebeat:
- sudo apt-get update && sudo apt-get install filebeat
- Make the directory for certificates:
- sudo mkdir /etc/filebeat/certs/
- Using a web browser, download this certificate:
- Copy the certificate into /etc/filebeat/certs/
- Use the configuration instructions below to configure, start and test Filebeat
Linux Filebeat YUM repo install
- Download and install the Public Signing Key:
- sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
- Create an elastic.repo file in your /etc/yum.repos.d/ directory. Add the following 8 lines, save and close the file:
[elastic-8.x]
name=Elastic repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
- Your repository is ready to use
- Install Filebeat by running:
- sudo yum install filebeat
- Make the directory for certificates:
- sudo mkdir /etc/filebeat/certs/
- Using a web browser, download this certificate:
- Copy the certificate into /etc/filebeat/certs/
- Use the configuration instructions below to configure, start and test Filebeat
Configure Filebeat
- Download this custom filebeat.yml file and copy it to /etc/filebeat/, replacing the existing one
- It is already configured to send /var/log/messages to our servers. Ubuntu users may need to modify the log locations.
- Open the custom filebeat.yml file you copied to /etc/filebeat/ with vi or other plain text editor. You will need to sudo to edit.
- In the "General" section, edit the following. These values will be overridden by any values you specified in the Filebeat inputs section.
- index: "vt_logstash" - replace "vt_logstash" with the index name that was created in your consultation with CLS
- name: "service_name" - replace with the service name of your choice
- service_id: "edu.vt.org.service.name" - replace with an id of your choice that describes your service, such as service_id: "edu.vt.hokies.webserver" or "edu.vt.hokies.workstation"
- host: "my-host-name" - replace "my-host-name" with a name of your choice that identifies the sending device
- Save and close filebeat.yml
- Set ownership of the configuration file to root. Filebeat refuses to start if filebeat.yml is owned by another user or is writable by group or others:
- sudo chown root /etc/filebeat/filebeat.yml
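A pre-flight script for the customised filebeat.yml, added here as an example and not part of the CLS instructions or of Filebeat itself. It checks the ownership and permission rules Filebeat enforces and that none of the placeholder values from the "General" section above are still present; it assumes GNU coreutils stat (Linux) and that Filebeat runs as root under systemd.

```bash
#!/usr/bin/env bash
# Pre-flight check for the customised filebeat.yml. Added example for this page,
# not part of the CLS instructions or of Filebeat. Assumes GNU stat (Linux) and
# that Filebeat runs as root under systemd.

# Quoted placeholder values from the "General" section that must be replaced.
PLACEHOLDERS='vt_logstash service_name edu.vt.org.service.name my-host-name'

# Filebeat refuses to load a config file it does not own (root under systemd).
check_owner() {
    [ "$(stat -c '%U' "$1")" = "$2" ]
}

# The same strict permission check rejects a config writable by group or others.
# %A gives e.g. "-rw-r--r--": character 6 is group write, character 9 is other write.
check_not_writable_by_others() {
    case "$(stat -c '%A' "$1")" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Fail if any of the template's quoted placeholder values is still present.
check_placeholders_replaced() {
    for p in $PLACEHOLDERS; do
        if grep -q "\"$p\"" "$1"; then
            echo "placeholder still present in $1: \"$p\"" >&2
            return 1
        fi
    done
    return 0
}

# preflight FILE OWNER: run every check, report each failure, return non-zero on any.
preflight() {
    rc=0
    check_owner "$1" "$2" || { echo "$1 is not owned by $2" >&2; rc=1; }
    check_not_writable_by_others "$1" || { echo "$1 is writable by group or others" >&2; rc=1; }
    check_placeholders_replaced "$1" || rc=1
    # Syntax check with Filebeat itself when it is installed; skipped otherwise.
    if command -v filebeat >/dev/null 2>&1; then
        filebeat -c "$1" test config || rc=1
    fi
    return $rc
}

# Usage on a real host (run as root): preflight /etc/filebeat/filebeat.yml root
```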
Test Filebeat
- Open Terminal
- Check the configuration file is syntactically correct with this command:
- sudo filebeat -c filebeat.yml test config
- Terminal should return "Config OK." Otherwise, correct errors and test again
- Test output with this command:
- sudo filebeat test output
- Terminal should return a series of "OK" responses. Otherwise, correct errors and test again
Start Filebeat
- Open a terminal and enable Filebeat to run at startup with this command:
- sudo systemctl enable filebeat
- Start Filebeat:
- sudo systemctl start filebeat
Next steps
- You should be sending logs now.
- See Splunk Search Best Practices for information on how to see and search your logs.
Contact
- If you have questions or would like to schedule an introduction to Splunk via Zoom, please open a ticket mentioning CLS and we'd be glad to help
- You can also reach us on #central_monitoring and #central_log on VT Slack