Central Log Service (CLS) for Linux Endpoints


Introduction

  • These instructions are specific to our environment
  • Note: Journalbeat has been absorbed into Filebeat (its journald input). See "Configuring CLS for Linux Servers" for systems that log only to journald
  • Follow the APT or YUM installation below as appropriate to your OS
  • Prerequisites: Terminal, vi, administrative access

Instructions

Linux Filebeat APT repo install

  1. Download and install the Public Signing Key:
  2. You may need to install the apt-transport-https package on Debian before proceeding:
    • sudo apt-get install apt-transport-https
  3. Save the repository definition to /etc/apt/sources.list.d/elastic-8.x.list with this command:
  4. Update the repo and install Filebeat:
    • sudo apt-get update && sudo apt-get install filebeat
  5. Make the directory for certificates:
    • sudo mkdir /etc/filebeat/certs/
  6. Using a web browser, download this certificate:
  7. Copy the certificate into /etc/filebeat/certs/
  8. Use the configuration instructions below to configure, start and test Filebeat

Linux Filebeat YUM repo install

  1. Download and install the Public Signing Key:
  2. Create an elastic.repo file in your /etc/yum.repos.d/ directory. Add the following 8 lines, save and close the file:
    [elastic-8.x]
    name=Elastic repository for 8.x packages
    baseurl=https://artifacts.elastic.co/packages/8.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md
  3. Your repository is ready to use
  4. Install Filebeat by running:
    • sudo yum install filebeat
  5. Make the directory for certificates:
    • sudo mkdir /etc/filebeat/certs/
  6. Using a web browser, download this certificate:
  7. Copy the certificate into /etc/filebeat/certs/
  8. Use the configuration instructions below to configure, start and test Filebeat
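
The two repo procedures above, as one added example script (not the page's own commands, and not Elastic's). It pins the Elastic signing key to the Elastic repository only (the APT signed-by keyring) and keeps gpgcheck=1 on the YUM side, so a package from any other source cannot be validated with that key. The key URL and repo definitions come from the page; the keyring path /usr/share/keyrings/elasticsearch-keyring.gpg and the CLS_INSTALL=1 guard are choices made here. Nothing runs until CLS_INSTALL=1 is set, so the rendering functions can be checked without touching the system.

```shell
#!/bin/sh
# Added example: install the Elastic 8.x Filebeat repository on APT or YUM/DNF
# hosts with the signing key pinned to that repository.
set -eu

ELASTIC_KEY_URL="https://artifacts.elastic.co/GPG-KEY-elasticsearch"  # from the page's yum repo block
APT_KEYRING="/usr/share/keyrings/elasticsearch-keyring.gpg"          # assumption: keyring path chosen here
APT_LIST="/etc/apt/sources.list.d/elastic-8.x.list"                  # from the page
YUM_REPO="/etc/yum.repos.d/elastic.repo"                             # from the page
CERT_DIR="/etc/filebeat/certs"                                       # from the page

# Decide which package manager this host uses.
detect_pkg_manager() {
  if command -v apt-get >/dev/null 2>&1; then echo apt
  elif command -v dnf >/dev/null 2>&1; then echo dnf
  elif command -v yum >/dev/null 2>&1; then echo yum
  else echo "no supported package manager found" >&2; return 1
  fi
}

# Render the APT source line. signed-by ties the Elastic key to this one repo,
# so that key can never validate packages offered by any other source.
apt_repo_line() {
  printf 'deb [signed-by=%s] https://artifacts.elastic.co/packages/8.x/apt stable main\n' "$1"
}

# Render the yum repo definition exactly as the page lists it. gpgcheck=1 is the
# line that matters: without it rpm installs unsigned packages.
yum_repo_def() {
  cat <<EOF
[elastic-8.x]
name=Elastic repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=$ELASTIC_KEY_URL
enabled=1
autorefresh=1
type=rpm-md
EOF
}

install_apt() {
  apt-get install -y apt-transport-https gnupg
  # --dearmor converts the ASCII-armored key into the binary keyring apt reads.
  wget -qO - "$ELASTIC_KEY_URL" | gpg --dearmor -o "$APT_KEYRING"
  apt_repo_line "$APT_KEYRING" > "$APT_LIST"
  apt-get update && apt-get install -y filebeat
}

install_yum() {
  rpm --import "$ELASTIC_KEY_URL"
  yum_repo_def > "$YUM_REPO"
  "$1" install -y filebeat
}

main() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; return 1; }
  pm=$(detect_pkg_manager)
  case "$pm" in
    apt)     install_apt ;;
    dnf|yum) install_yum "$pm" ;;
  esac
  # The CA certificate is public, so the directory need not be secret,
  # but it must not be writable by anyone except root.
  install -d -m 0755 -o root -g root "$CERT_DIR"
  echo "done: copy the CLS certificate into $CERT_DIR and configure filebeat.yml"
}

# Only touch the system when explicitly asked, so the functions above can be
# sourced or tested without installing anything.
if [ "${CLS_INSTALL:-0}" = "1" ]; then main; fi
```

Run it with `sudo CLS_INSTALL=1 sh install-filebeat.sh`. After the install, compare the fingerprint of the certificate you copy into /etc/filebeat/certs with the one CLS gives you (for example `openssl x509 -in /etc/filebeat/certs/<file> -noout -fingerprint -sha256`) before trusting it.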

Configure Filebeat

  1. Download this custom filebeat.yml file and copy it to /etc/filebeat/, replacing the existing one
  2. It is already configured to send /var/log/messages to our servers. Debian and Ubuntu write the same syslog stream to /var/log/syslog instead, so users of those systems may need to modify the log paths.
  3. Open the custom filebeat.yml file you copied to /etc/filebeat/ with vi or other plain text editor. You will need to sudo to edit. In the 'fields' section under id: os-filestream, edit the following:
    1. tier: "tier" - replace with tier: "prod", tier: "dev", tier: "pprd" or tier: "endpoint" as appropriate
    2. name: "service name" - replace "service name" with a name of your choice that describes what the device does, such as "Mac laptop" or "Apache web server"
    3. service_id: "edu.vt.org.service.name" - replace with an id of your choice that describes your service, such as service_id: "edu.vt.hokies.webserver" or "edu.vt.hokies.workstation"
    4. host: "host-name" - replace "host-name" with a name of your choice that identifies the sending device
    5. index: "vt_logstash" - replace "vt_logstash" with the index name that was created in your consultation with CLS
  4. In the 'filestream 2' section
    1. index: "vt_logstash" - replace "vt_logstash" with the index name that was created in your consultation with CLS
  5. If you have other files in other formats that need to be shipped, you will need separate filestream blocks with the appropriate types specified.  Contact CLS with any questions.
  6. Save and close filebeat.yml
  7. Set ownership. Filebeat refuses to load a configuration file that is owned by another user or is writable by group or others, so the copied file must be owned by root and not group- or world-writable:
    1. sudo chown root filebeat.yml
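
The editing steps above, as an added example (not the page's custom filebeat.yml, which is not reproduced here): a function renders the os-filestream input with the five fields from variables, rejects a tier outside the four allowed values and any value that would break YAML quoting, and an install function writes the file with the ownership and permissions Filebeat checks, then runs the config test. The Logstash host list and the certificate file name cls-ca.crt are placeholders; take the real values from the custom filebeat.yml and the certificate CLS gives you.

```shell
#!/bin/sh
# Added example: render the 'fields' section of filebeat.yml from variables,
# validate the values, and install the file the way Filebeat requires.
set -eu

CONF="/etc/filebeat/filebeat.yml"               # from the page
CA_CERT="/etc/filebeat/certs/cls-ca.crt"        # assumption: name of the downloaded CLS certificate
LOGSTASH_HOSTS='["logstash.example.edu:5044"]'  # assumption: real hosts are in the custom filebeat.yml

# tier must be one of the four values the page allows.
valid_tier() {
  case "$1" in prod|dev|pprd|endpoint) return 0 ;; *) return 1 ;; esac
}

# render_filebeat_yml TIER NAME SERVICE_ID HOST INDEX  -> YAML on stdout
render_filebeat_yml() {
  tier=$1; name=$2; service_id=$3; host=$4; index=$5
  valid_tier "$tier" || { echo "tier must be prod, dev, pprd or endpoint, got '$tier'" >&2; return 1; }
  nl=$(printf '\nx'); nl=${nl%x}   # a literal newline, for the pattern below
  # Reject empty values and characters that would escape the YAML double quotes
  # or let a value smuggle extra keys into the document.
  for v in "$name" "$service_id" "$host" "$index"; do
    case "$v" in
      ''|*'"'*|*'\'*|*"$nl"*) echo "bad field value: '$v'" >&2; return 1 ;;
    esac
  done
  cat <<EOF
filebeat.inputs:
  - type: filestream
    id: os-filestream
    enabled: true
    paths:
      - /var/log/messages   # RHEL family
      - /var/log/syslog     # Debian/Ubuntu write the same stream here
    fields:
      tier: "$tier"
      name: "$name"
      service_id: "$service_id"
      host: "$host"
      index: "$index"

output.logstash:
  hosts: $LOGSTASH_HOSTS
  # Verify the CLS server against the CA in /etc/filebeat/certs. "full" (the
  # default) also checks the server hostname; never set this to "none".
  ssl.certificate_authorities: ["$CA_CERT"]
  ssl.verification_mode: full
EOF
}

# install_config TIER NAME SERVICE_ID HOST INDEX
install_config() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; return 1; }
  [ -r "$CA_CERT" ] || { echo "missing $CA_CERT: copy the CLS certificate there first" >&2; return 1; }
  render_filebeat_yml "$@" > "$CONF.new"
  # Filebeat refuses a config file that is not owned by the user running it or
  # that is writable by group/others, so fix both before the file goes live.
  chown root:root "$CONF.new"
  chmod 0600 "$CONF.new"
  mv "$CONF.new" "$CONF"
  filebeat -c "$CONF" test config
}

# Only write to /etc/filebeat when explicitly asked (CLS_APPLY=1), so the
# rendering function can be checked without root.
if [ "${CLS_APPLY:-0}" = "1" ]; then
  install_config "${CLS_TIER:?}" "${CLS_NAME:?}" "${CLS_SERVICE_ID:?}" "${CLS_HOST:?}" "${CLS_INDEX:?}"
fi
```

Example use: `sudo CLS_APPLY=1 CLS_TIER=prod CLS_NAME="Apache web server" CLS_SERVICE_ID=edu.vt.hokies.webserver CLS_HOST=web01 CLS_INDEX=vt_logstash sh configure-filebeat.sh`. Writing to a temporary file and renaming it means Filebeat never sees a half-written configuration if the script is interrupted.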

Test Filebeat

  1. Open Terminal 
  2. Check the configuration file is syntactically correct with this command:
    • sudo filebeat -c filebeat.yml test config
  3. Terminal should return "Config OK." Otherwise, correct errors and test again
  4. Test output with this command:
    • sudo filebeat test output
  5. Terminal should return a series of "OK" responses. This test opens a real connection to our servers and performs the TLS handshake using the certificate in /etc/filebeat/certs/, so a failure here usually means the certificate was not copied, its path in filebeat.yml is wrong, or the server is unreachable from this host. Correct errors and test again

Start Filebeat

  1. Open a terminal and enable Filebeat to run at startup with this command:
    • sudo systemctl enable filebeat
  2. Start Filebeat:
    • sudo systemctl start filebeat

Next steps

Contact

  • If you have questions or would like to schedule an introduction to Splunk via Zoom, please open a ticket mentioning CLS and we'd be glad to help
  • You can also reach us on #central_monitoring and #central_log on VT Slack