Central Log Service (CLS) for OS X


Introduction

  • These instructions are specific to our environment
  • Messages, system, install and Filebeat logs will be sent
  • If you have other services to log, contact CLS for details and a custom template
  • Prerequisites: Terminal, vi or plain text editor, administrative account with root access

Instructions

Installing Beats

  1. Open Terminal and switch to root
    sudo su -
  2. Download filebeat with these commands:

    curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.7.0-darwin-x86_64.tar.gz
    tar xzvf filebeat-8.7.0-darwin-x86_64.tar.gz

    Note:
    ARM (M1, M2) Macs need a different installer:
    curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.7.0-darwin-aarch64.tar.gz
    tar xzvf filebeat-8.7.0-darwin-aarch64.tar.gz
  3. Rename the new directory and move it to /Applications/Utilities with this command:
    sudo mv filebeat-8.7.0-darwin-x86_64 /Applications/Utilities/filebeat/
    ARM installations: sudo mv filebeat-8.7.0-darwin-aarch64 /Applications/Utilities/filebeat/
  4. Delete the compressed filebeat:
    sudo rm filebeat-8.7.0-darwin-x86_64.tar.gz
    ARM installations: sudo rm filebeat-8.7.0-darwin-aarch64.tar.gz
  5. Using a web browser, download this certificate and copy to the /Applications/Utilities/filebeat folder:
    1. incommon_tls_chain.pem (from www.pki.vt.edu)
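The installation steps above, combined into one script as an added example (it is not from the CLS page or from Elastic): it picks the tarball for the Mac's CPU from the output of uname -m, verifies the download against the .sha512 file that Elastic publishes next to each artifact, and moves the unpacked directory (not the tarball) into place. The version and install path are the page's; the helper function names and the --install switch are assumptions of this example. The certificate from step 5 is still copied by hand.

```shell
#!/bin/sh
# Added example (not from the CLS page): the "Installing Beats" steps as one script
# that picks the right tarball for the Mac's CPU and verifies the download.
# The version and install path are the page's; the helper names are ours.
set -e

FILEBEAT_VERSION="8.7.0"
INSTALL_DIR="/Applications/Utilities/filebeat"
BASE_URL="https://artifacts.elastic.co/downloads/beats/filebeat"

# Map the output of `uname -m` to the suffix Elastic uses in its macOS tarball
# names: Intel Macs report x86_64, Apple silicon (M1, M2) reports arm64.
filebeat_arch_suffix() {
  case "$1" in
    x86_64)        echo "x86_64" ;;
    arm64|aarch64) echo "aarch64" ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# Tarball file name for a version and architecture suffix.
filebeat_tarball() {
  echo "filebeat-$1-darwin-$2.tar.gz"
}

# The tarball unpacks into a directory named like the file minus ".tar.gz";
# that directory, not the tarball, is what gets moved into INSTALL_DIR.
filebeat_unpacked_dir() {
  printf '%s\n' "$1" | sed 's/\.tar\.gz$//'
}

install_filebeat() {
  suffix="$(filebeat_arch_suffix "$(uname -m)")"
  tarball="$(filebeat_tarball "$FILEBEAT_VERSION" "$suffix")"
  unpacked="$(filebeat_unpacked_dir "$tarball")"

  # Elastic publishes a .sha512 sidecar for each artifact; checking it catches a
  # corrupted or tampered download before anything is unpacked or run as root.
  curl -L -O "$BASE_URL/$tarball"
  curl -L -O "$BASE_URL/$tarball.sha512"
  shasum -a 512 -c "$tarball.sha512"

  tar xzvf "$tarball"
  mv "$unpacked" "$INSTALL_DIR"
  rm "$tarball" "$tarball.sha512"
  echo "installed $unpacked to $INSTALL_DIR"
}

# Only run the install when explicitly asked (as root: sh install_filebeat.sh --install),
# so the functions above can be sourced and checked without touching the network.
if [ "${1:-}" = "--install" ]; then
  install_filebeat
fi
```

Run it as root with the --install switch after sudo su -; without the switch it only defines the functions.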

Configuring Beats

  1. Download and copy this config file (filebeat.yml) into /Applications/Utilities/filebeat, replacing the existing file
  2. Open the filebeat.yml file you downloaded from /Applications/Utilities/filebeat/ with a plain text editor or vi
  3. There are two changes to make in filebeat.yml (the same edit in two places):
    1. The line index: "vt_logstash" appears twice and must be edited in both locations
    2. Replace "vt_logstash" with the index name that was created in your consultation with CLS
    3. Do not change the indentation in the yml file
  4. Save and close filebeat.yml
  5. Set root as the owner for this file:
    1. sudo chown root /Applications/Utilities/filebeat/filebeat.yml
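The edit in step 3 and the ownership change in step 5, as an added example script (not the CLS page's own tooling): it checks that the placeholder line is present exactly twice, replaces only the quoted index name so the YAML indentation is untouched, verifies the result, then sets the owner and strips group/other write permission, which Filebeat also requires before it will accept a config file. The config path and the vt_logstash placeholder are the page's; the helper names, the allow-list for index names, the sample config and the index name in the usage line are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the CLS page): applies the filebeat.yml edit from the
# "Configuring Beats" steps and checks it, then locks the file down as step 5 asks.
# The file path and the vt_logstash placeholder are the page's; the helper names,
# the sample config and the index name used in the usage line are ours.
set -e

CONFIG="/Applications/Utilities/filebeat/filebeat.yml"

# Conservative allow-list for an index name: lowercase letters, digits, '.', '_', '-',
# not starting with punctuation. Stricter than Elasticsearch's own rules, so anything
# it accepts is safe to use.
validate_index_name() {
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9][a-z0-9._-]*$'
}

# Number of lines in $1 that set index: "$2" (leading indentation ignored).
count_index_lines() {
  grep -c "^[[:space:]]*index: \"$2\"" "$1" || true
}

# Replace the quoted index name $2 with $3 in $1. Only the quoted token changes,
# so indentation and the rest of the YAML stay exactly as they were.
set_index_name() {
  file="$1"; old="$2"; new="$3"
  validate_index_name "$new" || { echo "invalid index name: $new" >&2; return 1; }
  before="$(count_index_lines "$file" "$old")"
  if [ "$before" -ne 2 ]; then
    echo "expected index: \"$old\" on exactly two lines, found $before" >&2
    return 1
  fi
  sed "s/index: \"$old\"/index: \"$new\"/" "$file" > "$file.tmp"
  mv "$file.tmp" "$file"
  # Verify: the placeholder is gone and the new name appears in both places.
  [ "$(count_index_lines "$file" "$old")" -eq 0 ] &&
    [ "$(count_index_lines "$file" "$new")" -eq 2 ]
}

# Step 5 plus the permission Filebeat also checks: it refuses a config that is
# writable by group or others, so a world-writable file fails `test config`.
lock_down_config() {
  chown root "$1"
  chmod go-w "$1"
}

# A constructed stand-in for the CLS template with the index line in two places;
# its layout is not the real template's, only the two index lines matter here.
write_sample_config() {
  cat > "$1" <<'EOF'
filebeat.inputs:
- type: log
  paths:
    - /var/log/system.log
  fields:
    index: "vt_logstash"
output.logstash:
  hosts: ["logstash.example.invalid:5044"]
  index: "vt_logstash"
EOF
}

# Usage (as root): sh configure_filebeat.sh my_index_name
if [ -n "${1:-}" ]; then
  set_index_name "$CONFIG" vt_logstash "$1"
  lock_down_config "$CONFIG"
  "$(dirname "$CONFIG")/filebeat" -c "$CONFIG" test config
fi
```

With an index name on the command line the script edits the real filebeat.yml and finishes with the same test config call the next section describes; without arguments it only defines the functions.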

Testing Beats

  1. In Terminal, change to the /Applications/Utilities/filebeat directory
  2. Check the configuration file is syntactically correct with this command:
    sudo /Applications/Utilities/filebeat/filebeat -c /Applications/Utilities/filebeat/filebeat.yml test config
  3. Terminal should return "Config OK". If it does not, correct the errors and test again

Starting Beats

  1. In Terminal, change to the /Applications/Utilities/filebeat directory
  2. Start the daemon:
    sudo ./filebeat -e -c filebeat.yml
  3. Optional: you may use a plist file to enable starting filebeat at boot. Download this filebeat.plist file. Save it into the /Applications/Utilities/filebeat/ directory. As root, run this command in Terminal:
    launchctl load -w filebeat.plist

Next steps

Contact

  • If you have questions or would like to schedule an introduction to Splunk via Zoom, please open a ticket mentioning CLS and we'd be glad to help
  • You can also reach us on #central_monitoring and #central_log on VT Slack