Introduction
- These instructions are specific to our environment
- Messages, system, install and Filebeat logs will be sent
- If you have other services to log, contact CLS for details and a custom template
- Prerequisites: Terminal, vi or plain text editor, administrative account with root access
Instructions
Installing Beats
- Open Terminal and switch to root:
sudo su -
- Download and extract filebeat with these commands:
sudo curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.6.2-darwin-x86_64.tar.gz
tar xzvf filebeat-8.6.2-darwin-x86_64.tar.gz
- Rename the new directory and move it to /Applications/Utilities with this command:
sudo mv filebeat-8.6.2-darwin-x86_64 /Applications/Utilities/filebeat/
- Delete the compressed filebeat:
sudo rm filebeat-8.6.2-darwin-x86_64.tar.gz
- Using a web browser, download this certificate and copy it to the /Applications/Utilities/filebeat folder:
Configuring Beats
- Download and copy this config file (filebeat.yml) into /Applications/Utilities/filebeat, replacing the existing file
- Open the filebeat.yml file now in /Applications/Utilities/filebeat/ with a plain text editor or vi
- There are two changes you need to make to filebeat.yml
- This line appears twice and must be edited in both locations: index: "vt_logstash"
- Replace "vt_logstash" with the index name that was created in your consultation with CLS
- Do not change the indenting in the yml file
- Save and close filebeat.yml
- Set root as the owner of this file:
sudo chown root /Applications/Utilities/filebeat/filebeat.yml
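The two index edits above are easy to get wrong by hand (a missed occurrence, or indentation changed while editing). The shell helper below is an added example, not part of the CLS instructions or the CLS template: it rewrites every `index: "vt_logstash"` line in a filebeat.yml, keeps the indentation exactly as it was, and reports how many lines changed so you can confirm it was both of them. The sample filebeat.yml it writes is constructed for illustration only, and the index names are assumed to be plain identifiers with no regex characters.

```shell
#!/bin/sh
# Writes a constructed sample filebeat.yml (NOT the CLS template) with the
# index line in two places, at different indentation levels, as in the real file.
make_sample_config() {
  cat > "$1" <<'EOF'
filebeat.inputs:
  - type: filestream
    paths:
      - /var/log/system.log
output.logstash:
  hosts: ["logstash.example.edu:5044"]
  index: "vt_logstash"
processors:
  - add_fields:
      fields:
        index: "vt_logstash"
EOF
}

# set_index_name FILE OLD NEW
# Replaces OLD with NEW on every line of the form `index: "OLD"`, preserving
# leading whitespace. Prints the number of lines changed (expect 2 for the
# CLS template); returns 1 if the count of matching lines changed unexpectedly.
# Writes to a temp file and moves it back, so it works with both BSD and GNU sed.
set_index_name() {
  file=$1; old=$2; new=$3
  before=$(grep -c "index: \"$old\"" "$file" || true)
  sed "s/^\([[:space:]]*index: \)\"$old\"/\1\"$new\"/" "$file" > "$file.tmp"
  mv "$file.tmp" "$file"
  after=$(grep -c "index: \"$new\"" "$file" || true)
  [ "$before" -eq "$after" ] || return 1
  echo "$after"
}

# Usage on the real file, after downloading the CLS template (run as root):
#   set_index_name /Applications/Utilities/filebeat/filebeat.yml vt_logstash "<your index>"
# then run `filebeat test config` as in the Testing Beats section below.
```

If the printed count is not 2, open the file and check the index lines by hand before starting filebeat.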
Testing Beats
- In the Terminal, go to the /Applications/Utilities/filebeat directory
- Check that the configuration file is syntactically correct with this command:
sudo /Applications/Utilities/filebeat/filebeat -c /Applications/Utilities/filebeat/filebeat.yml test config
- Terminal should return "Config OK." Otherwise, correct the errors and test again
Starting Beats
- In the Terminal, go to the /Applications/Utilities/filebeat directory
- Start the daemon:
sudo ./filebeat -e -c filebeat.yml
Next steps
- You should be sending logs now.
- See Splunk Search Best Practices for information on how to see and search your logs.
Contact
- If you have questions or would like to schedule an introduction to Splunk via Zoom, please open a ticket mentioning CLS and we'd be glad to help
- You can also reach us on #central_monitoring and #central_log on VT Slack