Central Log Service (CLS) for OS X


Introduction

  • These instructions are specific to our environment
  • Messages, system, install and Filebeat logs will be sent
  • If you have other services to log, contact CLS for details and a custom template
  • Prerequisites: Terminal, vi or plain text editor, administrative account with root access

Instructions

Installing Beats

  1. Open Terminal and switch to root
    sudo su -
  2. Download filebeat with this command:
    sudo curl -L -O curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.4.1-darwin-x86_64.tar.gz tar xzvf filebeat-8.4.1-darwin-x86_64.tar.gz
  3. Rename the new directory and move it to /Applications/Utilities with this command:
    sudo mv filebeat-8.4.1-darwin-x86_64 /Applications/Utilities/filebeat/
  4. Delete the compressed filebeat:
    sudo rm filebeat-8.4.1-darwin-x86_64.tar.gz
  5. Using a web browser, download this certificate and copy to the /Applications/Utilities/filebeat folder:
    1. incommon_tls_chain.pem (from www.pki.vt.edu)

Configuring Beats

  1. Download and copy this config file (filebeat.yml) into Applications/Utilities/filebeat, replacing the existing file
  2. Open the filebeat.yml file you downloaded from /Applications/Utilities/filebeat/ with a plain text editor or vi
  3. In the Filebeat Inputs filestream section, edit the following:
    1. id: my-filestream-id - replace my-filestream-id with a name of your choice such as "endpoint filestream" or "web server filestream"
  4. in the Filebeat inputs fields section, edit the values for the following fields:
    1. tier: "tier" - replace with tier: "prod", tier: "dev", tier: "pprd" or tier: "endpoint" as appropriate
    2. name: "service name" - replace "service name" with a name of your choice that describes what the device does, such as "Mac laptop" or "Apache web server"
    3. service_id: "edu.vt.org.service.name" - replace with an id of your choice that describes your service, such as service_id: "edu.vt.hokies.webserver" or "edu.vt.hokies.workstation"
    4. host: "host-name" - replace "host-name" with a short version of the device's name or its Fully Qualified Domain Name, such as host: "HOKIES-JDOE-MBP" or host: "webserver1.hokies.vt.edu"
    5. index: "vt_logstash" - replace "vt_logstash" with the index name that was created in your consultation with CLS
  5. Save and close filebeat.yml
  6. Set root as the owner for these files:
    1. sudo chown root /Applications/Utilities/filebeat/filebeat.yml
    2. sudo chown root /Applications/Utilities/filebeat/module/system/syslog/manifest.yml
    3. sudo chown root /Applications/Utilities/filebeat/modules.d/system.yml
    4. sudo chown root /Applications/Utilities/filebeat/module/system/auth/manifest.yml

Testing Beats

  1. In the Terminal in the /Applications/Utilities/filebeat directory
  2. Check the configuration file is syntactically correct with this command:
    sudo /Applications/Utilities/filebeat/filebeat -c /Applications/Utilities/filebeat/filebeat.yml test config
  3. Terminal should return "Config OK." Otherwise, correct errors and test again

Starting Beats

  1. In the Terminal in the /Applications/Utilities/filebeat directory
  2. Enable the system module to run:
    sudo ./filebeat modules enable system
  3. Start the daemon:
    sudo ./filebeat -e -c filebeat.yml

Next steps

Contact

  • If you have questions or would like to schedule an introduction to Splunk via Zoom, please open a ticket mentioning CLS and we'd be glad to help
  • You can also reach us on #central_monitoring and #central_log on VT Slack