Central Log Service (CLS) for OS X


  • These instructions are specific to our environment
  • Messages, system, install and Filebeat logs will be sent
  • If you have other services to log, contact CLS for details and a custom template
  • Prerequisites: Terminal, vi or plain text editor, administrative account with root access


Installing Beats

  1. Open Terminal and switch to root
    sudo su -
  2. Download and extract Filebeat with these commands:
    sudo curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.4.1-darwin-x86_64.tar.gz
    tar xzvf filebeat-8.4.1-darwin-x86_64.tar.gz
  3. Rename the new directory and move it to /Applications/Utilities with this command:
    sudo mv filebeat-8.4.1-darwin-x86_64 /Applications/Utilities/filebeat/
  4. Delete the compressed filebeat:
    sudo rm filebeat-8.4.1-darwin-x86_64.tar.gz
  5. Using a web browser, download this certificate and copy it to the /Applications/Utilities/filebeat folder:
    1. incommon_tls_chain.pem (from www.pki.vt.edu)

Configuring Beats

  1. Download and copy this config file (filebeat.yml) into /Applications/Utilities/filebeat, replacing the existing file
  2. Open the downloaded filebeat.yml in /Applications/Utilities/filebeat/ with a plain text editor or vi
  3. In the Filebeat Inputs filestream section, edit the following:
    1. id: my-filestream-id - replace my-filestream-id with a name of your choice such as "endpoint filestream" or "web server filestream"
  4. In the Filebeat inputs fields section, edit the values for the following fields:
    1. tier: "tier" - replace with tier: "prod", tier: "dev", tier: "pprd" or tier: "endpoint" as appropriate
    2. name: "service name" - replace "service name" with a name of your choice that describes what the device does, such as "Mac laptop" or "Apache web server"
    3. service_id: "edu.vt.org.service.name" - replace with an id of your choice that describes your service, such as service_id: "edu.vt.hokies.webserver" or "edu.vt.hokies.workstation"
    4. host: "host-name" - replace "host-name" with a short version of the device's name or its Fully Qualified Domain Name, such as host: "HOKIES-JDOE-MBP" or host: "webserver1.hokies.vt.edu"
    5. index: "vt_logstash" - replace "vt_logstash" with the index name that was created in your consultation with CLS
  5. Save and close filebeat.yml
  6. Set root as the owner for these files:
    1. sudo chown root /Applications/Utilities/filebeat/filebeat.yml
    2. sudo chown root /Applications/Utilities/filebeat/module/system/syslog/manifest.yml
    3. sudo chown root /Applications/Utilities/filebeat/modules.d/system.yml
    4. sudo chown root /Applications/Utilities/filebeat/module/system/auth/manifest.yml
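
Filebeat's strict permission check rejects a config file that is not owned by the user running it or that is writable by group or others, so step 6 is worth verifying before testing. The script below is an added example, not part of the CLS instructions; check_beat_file and audit_beat_files are hypothetical helper names, and the file list is the one from step 6.

```shell
#!/bin/sh
# Added example: audit ownership and write bits on the files from step 6.
# BEAT_HOME and the file list come from this page; the function names are
# hypothetical helpers introduced for illustration.

BEAT_HOME="${BEAT_HOME:-/Applications/Utilities/filebeat}"
BEAT_FILES="filebeat.yml
module/system/syslog/manifest.yml
modules.d/system.yml
module/system/auth/manifest.yml"

# check_beat_file FILE OWNER
# Returns 0 when FILE is a regular file owned by OWNER and not writable by
# group or others; prints the reason and returns 1 otherwise.
check_beat_file() {
    f=$1 owner=$2
    if [ ! -f "$f" ]; then
        echo "MISSING   $f"; return 1
    fi
    # find -user and -perm behave the same in BSD (macOS) and GNU find.
    if [ -z "$(find "$f" -user "$owner" 2>/dev/null)" ]; then
        echo "BAD OWNER $f (expected $owner)"; return 1
    fi
    if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE  $f (fix: chmod go-w)"; return 1
    fi
    echo "OK        $f"
}

# audit_beat_files DIR OWNER
# Checks every file in BEAT_FILES under DIR; returns the number of failures.
audit_beat_files() {
    dir=$1 owner=$2 failures=0
    while IFS= read -r rel; do
        check_beat_file "$dir/$rel" "$owner" || failures=$((failures + 1))
    done <<EOF
$BEAT_FILES
EOF
    return "$failures"
}

# Typical use on the Mac, after step 6:
#   audit_beat_files "$BEAT_HOME" root
```

Paste the functions into the root shell and run audit_beat_files "$BEAT_HOME" root; any line other than OK names the file to fix before running the config test.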

Testing Beats

  1. In Terminal, change to the /Applications/Utilities/filebeat directory
  2. Check that the configuration file is syntactically correct with this command:
    sudo /Applications/Utilities/filebeat/filebeat -c /Applications/Utilities/filebeat/filebeat.yml test config
  3. Terminal should return "Config OK." Otherwise, correct errors and test again

Starting Beats

  1. In Terminal, change to the /Applications/Utilities/filebeat directory
  2. Enable the system module to run:
    sudo ./filebeat modules enable system
  3. Start the daemon:
    sudo ./filebeat -e -c filebeat.yml

Next steps


  • If you have questions or would like to schedule an introduction to Splunk via Zoom, please open a ticket mentioning CLS and we'd be glad to help
  • You can also reach us on #central_monitoring and #central_log on VT Slack