Elasticsearch Filebeat
Video Lecture
Description
I demonstrate how to set up a Filebeat service to read systemd logs.
Filebeat download instructions can be found at https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html#installation
I downloaded the debian package manager version.
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.10.0-amd64.deb
sudo dpkg -i filebeat-7.10.0-amd64.deb
cd /etc/filebeat
ls -lh
sudo nano /etc/filebeat/filebeat.yml
Enable a module for Filebeat to run.
Get a list.
filebeat modules list
I enable the system module.
filebeat modules enable system
sudo service filebeat start
sudo service filebeat status
You can also disable a module.
filebeat modules disable system
If you enable or disable a module, restart Filebeat afterwards.
sudo service filebeat restart
sudo service filebeat status
Since my Filebeat service runs on a different server on the internet, and my Elasticsearch server is IP restricted, I need to add a new rule on my Elasticsearch server to allow the Filebeat host to post data to it.
So on my Elasticsearch server, I list the iptables rules with their line numbers.
iptables -L --line-numbers
I insert the new rule for my Filebeat host's IP (x.x.x.x below) before the DROP rule, restricting it to TCP port 9200 so only that source can reach Elasticsearch.
iptables -I INPUT 2 -p tcp -s x.x.x.x --dport 9200 -j ACCEPT
Persist changes.
iptables-save > /etc/iptables/rules.v4
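The insert position in the rule above (2) was read by eye from the listing. As an added example that is not part of the lecture, the POSIX shell functions below take the text of an iptables INPUT chain listing, find the line number of the first DROP rule, and build the matching insert command so the ACCEPT rule always lands in front of the DROP. The listing, the source address 198.51.100.7 and the function names are constructed for illustration; the script only prints the command and never calls iptables itself.

```shell
#!/bin/sh
# Added example (not from the lecture): compute where an ACCEPT rule must be
# inserted so that it precedes the first DROP in the INPUT chain.
# SAMPLE_RULES is a constructed stand-in for `iptables -L INPUT --line-numbers`.

SAMPLE_RULES='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  203.0.113.10         anywhere             tcp dpt:9200
3    DROP       all  --  anywhere             anywhere'

# Print the rule number of the first DROP rule in the listing given as $1.
# Prints nothing and returns non-zero when the chain has no DROP rule.
first_drop_line() {
    printf '%s\n' "$1" | awk '$2 == "DROP" { print $1; exit }' | grep .
}

# Build (but do not run) the iptables command that inserts an ACCEPT rule for
# source IP $2 on TCP port $3 directly before the first DROP in listing $1.
# Fails when no DROP rule exists, because then the insert position is undefined.
build_insert_cmd() {
    pos=$(first_drop_line "$1") || return 1
    printf 'iptables -I INPUT %s -p tcp -s %s --dport %s -j ACCEPT\n' "$pos" "$2" "$3"
}

# Usage: show the command that would be run for a hypothetical Filebeat host.
build_insert_cmd "$SAMPLE_RULES" 198.51.100.7 9200
```

Review the printed command before running it on the Elasticsearch host, then persist the rule with iptables-save as in the lecture; if the chain ends without a DROP rule the function refuses to guess a position, which is the case where a hand-picked line number would silently place the rule after nothing at all.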
Now we can set up a new data source in Grafana, or modify the existing one, and test it using the Explore tab.