Elasticsearch Filebeat

Video Lecture

Elasticsearch Filebeat Elasticsearch Filebeat Elasticsearch Filebeat


I demonstrate how to setup a Filebeat service to read systemd logs.

Filebeat download instructions can be found at https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html#installation

I downloaded the debian package manager version.

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.10.0-amd64.deb
sudo dpkg -i filebeat-7.10.0-amd64.deb
cd /etc/filebeat
ls -lh
sudo nano /etc/filebeat/filebeat.yml

Enable a module for Filebeat to run.

Get a list.

filebeat modules list

I enable the system module

filebeat modules enable system
sudo service filebeat start
sudo service filebeat status

You can also disable a module

filebeat modules disable system

If you enable/disable a module, then restart Filebeat.

sudo service filebeat restart
sudo service filebeat status

Since my filebeat service is running on a different server on the internet, and my Elasticsearch server is IP restricted, I will need to add a new rule on my Elasticsearch server to allow my filebeat service to post data to it.

So on my Elasticsearch server, I get the iptables rules line numbers.

iptables -L --line-numbers

I insert the new rule for my IP before the DROP rule.

iptables -I INPUT 2 -p tcp -s x.x.x.x --dport 9200 -j ACCEPT

Persist changes.

iptables-save > /etc/iptables/rules.v4

Now we can set up a new data source in Grafana, or modify the existing and test it using the explore tab.

IPTables Cheatsheet