Using Filebeat with Graylog

We can use Filebeat as the log collector for our newly created Graylog server. Filebeat is installed on every system we want logs pushed from, and it ships those logs to a Beats input on the Graylog server.

Configuring Inputs in GrayLog

Set up a new ‘Beats’ input in Graylog (System > Inputs). Enter a ‘Title’ and ensure the port to listen on is ‘5044’. The input binds to all interfaces by default, so restrict access to port 5044 at the firewall to the hosts that will run Filebeat. The input also has TLS settings (certificate, private key and optional client authentication); without them, every log line crosses the network in plaintext.

Installing Filebeat

APT

To add the Beats repository for APT:

Download and install the public signing key (fetch it over HTTPS only; this is the key APT will use to verify every package from the repository):

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Note that apt-key is deprecated on current Debian and Ubuntu releases; on those systems the key is placed in a keyring file and referenced from the repository definition instead.

You may need to install the apt-transport-https package on Debian before proceeding:

sudo apt-get install apt-transport-https

Save the repository definition to /etc/apt/sources.list.d/elastic-6.x.list:

echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list

Run apt-get update, and the repository is ready for use. For example, you can install Filebeat by running:

sudo apt-get update && sudo apt-get install filebeat

To configure Filebeat to start automatically during boot on a SysV init system, run:

sudo update-rc.d filebeat defaults 95 10

On a systemd-based system (current Debian, Ubuntu, CentOS 7 and later), use systemctl enable filebeat instead, as shown in the "Start and enable Filebeat" step below.

YUM

To add the Beats repository for YUM:

Download and install the public signing key:

sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

Create a file with a .repo extension (for example, elastic.repo) in your /etc/yum.repos.d/ directory and add the following lines:

[elastic-6.x]
name=Elastic repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Your repository is ready to use. For example, you can install Filebeat by running:

sudo yum install filebeat

To configure the Beat to start automatically during boot on a SysV init system, run:

sudo chkconfig --add filebeat

On a systemd-based system, use systemctl enable filebeat instead.

Configuring Filebeat

Edit the filebeat.yml config file (it is owned by root, so open it with sudo):

sudo nano /etc/filebeat/filebeat.yml

Under filebeat.inputs enter the paths of the logs that will be pushed to Graylog. Note that YAML list items must start with a plain hyphen-minus (-):

#================= Filebeat inputs =================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.

# Below are the input specific configurations.

- type: log

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log

Next edit the hosts entry under the Logstash output. Graylog's Beats input speaks the same protocol that Filebeat's Logstash output uses, so Filebeat is pointed at the Graylog server's address and the Beats input port (the address below is the one used on this page; replace it with your own Graylog host). SSL is off by default, which means the log data is sent unencrypted and Filebeat does not verify who it is talking to; uncomment the ssl.* settings and enable TLS on the Graylog input if the logs leave a trusted network:

#----------------------------- Logstash output --------------------------------

output.logstash:

  # The Logstash hosts
  hosts: ["137.116.47.167:5044"]

  # Optional SSL. By default is off.

  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

Start and enable Filebeat

sudo systemctl enable filebeat
sudo systemctl restart filebeat

Going back to System > Inputs in Graylog, the Beats input should start showing Network IO, and messages from the configured paths should begin appearing in the Graylog search view. If nothing arrives, check that port 5044 is reachable from the Filebeat host and that Filebeat's own log (journalctl -u filebeat) does not report connection errors.
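The following is an added example of a complete filebeat.yml that ships to a Graylog Beats input with TLS turned on, placed next to the plaintext output from the page so the difference is visible; it is not configuration from the page, from Elastic or from Graylog. It assumes the Graylog input has TLS enabled with a certificate issued by a private CA, that the hostname graylog.example.com matches that certificate, and that the CA and client certificate files sit under /etc/filebeat/certs/ (all of these names and paths are assumptions for illustration). The log paths are Debian-style and the field values are arbitrary labels.

```yaml
# Added example: hardened /etc/filebeat/filebeat.yml for a Graylog Beats input.
# Hostname, certificate paths and field values are assumptions for illustration.

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/auth.log      # assumed Debian-style paths; adjust per distribution
    - /var/log/syslog
  exclude_files: ['\.gz$']   # skip rotated, compressed copies
  fields:
    environment: production  # assumed labels; searchable as fields in Graylog
    role: webserver
  fields_under_root: true    # place the fields at the top level of each event

# Weak setting from the page: plaintext to port 5044, no server verification.
# output.logstash:
#   hosts: ["137.116.47.167:5044"]

# Hardened: TLS to the Graylog Beats input, verifying the server certificate
# against a private CA and presenting a client certificate for authentication.
output.logstash:
  hosts: ["graylog.example.com:5044"]     # assumed name; must match the server cert
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.pem"]   # assumed path
  ssl.certificate: "/etc/filebeat/certs/client.pem"            # assumed path
  ssl.key: "/etc/filebeat/certs/client-key.pem"                # assumed path
  ssl.verification_mode: full  # the default; stated explicitly so it is never set to "none"

logging.level: info
```

Validate the file before restarting the service with sudo filebeat test config -c /etc/filebeat/filebeat.yml, then run sudo filebeat test output -c /etc/filebeat/filebeat.yml, which performs the TLS handshake against the Graylog host and reports whether the certificate chain and hostname were accepted. Setting ssl.verification_mode to none would make the handshake succeed against any certificate, which gives encryption on the wire but no assurance of where the logs are going.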