Securitynik on 2020-10-05 12:58:39
In this, the sixth post in this series, we are looking at installing and securing Filebeat. In the first post, we installed Elasticsearch. In the second post, we installed Kibana, while in the third post we provided basic security to Elasticsearch and Kibana. In the fourth post, we installed, configured and secured Metricbeat. In the fifth post, we installed, configured and secured Auditbeat.
In this post, we use the apt package manager to install Filebeat, similarly to how we installed Auditbeat. Note you could also have downloaded the .deb file, similarly to what was done with the Metricbeat install.
root@securitynik-monitoring:~# apt-get install filebeat
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 31.4 MB of archives.
After this operation, 112 MB of additional disk space will be used.
Get:1 https://artifacts.elastic.co/packages/7.x/apt stable/main amd64 filebeat amd64 7.9.2 [31.4 MB]
Fetched 31.4 MB in 2s (18.6 MB/s)
Selecting previously unselected package filebeat.
(Reading database ... 176095 files and directories currently installed.)
Preparing to unpack .../filebeat_7.9.2_amd64.deb ...
Unpacking filebeat (7.9.2) ...
Setting up filebeat (7.9.2) ...
Processing triggers for systemd (245.4-4ubuntu3.2) ...
With Filebeat installed, let's configure it. As always, I make a copy of the original file before editing it.
root@securitynik-monitoring:~# cd /etc/filebeat/
root@securitynik-monitoring:/etc/filebeat# cp filebeat.yml filebeat.yml.ORIGINAL
I then modified the entries to reflect below:
root@securitynik-monitoring:~# cat /etc/filebeat/filebeat.yml | grep --perl-regexp "^\s+host|^\s+username|^\s+password|^\s+protocol"
Finally, I copied the last eight lines from the Metricbeat configuration file into the file "filebeat.yml":
root@securitynik-monitoring:~# tail --lines 8 /etc/metricbeat/metricbeat.yml >> /etc/filebeat/filebeat.yml
root@securitynik-monitoring:~# tail --lines 8 /etc/filebeat/filebeat.yml
# SSL Configuration enabled by Nik
Enable the "system" module:
root@securitynik-monitoring:~# filebeat modules enable system
Load the Kibana dashboards
root@securitynik-monitoring:~# filebeat setup
Overwriting ILM policy is disabled. Set `setup.ilm.overwrite:true` for enabling.
Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Setting up ML using setup --machine-learning is going to be removed in 8.0.0. Please use the ML app instead.
See more: https://www.elastic.co/guide/en/elastic-stack-overview/current/xpack-ml.html
Loaded machine learning job configurations
Loaded Ingest pipelines
Cross our fingers and start Filebeat.
root@securitynik-monitoring:~# systemctl enable --now filebeat.service
Synchronizing state of filebeat.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable filebeat
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /lib/systemd/system/filebeat.service.
root@securitynik-monitoring:~# systemctl status filebeat.service
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/lib/systemd/system/filebeat.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2020-08-14 12:23:42 EDT; 23s ago
Main PID: 33756 (filebeat)
Tasks: 14 (limit: 4563)
└─33756 /usr/share/filebeat/bin/filebeat -environment systemd -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.d>
Looking to see if data is being received by Filebeat.
With data now being received by Filebeat, let's enable some modules we may need. First, look at which modules exist:
root@securitynik-monitoring:~# filebeat modules list
Enabling the ones I believe I will need later. Additionally, in this post, we installed Zeek on Ubuntu. By enabling Zeek below, we can now ingest those logs into Elastic via Filebeat.
root@securitynik-monitoring:~# filebeat modules enable auditd elasticsearch iptables kibana netflow zeek
From the blog on Zeek, the Zeek log directory is configured in "/usr/local/zeek/etc/zeekctl.cfg":
root@securitynik-monitoring:~# cat /usr/local/zeek/etc/zeekctl.cfg | grep LogDir
# Expiration interval for archived log files in LogDir. Files older than this
LogDir = /usr/local/zeek/logs
With the above in mind, I then created a "bro" directory under "/var/log/" and made a symbolic link to the currently configured Zeek log directory.
root@securitynik-monitoring:~# sudo mkdir /var/log/bro
root@securitynik-monitoring:~# sudo ln --symbolic /usr/local/zeek/logs/current /var/log/bro/
Next, Zeek is configured to store its logs in JSON format:
root@securitynik-monitoring:~# echo "@load policy/tuning/json-logs.zeek" >> /usr/local/zeek/share/zeek/site/local.zeek
Note that at this point you may have to restart Zeek and/or Filebeat.
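The Zeek wiring above, as an added shell example that is not from the original post: it reads LogDir out of zeekctl.cfg, creates the /var/log/bro/current link under a scratch root instead of on the real system, and checks that a log file is in the JSON form the Filebeat zeek module expects rather than Zeek's default TSV. The zeekctl.cfg excerpt, the scratch paths and the two log files are constructed fixtures.

```shell
#!/bin/sh
# Added example (not part of the original post): wire a Zeek log directory up
# for Filebeat's zeek module and confirm the logs are JSON, which the module
# requires. Everything under $ROOT and all sample data is constructed.

# Print the LogDir value from a zeekctl.cfg, skipping comment lines.
zeek_logdir() {
  sed -n 's/^[[:space:]]*LogDir[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Create ROOT/var/log/bro/current -> LOGDIR/current, mirroring the post's
# "mkdir /var/log/bro; ln --symbolic .../logs/current /var/log/bro/" but
# rooted at ROOT so it can be exercised without touching the real system.
# Succeeds only if the link resolves to an existing directory.
link_zeek_current() {
  root=$1; logdir=$2
  mkdir -p "$root/var/log/bro"
  ln -sf "$logdir/current" "$root/var/log/bro/current"
  [ -d "$root/var/log/bro/current/" ]
}

# Return 0 if the first line of a Zeek log is a JSON object, 1 otherwise.
# Zeek's default TSV logs begin with a "#separator" header instead.
is_json_log() {
  first=$(head -n 1 "$1")
  case $first in
    '{'*) return 0 ;;
    *)    return 1 ;;
  esac
}

# --- constructed fixtures so the script runs stand-alone ---
ROOT=$(mktemp -d)
mkdir -p "$ROOT/zeek/etc" "$ROOT/zeek/logs/current"
cat > "$ROOT/zeek/etc/zeekctl.cfg" <<'EOF'
# Expiration interval for archived log files in LogDir. Files older than this
LogExpireInterval = 0
LogDir = /usr/local/zeek/logs
EOF
# One constructed conn record in the shape json-logs.zeek emits, and one
# constructed TSV header of the kind the module cannot parse.
printf '%s\n' '{"ts":1597422222.123,"uid":"CAbc123","id.orig_h":"192.0.2.10","id.resp_h":"198.51.100.5","proto":"tcp"}' \
  > "$ROOT/zeek/logs/current/conn_json.log"
printf '%s\n' '#separator \x09' '#set_separator ,' > "$ROOT/zeek/logs/current/conn_tsv.log"

# Stand-alone run: show the configured LogDir, link the scratch copy, classify both logs.
echo "configured LogDir: $(zeek_logdir "$ROOT/zeek/etc/zeekctl.cfg")"
link_zeek_current "$ROOT" "$ROOT/zeek/logs" && echo "link created under $ROOT/var/log/bro"
for f in "$ROOT"/var/log/bro/current/*.log; do
  if is_json_log "$f"; then echo "JSON: $f"; else echo "TSV (enable json-logs.zeek): $f"; fi
done
```

On a real host, run `is_json_log /var/log/bro/current/conn.log` after restarting Zeek to confirm the `@load policy/tuning/json-logs.zeek` line took effect; a TSV result means the zeek module will ship lines it cannot parse. If you would rather not symlink, the module's filesets can be pointed at the real directory through `var.paths` in modules.d/zeek.yml instead.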
Below we see that Zeek's data is being received successfully.
Let's now look at other data received by Filebeat.
With that out of the way, let's move on to installing, configuring and securing Packetbeat.