How to install filebeat on Linux

This guide will walk you through installing the filebeat agent on Linux, for use with our SIEM service.

Written by Matthew Elliott
Updated over a week ago

Filebeat is an agent that collects entries from log files on Linux machines and ships them to our SIEM platform for storage and analysis. It is separate from the log collector we asked you to configure in a separate guide; both are needed.

During your SIEM onboarding, our Platform Engineering team will send you a deployment pack containing all of the software you need for us to start collecting your logs. This pack will contain a folder called filebeat, which is what you'll need for this guide.

Install scripts are provided for both CentOS/RHEL and Ubuntu/Debian. The correct script for your operating system should be copied to the target server, made executable, and run as root. For example, on a machine running CentOS:

# Make the script executable
sudo chmod +x filebeat-install-centos.sh
# Run the script
sudo ./filebeat-install-centos.sh


The script adds the correct repository for your operating system, installs filebeat, and sets the configuration files.

Once the script has finished, you'll need to edit one of the configuration files to point it at the correct collector IP address. The file is owned by root, so edit it as root. Run the command below to start editing (feel free to use your editor of choice if nano isn't for you):

nano /etc/filebeat/filebeat.yml

Find the Logstash output section of the file (the output.logstash block) and change the line below, replacing localhost with the IP address of your collector and keeping port 5044:

  hosts: ["localhost:5044"]

Only the log files/paths below are monitored by default:

- /var/log/*.log
- /var/log/audit/audit.log
- /var/log/messages
- /var/log/secure
- /var/log/logstash/logstash-plain.log

Additional logs can be added under the Filebeat Bulletproof Configuration section of filebeat.yml. Each entry goes on its own line and is formatted the same way as the existing entries.

Note: The file is YAML and therefore whitespace-sensitive; indent with spaces, not tabs, or filebeat will refuse to load the configuration.

After making any config changes, always make sure you restart the service using the below command:

systemctl restart filebeat.service
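The two edits above (the hosts line and extra log paths) and the spaces-not-tabs rule, as an added shell example that is not part of the deployment pack or this guide; the sample filebeat.yml contents, the collector IP 10.10.0.5 and the nginx path are placeholders:

```shell
#!/bin/sh
# Added example (not from the deployment pack or this guide): apply the two
# filebeat.yml edits the guide describes with sed/awk, and check the
# spaces-not-tabs rule before restarting the service.
set -eu

# set_logstash_host FILE IP: rewrite the hosts: line to ["IP:5044"],
# keeping the line's indentation (port 5044 is the one from the guide).
set_logstash_host() {
  sed "s|^\([[:space:]]*hosts:\).*|\1 [\"$2:5044\"]|" "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# get_logstash_host FILE: print the value currently inside hosts: ["..."]
get_logstash_host() {
  grep '^[[:space:]]*hosts:' "$1" | sed 's/.*\["\([^"]*\)"\].*/\1/'
}

# add_log_path FILE PATH: insert PATH after the last "- /..." entry, using
# the same indentation as the existing entries (spaces, never tabs).
add_log_path() {
  awk -v p="$2" '
    /^[[:space:]]*- \// { last = NR; match($0, /^[[:space:]]*/)
                         ind = substr($0, 1, RLENGTH) }
    { line[NR] = $0 }
    END { for (i = 1; i <= NR; i++) { print line[i]
            if (i == last) print ind "- " p } }' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# has_tabs FILE: succeed if any line contains a tab (YAML would reject it)
has_tabs() { grep -q "$(printf '\t')" "$1"; }

# Constructed sample config: the hosts line and paths mirror the guide
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
filebeat.inputs:
- type: log
  paths:
    - /var/log/*.log
    - /var/log/secure
output.logstash:
  hosts: ["localhost:5044"]
EOF

set_logstash_host "$SAMPLE" 10.10.0.5            # placeholder collector IP
add_log_path "$SAMPLE" /var/log/nginx/access.log  # placeholder extra log
get_logstash_host "$SAMPLE"                        # prints 10.10.0.5:5044
if has_tabs "$SAMPLE"; then echo "tabs found: fix before systemctl restart"; fi
```

On a real host, point the functions at /etc/filebeat/filebeat.yml and run them as root, then restart the service as shown above.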

And that's it! Filebeat should start forwarding logs to your collector, and you can ask your Customer Success Executive to confirm that we're receiving them.
