Skip to main content
All CollectionsSIEMAgentsLinux
How to install filebeat on Linux
How to install filebeat on Linux

This guide will walk you through installing the filebeat agent on Linux, for use with our SIEM service.

Matthew Elliott avatar
Written by Matthew Elliott
Updated over a year ago

Filebeat is an agent that collects data from various log files on Linux machines and sends them to our SIEM platform for storage and analysis. This software is different from the log collector we asked you to configure in this guide.

During your SIEM onboarding, our Platform Engineering team will send you a deployment pack containing all of the software you need for us to start collecting your logs. This pack will contain a folder called filebeat, which is what you'll need for this guide.

Install scripts are provided for both CentOS/RHEL and Ubuntu/Debian. The correct script for your operating system should be copied to the target server, made executable, and run as root. For example, on a machine running CentOS:

# Make the script executable
sudo chmod +x filebeat-install-centos.sh
# Run the script
sudo ./filebeat-install-centos.sh


The script adds the correct repository for your operating system, installs filebeat, and sets the configuration files.

Once the script has finished, you'll need to edit one of the configuration files, to point it to the correct collector IP address. Run the below command to start editing (feel free to use your editor of choice if nano isn't for you)

nano /etc/filebeat/filebeat.yml

Find the Logstash output section of the file and change the below line, replacing localhost with the IP address of your collector:

  hosts: ["localhost:5044"]

Only the below log files/paths are monitored by default:

- /var/log/*.log

- /var/log/audit/audit.log

- /var/log/messages

- /var/log/secure

- /var/log/logstash/logstash-plain.log

Additional logs can be added under the Filebeat Bulletproof Configuration section of filebeat.yml. Each entry should be on a new line and be formatted the same as the existing logs.

Note: The file is white space sensitive and uses spaces, not tabs.

After making any config changes, always make sure you restart the service using the below command:

systemctl restart filebeat.service

And that's it! Filebeat should start forwarding logs to your collector and you can ask your Customer Success Executive to verify if we're receiving your logs.

Did this answer your question?