{"id":8586,"date":"2021-04-17T00:10:24","date_gmt":"2021-04-16T21:10:24","guid":{"rendered":"https:\/\/kifarunix.com\/?p=8586"},"modified":"2024-03-18T23:00:50","modified_gmt":"2024-03-18T20:00:50","slug":"install-filebeat-on-freebsd","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-filebeat-on-freebsd\/","title":{"rendered":"Install Filebeat on FreeBSD"},"content":{"rendered":"\n

Follow through this guide to learn how to install Filebeat on FreeBSD.<\/p>\n\n\n\n

Installing Filebeat on FreeBSD<\/h2>\n\n\n\n

Filebeat is not available on the default FreeBSD repositories but can be installed from FreeBSD ports.<\/p>\n\n\n\n

We use FreeBSD 13.0 in this setup;<\/p>\n\n\n\n

freebsd-version<\/code><\/pre>\n\n\n\n
13.0-RELEASE<\/code><\/pre>\n\n\n\n
Install Ports Collection on FreeBSD<\/h3>\n\n\n\n
To use ports to install software in FreeBSD, you need to install portsnap<\/strong><\/code>. Portsnap is a fast and user-friendly tool for retrieving the Ports Collection. It connects to a FreeBSD site, verifies the secure key, and downloads a new copy of the Ports Collection.<\/p>\n\n\n\n
Thus, to install Ports run system update and upgrade<\/p>\n\n\n\n
pkg update<\/code><\/pre>\n\n\n\n
pkg upgrade -f<\/code><\/pre>\n\n\n\n
Download a compressed snapshot of the Ports Collection. The snapshot will be stored under \/var\/db\/portsnap<\/strong>.<\/p>\n\n\n\n
portsnap fetch<\/code><\/pre>\n\n\n\n
Once the command above completes, extract. This can only be done if the snapshot was being fetched for the first time.<\/p>\n\n\n\n
portsnap extract<\/code><\/pre>\n\n\n\n
The ports are extracted and stored under to \/usr\/ports<\/strong>.<\/p>\n\n\n\n
If the Ports Collection snapshot has already been downloaded before, you can simply update it by running the commands below;<\/p>\n\n\n\n
portsnap fetch<\/code><\/pre>\n\n\n\n
portsnap update<\/code><\/pre>\n\n\n\n
You can however run this as a single command;<\/p>\n\n\n\n
portsnap fetch update<\/code><\/pre>\n\n\n\n
Installing Filebeat on FreeBSD<\/h3>\n\n\n\n
To install Filebeat, navigate to beats7 ports directory;<\/p>\n\n\n\n
cd \/usr\/ports\/sysutils\/beats7<\/code><\/pre>\n\n\n\n
Next, you can install Filebeat from FreeBSD beats ports by running the command below;<\/p>\n\n\n\n
make install clean<\/code><\/pre>\n\n\n\n
The command can be used to install various Elastic beats including Filebeat, metricsbeat, packetbeat and heartbeat.<\/p>\n\n\n\n
Therefore, since we are installing Filebeat on FreeBSD, we select only Filebeat from the provided options. Select and deselect using space bar.<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
Once selected, press ENTER to proceed with installation of Filebeat on FreeBSD.<\/p>\n\n\n\n
If you noticed, this is gonna install Filebeat 7.10.1;<\/p>\n\n\n\n
====> Compressing man pages (compress-man)\n===> Staging rc.d startup script(s)\n===>  Installing for beats7-7.10.1\n===>  Checking if beats7 is already installed\n===>   Registering installation for beats7-7.10.1\nInstalling beats7-7.10.1...<\/code><\/pre>\n\n\n\n
Configuring Filebeat on FreeBSD<\/h3>\n\n\n\n
The filebeat configuration files are placed under, \/usr\/local\/etc\/beats\/<\/strong><\/code>. In this directory, you can find filebeat sample configuration and the modules directory;<\/p>\n\n\n\n
ls \/usr\/local\/etc\/beats\/<\/code><\/pre>\n\n\n\n
filebeat.modules.d\tfilebeat.yml.reference\tfilebeat.yml.sample<\/code><\/pre>\n\n\n\n
The Filebeat binary is located under \/usr\/local\/sbin\/filebeat<\/strong><\/code>.<\/p>\n\n\n\n
To configure Filebeat, just rename the sample configuration file.<\/p>\n\n\n\n
cp \/usr\/local\/etc\/beats\/filebeat.yml{.sample,}<\/code><\/pre>\n\n\n\n
You can now open the \/usr\/local\/etc\/beats\/filebeat.yml<\/strong><\/code> for editing.<\/p>\n\n\n\n
vim \/usr\/local\/etc\/beats\/filebeat.yml<\/code><\/pre>\n\n\n\n
Configure Filebeat inputs<\/h4>\n\n\n\n
You can choose to read the log files directly by enabling the type: log<\/strong> input like as shown below;<\/p>\n\n\n\n
# filestream is an experimental input. It is going to replace log input in the future.\n- type: filestream\n\n  # Change to true to enable this input configuration.\n  enabled: true\n\n  # Paths that should be crawled and fetched. Glob based paths.\n  paths:\n    - \/var\/log\/*.log<\/code><\/pre>\n\n\n\n
Or simply use Filebeat modules.<\/p>\n\n\n\n
For example, to enable Filebeat system module;<\/p>\n\n\n\n
cd \/usr\/local\/etc\/beats<\/code><\/pre>\n\n\n\n
List available modules;<\/p>\n\n\n\n
filebeat modules list<\/code><\/pre>\n\n\n\n
Enabled:\n\nDisabled:\napache\nauditd\nelasticsearch\nhaproxy\nicinga\niis\nkafka\nkibana\nlogstash\nmongodb\nmysql\nnats\nnginx\nosquery\npostgresql\nredis\nsanta\nsystem\ntraefik<\/code><\/pre>\n\n\n\n
As you can see, none is enabled by default. Let us enable the system module;<\/p>\n\n\n\n
filebeat modules enable system<\/code><\/pre>\n\n\n\n
Sample output;<\/p>\n\n\n\n
Enabled system<\/code><\/pre>\n\n\n\n
The Filebeat system modules read system logs from the default system location and this is how the its configuration file looks like;<\/p>\n\n\n\n
less \/usr\/local\/etc\/beats\/filebeat.modules.d\/system.yml<\/code><\/pre>\n\n\n\n
# Module: system\n# Docs: https:\/\/www.elastic.co\/guide\/en\/beats\/filebeat\/7.10\/filebeat-module-system.html\n\n- module: system\n  # Syslog\n  syslog:\n    enabled: true\n\n    # Set custom paths for the log files. If left empty,\n    # Filebeat will choose the paths depending on your OS.\n    #var.paths:\n\n  # Authorization logs\n  auth:\n    enabled: true\n\n    # Set custom paths for the log files. If left empty,\n    # Filebeat will choose the paths depending on your OS.\n    #var.paths:<\/code><\/pre>\n\n\n\n
Configure Filebeat Output<\/h4>\n\n\n\n
Next, configure Filebeat to sent event data to Elastic stack. Filebeat can ship logs directly to Elasticsearch or to Logstash or other outputs<\/a>. The Filebeat output is defined on the Filebeat configuration file, \/usr\/local\/etc\/beats\/filebeat.yml<\/code><\/strong>.<\/p>\n\n\n\n
Elasticsearch Output<\/h5>\n\n\n\n
To send event data or event logs directly to Elasticsearch, open the configuration file and define Elasticsearch output as follows;<\/p>\n\n\n\n
vi \/usr\/local\/etc\/beats\/filebeat.yml<\/code><\/pre>\n\n\n\n
Elasticsearch is the default output. All you need to do is update the IP address, Elasticsearch, which is set to localhost by default;<\/p>\n\n\n\n
...\n#================================ Outputs =====================================\n \n# Configure what output to use when sending the data collected by the beat.\n \n#-------------------------- Elasticsearch output ------------------------------\noutput.elasticsearch:\n  # Array of hosts to connect to.\n  #hosts: [\"localhost:9200\"]\n  hosts: [\"192.168.57.20:9200\"]<\/strong>\n...<\/code><\/pre>\n\n\n\n
Logstash Output<\/h5>\n\n\n\n
If you are instead pushing event data to Logstash, comment out the Elasticsearch output and define Logstash output as shown below;<\/p>\n\n\n\n
#================================ Outputs =====================================\n \n# Configure what output to use when sending the data collected by the beat.\n \n#-------------------------- Elasticsearch output ------------------------------\n#output.elasticsearch:\n  # Array of hosts to connect to.\n  #hosts: [\"localhost:9200\"]<\/strong>\n \n  # Protocol - either `http` (default) or `https`.\n  #protocol: \"https\"\n \n  # Authentication credentials - either API key or username\/password.\n  #api_key: \"id:api_key\"\n  #username: \"elastic\"\n  #password: \"changeme\"\n \n#----------------------------- Logstash output --------------------------------\noutput.logstash:\n<\/strong>  # The Logstash hosts\n  #hosts: [\"localhost:5044\"]\n  hosts: [\"192.168.57.20:5044\"]<\/strong><\/code><\/pre>\n\n\n\n
Save and exit the file.<\/p>\n\n\n\n
For each output chosen, ensure that the ports are reachable. For example you can verify connection to Logstash;<\/p>\n\n\n\n
telnet 192.168.57.20 5044<\/code><\/pre>\n\n\n\n
Trying 192.168.57.20...\nConnected to 192.168.57.20.\nEscape character is '^]'.<\/code><\/pre>\n\n\n\n
Similarly, if you are using Elasticsearch directly, ensure that you can reach port 9200\/tcp<\/code><\/strong>.<\/p>\n\n\n\n
telnet 192.168.57.20 9200<\/code><\/pre>\n\n\n\n
Trying 192.168.57.20...\nConnected to 192.168.57.20.\nEscape character is '^]'.<\/code><\/pre>\n\n\n\n
Test Filebeat Output Destination Connection<\/h4>\n\n\n\n
Verify that Filebeat can connect to the output destination you have chosen.<\/p>\n\n\n\n
To test output connection using the current configuration settings;<\/p>\n\n\n\n
filebeat test output -c \/usr\/local\/etc\/beats\/filebeat.yml<\/code><\/pre>\n\n\n\n
Sample output;<\/p>\n\n\n\n
elasticsearch: http:\/\/192.168.57.20:9200...\n  parse url... OK\n  connection...\n    parse host... OK\n    dns lookup... OK\n    addresses: 192.168.57.20\n    dial up... OK\n  TLS... WARN secure connection disabled\n  talk to server... OK\n  version: 7.10.0<\/code><\/pre>\n\n\n\n
As you can see, our filebeat can connect to our Elasticsearch output.<\/p>\n\n\n\n
Test Filebeat Configuration file<\/h4>\n\n\n\n
To ensure that there is no syntax issues on the current Filebeat configuration file, run the command below;<\/p>\n\n\n\n
filebeat test config -c \/usr\/local\/etc\/beats\/filebeat.yml<\/code><\/pre>\n\n\n\n
If you get the output, Config OK<\/code><\/strong>, then you are good to go.<\/p>\n\n\n\n
Load the Filebeat index template in Elasticsearch<\/h4>\n\n\n\n
If you are sending data directly to Elasticsearch, Filebeat will load the template automatically after successfully connecting to Elasticsearch.<\/p>\n\n\n\n
However, if you are using Logstash as the event data process engine, you need to manually load the index template into Elasticsearch. Hence, ensure that there a connection to Elasticsearch before you can load the index template.<\/p>\n\n\n\n
If all is well., load the template.<\/p>\n\n\n\n
filebeat setup -c \/usr\/local\/etc\/beats\/filebeat.yml --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=[\"192.168.57.20:9200\"]'<\/code><\/pre>\n\n\n\n
If you see the output, Index setup finished<\/strong>, template load was successful.<\/p>\n\n\n\n
If the host doesn\u2019t have direct connectivity to Elasticsearch, you can generate the index template, copy it to Elastic Stack Server and install it locally.<\/p>\n\n\n\n
To generate the template;<\/p>\n\n\n\n
filebeat -c \/usr\/local\/etc\/beats\/filebeat.yml export template > filebeat.template.json<\/code><\/pre>\n\n\n\n
To install the template on Elastic Stack server, copy it (filebeat.template.json) and load locally on Elasticsearch server.<\/p>\n\n\n\n
curl -XPUT -H 'Content-Type: application\/json' http:\/\/192.168.57.20:9200\/_template\/filebeat-7.10.1 -d@filebeat.template.json<\/code><\/pre>\n\n\n\n
If loaded successfully, you should get such an output, {\"acknowledged\":true}<\/strong><\/code>.<\/p>\n\n\n\n
Running Filebeat on FreeBSD<\/h4>\n\n\n\n
You can run Filebeat in debug mode using the command below;<\/p>\n\n\n\n
filebeat -e -c \/usr\/local\/etc\/beats\/filebeat.yml --path.config \/usr\/local\/etc\/beats\/ --path.home \/usr\/local\/share\/beats\/filebeat\/ --path.data \/var\/db\/beats\/filebeat --path.logs \/var\/log\/beats<\/code><\/pre>\n\n\n\n
The filebeat will start to harvest the system logs and sent them to the output defined.<\/p>\n\n\n\n
You should see such a line;<\/p>\n\n\n\n
...\n2021-04-16T12:47:08.990+0300\tINFO\t[registrar]\tregistrar\/registrar.go:109\tStates Loaded from registrar: 2\n2021-04-16T12:47:08.990+0300\tINFO\t[crawler]\tbeater\/crawler.go:71\tLoading Inputs: 2\n2021-04-16T12:47:08.992+0300\tINFO\tlog\/input.go:157\tConfigured paths: [\/var\/log\/auth.log* \/var\/log\/secure*]\n2021-04-16T12:47:08.992+0300\tINFO\tlog\/input.go:157\tConfigured paths: [\/var\/log\/messages* \/var\/log\/syslog*]\n2021-04-16T12:47:08.992+0300\tINFO\t[crawler]\tbeater\/crawler.go:108\tLoading and starting Inputs completed. Enabled inputs: 0\n2021-04-16T12:47:08.992+0300\tINFO\tcfgfile\/reload.go:164\tConfig reloader started\n2021-04-16T12:47:08.995+0300\tINFO\tlog\/input.go:157\tConfigured paths: [\/var\/log\/auth.log* \/var\/log\/secure*]\n2021-04-16T12:47:08.995+0300\tINFO\tlog\/input.go:157\tConfigured paths: [\/var\/log\/messages* \/var\/log\/syslog*]\n2021-04-16T12:47:08.995+0300\tINFO\teslegclient\/connection.go:99\telasticsearch url: http:\/\/192.168.57.20:9200\n...\n...\n2021-04-16T12:48:27.496+0300\tINFO\t[publisher_pipeline_output]\tpipeline\/output.go:151\tConnection to backoff(elasticsearch(http:\/\/192.168.57.20:9200)) established<\/strong><\/code><\/pre>\n\n\n\n
Well, if you see such errors as;<\/p>\n\n\n\n
2021-04-16T12:45:39.840+0300\tERROR\tinstance\/metrics_file_descriptors.go:39\tError while retrieving FD information: error retrieving process stats: cannot find matching process for pid=90737\n2021-04-16T12:45:39.840+0300\tERROR\tinstance\/metrics.go:98\tError while getting memory usage: error retrieving process stats: cannot find matching process for pid=90737\n2021-04-16T12:45:39.840+0300\tERROR\tinstance\/metrics.go:142\tError retrieving CPU percentages: error retrieving process stats: cannot find matching process for pid=90737<\/code><\/pre>\n\n\n\n
You can disable metrics monitoring;<\/p>\n\n\n\n
echo \"logging.metrics.enabled: false\" >> \/usr\/local\/etc\/beats\/filebeat.yml<\/code><\/pre>\n\n\n\n
Running Filebeat as Service on FreeBSD<\/h4>\n\n\n\n
Enable Filebeat to run on system boot and <\/p>\n\n\n\n
You can run Filebeat as service using the command below;<\/p>\n\n\n\n
sysrc filebeat_enable=\"YES\"<\/code><\/pre>\n\n\n\n
Start Filebeat on FreeBSD;<\/p>\n\n\n\n
service filebeat start<\/code><\/pre>\n\n\n\n
Check the logs;<\/p>\n\n\n\n
tail -f \/var\/log\/beats\/filebeat<\/code><\/pre>\n\n\n\n
2021-04-16T13:00:07.421+0300\tINFO\t[index-management.ilm]\tilm\/std.go:139\tdo not generate ilm policy: exists=true, overwrite=false\n2021-04-16T13:00:07.421+0300\tINFO\t[index-management]\tidxmgmt\/std.go:274\tILM policy successfully loaded.\n2021-04-16T13:00:07.421+0300\tINFO\t[index-management]\tidxmgmt\/std.go:407\tSet setup.template.name to '{filebeat-7.10.1 {now\/d}-000001}' as ILM is enabled.\n2021-04-16T13:00:07.421+0300\tINFO\t[index-management]\tidxmgmt\/std.go:412\tSet setup.template.pattern to 'filebeat-7.10.1-*' as ILM is enabled.\n2021-04-16T13:00:07.421+0300\tINFO\t[index-management]\tidxmgmt\/std.go:446\tSet settings.index.lifecycle.rollover_alias in template to {filebeat-7.10.1 {now\/d}-000001} as ILM is enabled.\n2021-04-16T13:00:07.421+0300\tINFO\t[index-management]\tidxmgmt\/std.go:450\tSet settings.index.lifecycle.name in template to {filebeat {\"policy\":{\"phases\":{\"hot\":{\"actions\":{\"rollover\":{\"max_age\":\"30d\",\"max_size\":\"50gb\"}}}}}}} as ILM is enabled.\n2021-04-16T13:00:07.422+0300\tINFO\ttemplate\/load.go:97\tTemplate filebeat-7.10.1 already exists and will not be overwritten.\n2021-04-16T13:00:07.422+0300\tINFO\t[index-management]\tidxmgmt\/std.go:298\tLoaded index template.\n2021-04-16T13:00:07.424+0300\tINFO\t[index-management]\tidxmgmt\/std.go:309\tWrite alias successfully generated.\n2021-04-16T13:00:07.429+0300\tINFO\t[publisher_pipeline_output]\tpipeline\/output.go:151\tConnection to backoff(elasticsearch(http:\/\/192.168.57.20:9200)) established<\/code><\/pre>\n\n\n\n
Verify Elasticsearch Index Data Reception<\/h3>\n\n\n\n
Next, login to Elastic stack server and verify data reception.<\/p>\n\n\n\n
curl -X GET 192.168.57.20:9200\/_cat\/indices?v<\/code><\/pre>\n\n\n\n
health status index                             uuid                   pri rep docs.count docs.deleted store.size pri.store.size\nyellow open   filebeat-7.10.1-2021.04.16-000001 CbQmXaRzQ4G9n1wldgvwbg   1   1       1022            0    222.2kb        222.2kb<\/strong>\ngreen  open   .apm-custom-link                  YUZ3YLcBRqqA16bFXrPWEg   1   0          0            0       208b           ...<\/code><\/pre>\n\n\n\n
After that, proceed to the Kibana and Create Index Pattern<\/strong>. and check your index data on Discover;<\/p>\n\n\n\n
I have simulated some few authentication events as evident here;<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
If you have already loaded the default dashboards, you should be able to visualize authentication events on dashboard.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
And that marks our end on how to install Filebeat.<\/p>\n\n\n\n
Other Tutorials<\/h3>\n\n\n\n
How to run Multiple Filebeat Instances in Linux<\/a><\/p>\n\n\n\n
Easy way to configure Filebeat-Logstash SSL\/TLS Connection<\/a><\/p>\n\n\n\n
Install and Configure Filebeat on CentOS 8<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Follow through this guide to learn how to install Filebeat on FreeBSD. Installing Filebeat on FreeBSD Filebeat is not available on the default FreeBSD repositories<\/p>\n","protected":false},"author":1,"featured_media":8676,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[72,910,280,121],"tags":[922,3448,3447,1063,3446,3445,3450,3449],"class_list":["post-8586","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-monitoring","category-elastic-stack","category-freebsd","category-howtos","tag-filebeat","tag-filebeat-elasticsearch-output","tag-filebeat-on-freebsd","tag-freebsd","tag-freebsd-filebeat","tag-install-filebeat-on-freebsd","tag-test-filebeat-config","tag-test-filebeat-output","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8586"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=8586"}],"version-history":[{"count":6,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8586\/revisions"}],"predecessor-version":[{"id":21841,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/8586\/revisions\/21841"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/8676"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=8586"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=8586"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=8586"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}