What is Filebeat?
=================
* aka "beats"
* ships logs to logstash
* installed on client side
* can send also data to kafka and redis
* written in go
* "filebeat" tails a log file
Filebeat Setup
==============
1. Install RPM package (filebeat)
2. Update setting file /etc/filebeat/filebeat.yml. Here is an example config:
3. Start filebeat: systemctl enable --now filebeat
4. You must not see any messages other than these below. If there are errors,
make sure logstash port is reachable from the servers.
And on the filebeat.log (if configured), you must see similar to this:
Beats Family
============
Filebeat and Metricbeat
=======================
Filebeat
- correctly handles log rotation
- back-pressure sensitive (ealasticsearch can still process even logs reading is fast)
- "at least one gurantee"
- structured logging (JSON)
- multi-line
- conditional filtering
- collects /var/log/messages or /var/log/syslog by default
Metricbeat
- captures host metrics (cpu, mem, network traffic, etc)\
commands:
./bin/filebeat module list
./bin/filebeat modules enable system
./bin/filebeat setup
./bin/filebeat -e
./bin/metricbeat module enable apache mysql
./bin/metricbeat test modules apache
Auditbeat
=========
- new in 6.0
- beats for auditing services and users on your system
- modules:
a. Linux Audit Framework module - access, ssh, user actions, etc
b. File Integrity module - monitor file changes
- receives events directly from the kernel via netlink sockets
1. collates messages
2. combnines related
3. parses
4. enriches
5. sends to elasticsearch
- alternative (no need to install auditd) or supplement to auditd
demo for file integrity module:
audibeat.yml
Monitoring containers and orchestration tool
============================================
modules available:
- docker
- kubernetes
Sources
=======
