Filebeat – Collecting and Forwarding Windows Event Logs.
Filebeat is a lightweight log shipper developed by Elastic, commonly used in the Elastic Stack (ELK Stack) to collect logs from various sources and forward them to Elasticsearch, Logstash, or other storage systems.
Let's start by adding Elastic’s GPG key to verify the packages:
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg
Next, add the Elastic repository to the system's APT sources:
echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
Next, let's update the package list and install Filebeat.
sudo apt update && sudo apt install filebeat
The next step is to open the Filebeat configuration file, filebeat.yml:
sudo nano /etc/filebeat/filebeat.yml
In the filebeat.inputs section, make sure the input is set to enabled: true and that it reads the system logs (/var/log/*.log).
Now we also need to edit the output section of the same file so that Filebeat sends logs directly to Elasticsearch.
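The following filebeat.yml is an added example, not the configuration from the original page, showing the two edits described above together: a filestream input for the system logs with enabled: true, and an output.elasticsearch section pointing at the cluster. It goes slightly beyond the page by using HTTPS, a dedicated writer account and the Filebeat keystore instead of a plaintext password; the host, the username filebeat_writer, the ES_PASSWORD keystore key and the CA certificate path are assumptions to replace with values for your own cluster.

```yaml
# Added example filebeat.yml (not the page's own file).
# Host, credentials and certificate path are assumptions for illustration.

filebeat.inputs:
  # filestream is the current input type in Filebeat 8.x; "log" is deprecated.
  - type: filestream
    id: system-logs          # a unique id is expected for each filestream input
    enabled: true            # the page's required setting
    paths:
      - /var/log/*.log       # the system logs the page refers to

output.elasticsearch:
  # Assumed cluster address; Elasticsearch 8.x listens on HTTPS by default.
  hosts: ["https://localhost:9200"]
  protocol: "https"
  # Assumed least-privilege writer account instead of the built-in elastic superuser.
  username: "filebeat_writer"
  # Value is read from the Filebeat keystore (assumed key name), so no secret sits in the file:
  #   sudo filebeat keystore create
  #   sudo filebeat keystore add ES_PASSWORD
  password: "${ES_PASSWORD}"
  # Assumed path to the cluster CA so the certificate is actually verified rather than trusted blindly.
  ssl.certificate_authorities: ["/etc/filebeat/certs/http_ca.crt"]
```

After saving the file, the two checks later on this page (sudo filebeat test config and sudo filebeat test output) confirm that the YAML parses and that Filebeat can authenticate to the cluster over TLS; a failure in the second check usually points at the hosts entry, the credentials or the CA path.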

Next, we need to start the Filebeat service and configure it to launch automatically at system startup.
sudo systemctl start filebeat
sudo systemctl enable filebeat
sudo systemctl status filebeat
Check the Filebeat configuration for any errors.
sudo filebeat test config
Next, test the connection to Elasticsearch by running:
sudo filebeat test output
Finally, verify that the logs are being displayed in ELK.