📒
Book of VanLuong
  • 👨‍💻About the Author
  • Cryptanalysis
    • RSA & RSA ATTACK
    • DES (Data Encryption Standard)
    • AES (Advanced Encryption Standard)
    • ECC ( Elliptic Curve of Cryptography)
    • Group-based Cryptography
    • Lattice-based Cryptography
    • ChaCha20-Poly1305
    • Hash Function
    • Wargame CTF
  • Windows
    • 70 Vital Windows Commands
  • Guide to Installing Kali Linux, DVWA, and bWAPP
    • Phần 1. CÀI ĐẶT HỆ ĐIỀU HÀNH KALI LINUX
    • Phần 2. CÀI ĐẶT DVWA
    • Phần 3. CÀI ĐẶT BWAPP
  • Cybersecurity Lab & Threat Intelligence
    • Build ELK Lab
      • Configure Elasticsearch and Kibana setup in ubuntu
      • Fluent Bit – Sending Logs to ELK with Fluent Bit
      • Winlogbeat – Collecting and Forwarding Windows Event Logs.
      • Filebeat – Collecting and Forwarding Windows Event Logs.
      • Send Logs from Winlogbeat through Logstash to ELK
      • Audit policy & Winlogbeat
    • Watch full series
  • CyberDefender Labs
Powered by GitBook
On this page

Was this helpful?

  1. Cybersecurity Lab & Threat Intelligence
  2. Build ELK Lab

Filebeat – Collecting and Forwarding Windows Event Logs.

PreviousWinlogbeat – Collecting and Forwarding Windows Event Logs.NextSend Logs from Winlogbeat through Logstash to ELK

Last updated 1 month ago

Was this helpful?

Filebeat is a lightweight log shipper developed by Elastic, commonly used in the Elastic Stack (ELK Stack) to collect logs from various sources and forward them to Elasticsearch, Logstash, or other storage systems.

Let's start by adding Elastic’s GPG key to verify the packages:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg

We need to add the Elastic repository to system:

echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list

Next, let's update the package list and install Filebeat.

sudo apt update && sudo apt install filebeat

The next step is to open the Filebeat configuration file filebeat.yml

sudo nano /etc/filebeat/filebeat.yml

Make sure that Filebeat is value enabled: true and read logs from system logs (/var/log/*.log)

Now we need to edit the file also to send logs directly to Elasticsearch.

Next, we need to start the Filebeat service and configure it to launch automatically at system startup.

sudo systemctl start filebeat
sudo systemctl enable filebeat
sudo systemctl status filebeat

Check the Filebeat configuration for any errors.

sudo filebeat test config

Next, check test the connection to Elasticsearch by running.

sudo filebeat test output

Let's verify whether the logs are being displayed in ELK.