Deploying Filebeat on MacOS X

Hi all,

I am looking into deploying filebeat on Mac OS X (10.11). The package does not contain the wrapper binary filebeat-god, so the question is how to daemonize filebeat properly.

Starting it manually I can use "./filebeat -e -c filebeat.yml &" to dispatch it from my shell, but for handing it over to launchd that would be poor.

Anyone out there already using it on MacOS X?

Any hint or help is appreciated.

Dirk

I don't know anyone that has deployed Filebeat on OSX. You'll need to assemble a plist for use with launchd. filebeat-god should not be needed since launchd provides that functionality including KeepAlive.

See the launchd man page.

When you have a working plist please consider opening a pull request in beats-packer so we can add it to OSX package. Or if you aren't comfortable with a PR, just post it here.

Hi Andrew,

thanks for your fast answer.

I am familiar with launchd and its plist, my question was not about that. My question is about running filebeat as a daemon on Mac OS X.

On Linux, daemonizing is done by the filebeat-god wrapper.

On Mac OS X I can only daemonize it by using shell magic: calling it with a "&" in the end. That is good for manually starting it, but not for launchd since launchd does not rely on shell magic.

So the question is: How do I daemonize it properly on Mac OS X?

Of course I will PR a working co.elastic.filebeat.plist if I have one.

Thanks,

Dirk

This is what launchd complains about when it tries to call filebeat with "-e" and "-c /path/to/filebeat.yml":

```
Dec 23 07:20:18 pmacl11sh-001 com.apple.xpc.launchd[1] (co.elastic.filebeat): This service is defined to be constantly running and is inherently inefficient.
Dec 23 07:20:18 pmacl11sh-001 com.apple.xpc.launchd[1] (co.elastic.filebeat[70678]): Service could not initialize: 15C50: xpcproxy + 12644 [1472][13E77DA5-3602-31BF-B074-49D4EE27E9D8]: 0xd
```

I don't really know launchd. Consider opening a ticket in beats-packer including your config. Maybe we can iterate on this.

Thanks for looking into this,
Steffen

Check the permissions on the plist (0xd is a Permission Denied). The permissions should be 644 on the plist and 755 on the directory containing the plist (and all owned by root). For security purposes the file can only be writable by the user it runs as.

Based on the man page you don't need to daemonize the process. In fact, it uses the words "MUST NOT". Hopefully I am interpreting it correctly. I think this is also similar to how systemd works, you don't need to daemonize.

```
$ pwd
/topbeat-1.0.1-darwin

$ ls -la
total 12688
drwxr-xr-x   6 root   wheel      204 Dec 23 10:47 .
drwxr-xr-x  34 root   wheel     1224 Dec 23 10:31 ..
-rw-r--r--   1 root   wheel      492 Dec 23 10:47 co.elastic.topbeatd.plist
-rwxr-xr-x   1 root   wheel  6474076 Dec 17 08:26 topbeat
-rw-r--r--   1 root   wheel     2493 Dec 17 08:26 topbeat.template.json
-rw-r--r--   1 akroh  wheel     8504 Dec 23 11:25 topbeat.yml

$ sudo launchctl load co.elastic.topbeatd.plist
$ ps -ef | grep top
    0 46224     1   0 11:29AM ??         0:00.02 /topbeat-1.0.1-darwin/topbeat -c /topbeat-1.0.1-darwin/topbeat.yml

$ tail -F /var/log/system.log | grep --line-buffered "co.elastic"
Dec 23 11:29:48 macbook13 com.apple.xpc.launchd[1] (co.elastic.topbeatd): This service is defined to be constantly running and is inherently inefficient.
```

Hi Andrew,

that helped me, thanks very much.
My fault was to use an administrative user to run filebeat (I try to use root as seldom as possible) - that was leading to permissions issues, I guess.

Now I have filebeat working (I have put the registry to /Library/Application Support/Filebeat/), I just did not test filebeat's own logging - I guess I will do that only in a troubleshooting case.

Now where can I provide the plist and yml I use? Just post it here or anywhere else?

Cheers, Dirk

Glad you got it working. Probably currently the best place for documentation is posting it here. Make sure to post it as "code".

hmm - I am sorry, but I did not find any hint on how to post something as code.
Using html tags named "code" removes the xml tags from the plist content.

Can you try using three ` (backtick) to start and end the code you want to post? This should have the same outcome as Andrew used above.

This is the plist file I put into /Library/LaunchDaemons/:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>co.elastic.filebeat</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/Filebeat/filebeat</string>
        <string>-c</string>
        <string>/Applications/Filebeat/filebeat.yml</string>
    </array>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
```

This is the filebeat.yml I use:

```yaml
filebeat:
  prospectors:
    -
      paths:
      - /private/var/log/system.log
      - /private/var/log/accountpolicy.log
      - /private/var/log/install.log
      input_type: log
      document_type: syslog
  registry_file: /Library/Application Support/Filebeat/registry
output:
  logstash:
    hosts: ["10.23.46.12:5044"]
shipper:
logging:
```

To make this work, I created "/Library/Application Support/Filebeat".

The job was registered with launchd using:

```
launchctl load /Library/LaunchDaemons/co.elastic.filebeat.plist
```

Verification can be done using

```
TheMac:~ root# ps -ef | grep filebeat
    0  1371     1   0  7:55AM ??         0:00.01 /Applications/Filebeat/filebeat -c /Applications/Filebeat/filebeat.yml
    0  1373  1357   0  7:55AM ttys000    0:00.00 grep filebeat
```

Caveats: ATM launchd starts the job again after a reboot of the Mac, but filebeat does not ship any logs until the job is unloaded and loaded again manually.
Funny thing is, filebeat updates the registry file - this leads to old log lines not being shipped after manual reload, just new ones.

Thanks for sharing. It would probably be helpful to others if you could share the commands used to install and verify.

Done.

Now I ran into another issue:
After a reboot of the Mac the launchd job was reloaded automatically (above verification is positive), but filebeat does not ship any logs until the job is unloaded and loaded again manually.
Funny thing is, filebeat updates the registry file even before the manual restart - this leads to old log lines not being shipped after manual reload, just new ones.

This happened on 3 Macs, I would take it to be reproducible.

We will need some logs in order to diagnose anything. Can you enable debug logging to a file in your filebeat.yml?

```yaml
logging:
  to_files: true
  files:
    path: /my/log/dir
  level: debug
  selectors: ['*']
```

I am thinking it could be an issue with network availability at the time launchd starts the Filebeat service.

For usage within a museum for analytics we are just running it as a user level agent (LaunchAgent instead of LaunchDaemon).

Here is the LaunchAgent I created for it:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>co.elastic.filebeat</string>

    <key>ProgramArguments</key>
    <array>
        <string>/users/username/filebeat/filebeat</string>
        <string>-e</string>
        <string>-c</string>
        <string>/users/username/filebeat/filebeat.yml</string>
        <string>-d</string>
        <!-- launchd passes each string verbatim as one argument, so no shell quotes around the selector -->
        <string>publish</string>
    </array>
    <!-- Start the job as soon as it is loaded -->
    <key>RunAtLoad</key>
    <true/>
    <!-- Restart filebeat if it exits -->
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
```

For a LaunchAgent the .plist needs to have the user as the owner with read/write, the group as read only, and everyone as read only (this can be done either through the GUI or in the terminal with chown, then chmod 644), while a LaunchDaemon would be owned by root (with the same permissions for group and everyone), as was mentioned in an earlier reply here.

For those not familiar, a LaunchAgent will only start up the process once the correct user logs in, while a LaunchDaemon starts up with the computer and doesn't require a user to log in.
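
An added example, not part of any post in this thread: a Python check for the ownership and mode rules given in the replies above for LaunchDaemon and LaunchAgent plists (owner is the account the job runs as, no group or world write). It goes beyond the posts by applying the same rule to the plist's directory and to every absolute path in ProgramArguments. The names `audit_launchd_job` and `demo`, and the sample job built in a temp directory, are constructed for illustration.

```python
import os
import plistlib
import stat
import tempfile


def audit_launchd_job(plist_path, expected_uid=0):
    """List ownership/permission problems for a launchd job definition.
    expected_uid: 0 for a LaunchDaemon, the user's uid for a LaunchAgent."""
    findings = []
    def check(path, what):
        try:
            st = os.stat(path)
        except OSError as exc:
            findings.append(f"{what} {path}: cannot stat ({exc.strerror})")
            return
        if st.st_uid != expected_uid:
            findings.append(f"{what} {path}: owner uid {st.st_uid}, expected {expected_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{what} {path}: group/world writable (mode {stat.S_IMODE(st.st_mode):o})")

    check(plist_path, "plist")
    check(os.path.dirname(os.path.abspath(plist_path)), "plist directory")
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception as exc:  # unreadable file or malformed XML (e.g. missing </plist>)
        findings.append(f"plist {plist_path}: cannot parse ({exc})")
        return findings
    for arg in job.get("ProgramArguments", []):
        if os.path.isabs(arg):  # binary and config paths; flags such as -c are skipped
            check(arg, "program argument")
    return findings


def demo():
    """Audit a constructed job in a temp dir, before and after loosening the config mode."""
    d = tempfile.mkdtemp()
    binary, config = os.path.join(d, "filebeat"), os.path.join(d, "filebeat.yml")
    plist = os.path.join(d, "co.elastic.filebeat.plist")
    for path, mode in ((binary, 0o755), (config, 0o644)):
        open(path, "w").close()
        os.chmod(path, mode)
    with open(plist, "wb") as fh:
        plistlib.dump({"Label": "co.elastic.filebeat", "ProgramArguments": [binary, "-c", config]}, fh)
    os.chmod(plist, 0o644)
    clean = audit_launchd_job(plist, expected_uid=os.getuid())
    os.chmod(config, 0o666)  # constructed fault: config writable by any local user
    return clean, audit_launchd_job(plist, expected_uid=os.getuid())
```

On the Mac itself, calling `audit_launchd_job("/Library/LaunchDaemons/co.elastic.filebeat.plist")` with the default `expected_uid=0` also reports a binary or config file that is owned by a non-root account.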