This is the plist file I put into /Library/LaunchDaemons/:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>co.elastic.filebeat</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/Filebeat/filebeat</string>
        <string>-c</string>
        <string>/Applications/Filebeat/filebeat.yml</string>
    </array>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
This is the filebeat.yml I use:
filebeat:
  prospectors:
    -
      paths:
        - /private/var/log/system.log
        - /private/var/log/accountpolicy.log
        - /private/var/log/install.log
      input_type: log
      document_type: syslog
  registry_file: /Library/Application Support/Filebeat/registry
output:
  logstash:
    hosts: ["10.23.46.12:5044"]
shipper:
logging:
To make this work, I created "/Library/Application Support/Filebeat".
The job was registered with launchd using:
launchctl load /Library/LaunchDaemons/co.elastic.filebeat.plist
Verification can be done using:
TheMac:~ root# ps -ef | grep filebeat
0 1371 1 0 7:55AM ?? 0:00.01 /Applications/Filebeat/filebeat -c /Applications/Filebeat/filebeat.yml
0 1373 1357 0 7:55AM ttys000 0:00.00 grep filebeat
Caveats: ATM launchd starts the job again after a reboot of the Mac, but filebeat does not ship any logs until the job is unloaded and loaded again manually.
Funny thing is, filebeat updates the registry file - this leads to old log lines not being shipped after manual reload, just new ones.
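The ps output above shows the job running as uid 0, so the binary, its config file and every directory above them should be owned by root and not writable by group or others. The following is an added example, not part of the original post: it reads ProgramArguments from the plist and checks those paths. The names audit_launchd_job, fake_stat and FAKE_FS, and the ownership data, are constructed for illustration.

```python
import os
import plistlib
import stat
from types import SimpleNamespace

def audit_launchd_job(plist_bytes, stat_fn=os.stat):
    """Return (path, problem) pairs for paths a root LaunchDaemon depends on."""
    job = plistlib.loads(plist_bytes)
    findings, seen = [], set()
    for arg in job.get("ProgramArguments", []):
        if not arg.startswith("/"):
            continue  # skip flags such as -c
        path = os.path.normpath(arg)
        while path not in seen:  # the file first, then each parent directory
            seen.add(path)
            try:
                st = stat_fn(path)
            except FileNotFoundError:
                findings.append((path, "missing"))
            else:
                if st.st_uid != 0:
                    findings.append((path, "not owned by root"))
                if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                    findings.append((path, "group- or world-writable"))
            if path == "/":
                break
            path = os.path.dirname(path)
    return findings

# Constructed sample: the job from the post, trimmed to the keys used here.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>co.elastic.filebeat</string>
<key>ProgramArguments</key><array>
<string>/Applications/Filebeat/filebeat</string>
<string>-c</string>
<string>/Applications/Filebeat/filebeat.yml</string>
</array></dict></plist>"""

# Constructed (uid, mode) data so the example runs anywhere; use os.stat on a real host.
FAKE_FS = {"/": (0, 0o40755), "/Applications": (0, 0o40755),
           "/Applications/Filebeat": (501, 0o40755),
           "/Applications/Filebeat/filebeat": (0, 0o100755),
           "/Applications/Filebeat/filebeat.yml": (0, 0o100664)}

def fake_stat(path):
    uid, mode = FAKE_FS[path]
    return SimpleNamespace(st_uid=uid, st_mode=mode)

print(audit_launchd_job(SAMPLE_PLIST, fake_stat))
```

On the Mac itself, pass the bytes of /Library/LaunchDaemons/co.elastic.filebeat.plist and leave stat_fn at its default.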