Hi, I have been reading over forum posts and readmes for trying to use filebeat and offshoots to integrate logs from Suricata running on a Raspberry Pi and ship them to a Bitnami ELK VM I have running on my computer - I have looked at the following options:
But am having difficulty knowing where to begin and how to get them to work with each other. When I try to edit filebeat.yml and filebeat.reference.yml, they do not have the sections described here -
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-configuration.html
I cannot find the inputs like in the example:
filebeat.inputs:
- type: log
enabled: true
paths:- /var/log/*.log
#- c:\programdata\elasticsearch\logs*
- /var/log/*.log
When I ran ./easyBEATS-7.3.2_arm I got the following which seems to indicate it didn't install right:
System Update...
Tue 21 Jan 01:32:51 GMT 2020
-> System Update Complete
Creating Go Workspace directories...
-> making /root/go...
-> Go Workspace directories created
Checking for python-pip git...
-> python-pip git is installed
Checking for virtualenv...
-> virtualenv is installed
Checking for Make...
-> Make is installed
Checking for GCC...
-> GCC is installed
Checking for Go...
-> Go is installed
Getting Beats files from Elastic repo on github...
package github.com/elastic/beats: cannot download, $GOPATH not set. For more details see: go help gopath
./easyBEATS-7.3.2_arm: line 75: cd: beats: No such file or directory
Checking out Beats...
fatal: Not a git repository (or any of the parent directories): .git
fatal: Not a git repository (or any of the parent directories): .git
Temporarily enabling swap space
Setting up swapspace version 1, size = 2 GiB (2147479552 bytes)
no label, UUID=c468269a-c38c-4894-8fe3-5e41d6ea923f
/swapfile swap swap defaults 0 0
NAME TYPE SIZE USED PRIO
/var/swap file 100M 100M -2
/swapfile file 2G 0B -3
---- Filebeat ----
./easyBEATS-7.3.2_arm: line 87: cd: /root/go/src/github.com/elastic/beats/filebeat: No such file or directory
Creating Filebeat...
can't load package: package .: no buildable Go source files in /root/go/src/github.com/elastic
make: *** No targets specified and no makefile found. Stop.
Filebeat created
Creating Filebeat directories...
-> making /usr/share/filebeat...
-> making /etc/filebeat...
-> making /var/log/filebeat...
-> making /var/lib/filebeat...
Moving Filebeat...
mv: cannot stat '/root/go/src/github.com/elastic/beats/filebeat/filebeat': No such file or directory
mv: cannot stat '/root/go/src/github.com/elastic/beats/filebeat/module': No such file or directory
cp: cannot stat '/root/go/src/github.com/elastic/beats/filebeat/filebeat.reference.yml': No such file or directory
mv: cannot stat '/root/go/src/github.com/elastic/beats/filebeat/modules.d/': No such file or directory
cp: cannot stat '/root/go/src/github.com/elastic/beats/filebeat/filebeat.yml': No such file or directory
cp: cannot stat '/root/beats_arm/filebeat_files/fields.yml': No such file or directory
cp: cannot stat '/root/beats_arm/filebeat_files/LICENSE.txt': No such file or directory
cp: cannot stat '/root/beats_arm/filebeat_files/NOTICE.txt': No such file or directory
cp: cannot stat '/root/beats_arm/filebeat_files/filebeat.service': No such file or directory
Failed to enable unit: File filebeat.service: No such file or directory
---- Metricbeat ----
./easyBEATS-7.3.2_arm: line 148: cd: /root/go/src/github.com/elastic/beats/metricbeat: No such file or directory
Creating Metricbeat...
can't load package: package .: no buildable Go source files in /root/go/src/github.com/elastic
make: *** No targets specified and no makefile found. Stop.
Metricbeat created
Creating Metricbeat directories...
-> making /usr/share/metricbeat...
-> making /etc/metricbeat...
-> making /var/log/metricbeat...
-> making /var/lib/metricbeat...
mv: cannot stat '/root/go/src/github.com/elastic/beats/metricbeat/metricbeat': No such file or directory
mv: cannot stat '/root/go/src/github.com/elastic/beats/metricbeat/module': No such file or directory
mv: cannot stat '/root/go/src/github.com/elastic/beats/metricbeat/modules.d/': No such file or directory
cp: cannot stat '/root/go/src/github.com/elastic/beats/metricbeat/metricbeat.yml': No such file or directory
cp: cannot stat '/root/go/src/github.com/elastic/beats/metricbeat/metricbeat.reference.yml': No such file or directory
cp: cannot stat '/root/beats_arm/metricbeat_files/fields.yml': No such file or directory
cp: cannot stat '/root/beats_arm/metricbeat_files/LICENSE.txt': No such file or directory
cp: cannot stat '/root/beats_arm/metricbeat_files/NOTICE.txt': No such file or directory
cp: cannot stat '/root/beats_arm/metricbeat_files/metricbeat.service': No such file or directory
Failed to enable unit: File metricbeat.service: No such file or directory
---- Packetbeat ----
Reading package lists... Done
Building dependency tree
Reading state information... Done
libpcap-dev is already the newest version (1.8.1-3).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
./easyBEATS-7.3.2_arm: line 209: cd: /root/go/src/github.com/elastic/beats/packetbeat: No such file or directory
Creating Packetbeat...
can't load package: package .: no buildable Go source files in /root/go/src/github.com/elastic
make: *** No targets specified and no makefile found. Stop.
Packetbeat created
Creating Packetbeat directories...
-> making /usr/share/packetbeat...
-> making /etc/packetbeat...
-> making /var/log/packetbeat...
-> making /var/lib/packetbeat...
mv: cannot stat '/root/go/src/github.com/elastic/beats/packetbeat/packetbeat': No such file or directory
cp: cannot stat '/root/go/src/github.com/elastic/beats/packetbeat/_meta/kibana': No such file or directory
cp: cannot stat '/root/go/src/github.com/elastic/beats/packetbeat/packetbeat.reference.yml': No such file or directory
cp: cannot stat '/root/go/src/github.com/elastic/beats/packetbeat/packetbeat.yml': No such file or directory
cp: cannot stat '/root/beats_arm/packetbeat_files/fields.yml': No such file or directory
cp: cannot stat '/root/beats_arm/packetbeat_files/LICENSE.txt': No such file or directory
cp: cannot stat '/root/beats_arm/packetbeat_files/NOTICE.txt': No such file or directory
cp: cannot stat '/root/beats_arm/packetbeat_files/packetbeat.service': No such file or directory
Failed to enable unit: File packetbeat.service: No such file or directory
---- Auditbeat ----
./easyBEATS-7.3.2_arm: line 268: cd: /root/go/src/github.com/elastic/beats/auditbeat: No such file or directory
Creating Auditbeat...
can't load package: package .: no buildable Go source files in /root/go/src/github.com/elastic
make: *** No targets specified and no makefile found. Stop.
Auditbeat created
Creating Auditbeat directories...
-> making /usr/share/auditbeat...
-> making /etc/auditbeat...
I therefore cannot run Filebeat, and I can't tell which ports Bitnami is using for the various components of the ELK stack. If anyone has suggestions on how to begin with using Easybeat/Pibeat for configuring the setup I described I would be very grateful.
I would try SELKS but I am afraid a Raspberry Pi 3 wouldn't have the RAM or storage for it and haven't seen much written about running it on a Pi - https://github.com/StamusNetworks/SELKS/wiki/First-time-setup