Filebeat ships logs to Logstash or Elasticsearch, where they can be filtered and used as required. Whether you’re collecting from security devices, cloud, containers, hosts, or OT, Filebeat helps you keep the simple things simple by offering a lightweight way to forward and centralize logs and files.
An input is responsible for managing the harvesters and finding all sources to read from.
In this tutorial we will learn how to install Filebeat on CentOS 8. There are two methods to install Filebeat; you can follow either one:
Method 1: Install Elastic Stack Repos on CentOS 8
Filebeat is not available in the default CentOS 8 repositories, so you need to add the Elastic Stack repo.
We will add a yum repository for Filebeat so that we can install it using the yum command, which is easy to work with.
Install the Elastic Stack repo GPG signing key using the following command:
sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
Next, install the Elastic Stack repo on CentOS 8.
cat > /etc/yum.repos.d/elasticstack.repo << EOL
[elasticstack]
name=Elastic repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOL
Once the repo is in place, you can install Filebeat by running the command below:
dnf install filebeat
Method 2: Install Filebeat using RPM Package
Should you choose to install Filebeat on CentOS 8 using the RPM package, grab the link to the latest stable release of the Filebeat RPM package from the Filebeat downloads page and run either the dnf command, or the wget and rpm commands, below:
dnf install https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.7.1-x86_64.rpm
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.7.1-x86_64.rpm
rpm -vi filebeat-7.7.1-x86_64.rpm
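Method 2 installs a downloaded file directly, outside the repository's gpgcheck=1 setting, so the package is worth checking before rpm -vi runs. The following is an added example, not part of the original tutorial: it compares the file against a SHA-512 checksum file and requires rpm -K to report a verified signature. It assumes the signing key from Method 1 has been imported, that a .sha512 file for the package was downloaded alongside it, and the rpm -K output wording of the rpm version shipped with CentOS 8; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: verify a downloaded Filebeat RPM before installing it.
# Function names are hypothetical; they are not part of rpm or Filebeat.

# True when the file's SHA-512 equals the first field of the checksum file
# (format assumed: "<hex digest>  <file name>", as sha512sum writes it).
verify_sha512() {
    local pkg=$1 sumfile=$2 want got
    want=$(awk 'NR==1 {print tolower($1)}' "$sumfile") || return 1
    got=$(sha512sum "$pkg" | awk '{print $1}') || return 1
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# True only when an "rpm -K" result line reports a verified signature.
# An unsigned package prints "digests OK" and rpm exits 0, so the exit
# status alone is not enough; a missing key prints "SIGNATURES NOT OK".
sig_line_ok() {
    case $1 in
        *"NOT OK"*) return 1 ;;
        *"signatures OK"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run both checks and install only if both pass.
verify_and_install() {
    local pkg=$1 sumfile=$2 line
    verify_sha512 "$pkg" "$sumfile" || { echo "checksum mismatch: $pkg" >&2; return 1; }
    line=$(rpm -K "$pkg" 2>&1)
    sig_line_ok "$line" || { echo "signature not verified: $line" >&2; return 1; }
    sudo rpm -vi "$pkg"
}

# Usage, after importing the signing key and downloading both files:
#   verify_and_install filebeat-7.7.1-x86_64.rpm filebeat-7.7.1-x86_64.rpm.sha512
```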
Start Filebeat and enable it to run on system boot:
sudo systemctl start filebeat
sudo systemctl enable filebeat
sudo systemctl status filebeat
The systemctl status filebeat command should produce output like that shown in the following picture.
Filebeat has now been installed on your system successfully. You can configure it as required by editing the configuration file with the command “sudo nano /etc/filebeat/filebeat.yml”.