Nybble Security Analytics: Filebeat collector
Filebeat aims to act as a central event collector for your firewalls, network equipment, and similar devices.
Before you begin
Connect to Nybble Hub at the Settings section to:
- download the Filebeat configuration files
- grab your client short name: it will be used in network rules.
Sizing
Filebeat itself has no sizing requirements: it's a lightweight agent (less than 2% CPU).
Nybble recommends using a dedicated VM / Server to run it, as there will be incoming / outgoing network rules to create later.
System specifications can remain the usual ones in your company.
Filebeat installation
Note
Nybble recommends using version 7.10.2, as all configurations were validated with this version.
To download and install Filebeat, use the commands that work with your operating system (compatibility matrix):
DEB:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.10.2-amd64.deb
sudo dpkg -i filebeat-7.10.2-amd64.deb
RPM:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.10.2-x86_64.rpm
sudo rpm -vi filebeat-7.10.2-x86_64.rpm
Windows:
- Download the Filebeat Windows zip file: Filebeat 7.10.2 on Elastic website
- Extract the contents of the zip file into C:\Program Files.
- Rename the filebeat-7.10.2-windows directory to Filebeat.
- Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
- From the PowerShell prompt, run the following commands to install Filebeat as a Windows service:
PS > cd 'C:\Program Files\Filebeat'
PS C:\Program Files\Filebeat> .\install-service-filebeat.ps1
Note
If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run.
Example: powershell.exe -ExecutionPolicy unrestricted -file .\install-service-filebeat.ps1.
Filebeat configuration
The filebeat-config.zip file contains all the files required to run Filebeat:
- yml configuration files
- certs subfolder: certificates to secure communication with Nybble's servers
Copy these contents into the Filebeat agent folder:
Linux (DEB and RPM): /etc/filebeat
Windows: C:\Program Files\Filebeat
Then start the program:
Linux (DEB and RPM):
sudo systemctl enable filebeat.service # enable at boot
sudo service filebeat start
Windows:
PS C:\Program Files\filebeat> Start-Service filebeat
On Windows, Filebeat log files are stored in C:\ProgramData\filebeat\Logs by default.
Network rules
The Filebeat agent requires the following network rule to communicate with Nybble's servers:
Source | Destination | Protocol | Usage |
---|---|---|---|
filebeat server | <clientshortname>-kafka-bootstrap.nybble-analytics.io, <clientshortname>-kafka-broker-[0-9].nybble-analytics.io | TCP 9094 | Event sending |
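A preflight check for the Linux collector, run before starting the service. It is an added example, not part of Nybble's or Elastic's tooling: it confirms the files under certs are readable only by their owner, validates the configuration, and tests the network rule above. It assumes the client short name is a lowercase DNS label, that the main configuration file keeps Filebeat's default name filebeat.yml, that nc is installed, and that probing broker indices 0 to 2 is enough.

```shell
#!/bin/sh
# Added example (not Nybble's tooling). Usage: sh preflight.sh <clientshortname> [broker_count]
CONF_DIR="${CONF_DIR:-/etc/filebeat}"   # Linux agent folder from this page
PORT=9094                               # port from the network rules table

# Print the destination hostnames for a client short name.
# The table gives broker indices as [0-9]; the default of 3 is an assumption.
nybble_hosts() {
    case "$1" in
        ''|*[!a-z0-9-]*) echo "invalid client short name: '$1'" >&2; return 1 ;;
    esac
    echo "$1-kafka-bootstrap.nybble-analytics.io"
    i=0
    while [ "$i" -lt "${2:-3}" ]; do
        echo "$1-kafka-broker-$i.nybble-analytics.io"
        i=$((i + 1))
    done
}

# List files in a certs directory that group or other users can read or write.
loose_cert_files() {
    find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \)
}

preflight() {
    rc=0
    hosts=$(nybble_hosts "$1" "${2:-3}") || return 2
    loose=$(loose_cert_files "$CONF_DIR/certs")
    if [ -n "$loose" ]; then
        echo "FAIL: files under certs accessible beyond owner:"; echo "$loose"; rc=1
    fi
    # filebeat.yml is Filebeat's default config name (assumed unchanged here).
    filebeat test config -c "$CONF_DIR/filebeat.yml" || rc=1
    for h in $hosts; do
        if nc -z -w 5 "$h" "$PORT"; then echo "ok   $h:$PORT"
        else echo "FAIL $h:$PORT unreachable"; rc=1; fi
    done
    return "$rc"
}

if [ $# -gt 0 ]; then preflight "$@"; fi
```

A non-zero exit status means at least one check failed; a failure on a higher broker index may only mean that your deployment has fewer brokers than were probed.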
What's next
You can start onboarding devices (firewalls, network equipment) by selecting the corresponding vendor page in the left menu.