Nybble Security Analytics: Filebeat collector

Filebeat aims to act as a central event collector for your firewalls, network equipments ...

Before you begin

Connect to Nybble Hub at the Settings section to:

  • download the Filebeat configuration files
  • grab your client short name: it will be used in network rules.


Filebeat itself has no sizing requirements: it's a lightweight agent (less than 2% CPU).
Nybble recommends using a dedicated VM / Server to run it, as there will be incoming / outgoing network rules to create later.
System specifications can remain the usual ones in your company.

Filebeat installation


Nybble recommands using the 7.10.2 version as all configurations were validated with this version.

To download and install Filebeat, use the commands that work with your operating system (compatibility matrix):

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.10.2-amd64.deb
sudo dpkg -i filebeat-7.10.2-amd64.deb
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.10.2-x86_64.rpm
sudo rpm -vi filebeat-7.10.2-x86_64.rpm
  1. Download the Filebeat Windows zip file: Filebeat 7.10.2 on Elastic website
  2. Extract the contents of the zip file into C:\Program Files.
  3. Rename the filebeat-7.10.2-windows directory to Filebeat.
  4. Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
  5. From the PowerShell prompt, run the following commands to install Filebeat as a Windows service:
    PS > cd 'C:\Program Files\Filebeat'
    PS C:\Program Files\Filebeat> .\install-service-filebeat.ps1


If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run.
Example: powershell.exe -ExecutionPolicy unrestricted -file .\install-service-filebeat.ps1.

Filebeat configuration

The filebeat-config.zip file contains all the required files to run filebeat:

  • yml configuration files
  • certs subfolder : certificates to secure communication to Nybble's servers

Copy these contents into the filebeat agent folder :

C:\Program Files\Filebeat

Then start the program :

sudo systemctl enable filebeat.service    # enable at boot
sudo service filebeat start
sudo systemctl enable filebeat.service    # enable at boot
sudo service filebeat start
PS C:\Program Files\filebeat> Start-Service filebeat

By default, Windows log files are stored in C:\ProgramData\filebeat\Logs.

Network rules

Filebeat agent requires following network rule to communicate with Nybble's servers:

Source Destination Protocol Usage
filebeat server <clientshortname>-kafka-bootstrap.nybble-analytics.io
TCP 9094 Event sending

What's next

You can start to onboard devices (firewalls, network equipments) by selecting the according page in the left menu (by vendor).