1 Requirements
First, make sure our log servers are reachable. You can find the networking requirements here:
Note: The above article is only available for SecureDNS customer accounts.
2 Installing Filebeat
Next, follow these steps based on your Linux distribution:

For Debian:

- Download and install the public signing key:

    wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg

- You may need to install the apt-transport-https package on Debian before proceeding:

    sudo apt install apt-transport-https

- Save the repository definition to /etc/apt/sources.list.d/elastic-8.x.list (the signed-by option tells apt to verify the repository with the keyring imported above):

    echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list

- Run apt-get update, and the repository is ready for use. For example, you can install Filebeat by running:

    sudo apt update ; sudo apt install filebeat

- To configure Filebeat to start automatically during boot, run:

    sudo systemctl enable filebeat

- If your system does not use systemd, run:

    sudo update-rc.d filebeat defaults 95 10
For Red Hat:

- Download and install the public signing key:

    sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

- Create a file with a .repo extension (for example, elastic.repo) in your /etc/yum.repos.d/ directory and add the following lines:

    [elastic-8.x]
    name=Elastic repository for 8.x packages
    baseurl=https://artifacts.elastic.co/packages/8.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md

- Your repository is ready to use. For example, you can install Filebeat by running:

    sudo yum install filebeat

- To configure Filebeat to start automatically during boot, run:

    sudo systemctl enable filebeat

- If your system does not use systemd, run:

    sudo chkconfig --add filebeat
3 Download the certificates and replace the configuration file

- Download our certificates and config file here: https://portal.secutec.com/documents -> Configuration -> SecureDNS_Filebeat_Linux_Config+Certs2023.
- Unzip the archive on the system and move its contents to /etc/filebeat/.
- Make sure to replace the existing filebeat.yml with the one provided in the download.
- Open the newly replaced filebeat.yml in a text editor and adapt the following parameters:
  - paths: should contain the path where your local DNS logs are stored. Example:

        /var/lib/bind/*.log

  - fields: client: and site: should contain the customer and site name that were configured in the portal. Example:

        client: customer
        site: hq

  - output.logstash: the 3 ssl paths should contain the downloaded certificates. Please double-check that they are stored in the right location and adapt the paths if needed.
- Test the config file with this command:

    filebeat test config

- Test the output with this command:

    filebeat test output

- If the TCP handshakes are successful and there are no errors in the config file, we should be receiving the logs. Please check in your firewall that you can see outgoing traffic over port 6044.
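The checks below, as an added example that is not part of the Secutec article or of Filebeat, catch the three mistakes the steps above warn about (example client/site values left in place, certificate paths that do not point at the downloaded files, a paths: glob that matches no DNS log) before you run filebeat test config and filebeat test output. It assumes the standard Filebeat option names fields.client, fields.site, paths, ssl.certificate_authorities, ssl.certificate and ssl.key, and builds its own constructed sample filebeat.yml.

```shell
# Added example (not from the Secutec article or Filebeat): pre-flight checks on the adapted
# filebeat.yml before "filebeat test config" / "filebeat test output". Assumes the standard
# option names fields.client, fields.site, paths, ssl.certificate_authorities, ssl.certificate, ssl.key.
yml_value() { # first "KEY: value" line in $2 for key $1, stripped of quotes, brackets and extra list entries
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 | cut -d, -f1 | tr -d '"[] '
}
yml_paths() { # every "- entry" listed directly under a "paths:" key in $1
    awk '/^[ \t]*paths:/ {p = 1; next}
         p && /^[ \t]*-[ \t]/ {sub(/^[ \t]*-[ \t]*/, ""); print; next}
         {p = 0}' "$1"
}
# Returns 0 when the config looks complete, 1 otherwise; each problem found is printed.
check_filebeat_config() { # $1 = path to filebeat.yml
    cfg=$1 rc=0 found=0
    for key in client site; do            # fields.client / fields.site as set in the portal
        v=$(yml_value "$key" "$cfg")
        case $v in ''|customer|hq) echo "fields.$key still has the example value '$v'"; rc=1 ;; esac
    done
    for key in ssl.certificate_authorities ssl.certificate ssl.key; do   # the 3 ssl paths
        f=$(yml_value "$key" "$cfg")
        [ -r "$f" ] || { echo "$key -> '$f' is missing or unreadable"; rc=1; }
    done
    for g in $(yml_paths "$cfg"); do      # unquoted on purpose: let the shell expand the glob
        [ -e "$g" ] && found=1
    done
    [ "$found" = 1 ] || { echo "no DNS log file matches the configured paths"; rc=1; }
    return $rc
}
# Constructed sample (not a real deployment): scratch dir with empty cert files, one BIND log and a yml.
make_sample_config() {
    d=$(mktemp -d); mkdir -p "$d/logs"
    : > "$d/ca.crt"; : > "$d/client.crt"; : > "$d/client.key"; : > "$d/logs/named.log"
    cat > "$d/filebeat.yml" <<EOF
filebeat.inputs:
- type: filestream
  paths:
    - $d/logs/*.log
fields:
  client: acme
  site: brussels
output.logstash:
  hosts: ["logs.example.invalid:6044"]
  ssl.certificate_authorities: ["$d/ca.crt"]
  ssl.certificate: "$d/client.crt"
  ssl.key: "$d/client.key"
EOF
    echo "$d/filebeat.yml"
}
[ $# -eq 0 ] || check_filebeat_config "$1"   # e.g. sh check.sh /etc/filebeat/filebeat.yml
```

The script only reads the file and the paths it names; it does not open a connection, so a clean result still has to be followed by filebeat test output to confirm the TLS handshake on port 6044.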