Step 1 - Download Filebeat

Download and unzip Filebeat for Mac from https://www.elastic.co/downloads/beats/filebeat 

Step 2 - Prepare for Encryption

To encrypt the traffic, download the Loom CA certificate and place it in the Filebeat folder, in a sub-folder named cert.
Next, generate a client-side certificate:

openssl genrsa -out selfsigned.key 2048
openssl req -new -key selfsigned.key -batch -out selfsigned.csr
openssl x509 -req -days 3650 -in selfsigned.csr -signkey selfsigned.key -out selfsigned.crt
rm selfsigned.csr

Copy the key and crt files to the cert folder as well.

Step 3 - Configure filebeat.yml

Open the filebeat.yml file and make the following modifications: 

  • Delete the Elasticsearch output section
  • Replace the Logstash section with the following example:
#----------------------------- Logstash output --------------------------------
output.logstash:
  hosts: ["{{customer}}-data.loomsystems.com:5044"]

  ssl.enabled: true
  ssl.certificate_authorities: ["{{path-to-loom-certificate}}"]
  ssl.certificate: "{{path-to-client-certificate}}"
  ssl.key: "{{path-to-client-key}}"

Replace the fields in curly brackets, for example:

  • {{customer}} - acme
  • {{path-to-loom-certificate}} - /etc/filebeat-5.4.2/cert/loom.cer
  • {{path-to-client-certificate}} - /etc/filebeat-5.4.2/cert/selfsigned.crt
  • {{path-to-client-key}} - /etc/filebeat-5.4.2/cert/selfsigned.key

Step 4 - Change ownership of filebeat.yml

Enter the following command to change ownership of filebeat.yml to root:

chown root filebeat.yml

Step 5 - Run filebeat on Mac startup

In order to run filebeat and stream your Mac logs to Loom when your computer starts up, add the following file, named co.logstash.filebeat.plist, to the directory /Library/LaunchDaemons, replacing {{path-to-filebeat-distribution}} with the path to the filebeat folder you downloaded:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>co.logstash.filebeat</string>
    <key>ProgramArguments</key>
    <array>
        <string>{{path-to-filebeat-distribution}}/filebeat</string>
        <string>-e</string>
        <string>-c</string>
        <string>{{path-to-filebeat-distribution}}/filebeat.yml</string>
    </array>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>

Restart your computer and your logs will begin streaming to Loom.
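
Before restarting, the files from Steps 2 to 4 can be checked with the script below. It is an added example, not part of the original instructions and not Loom's or Filebeat's own code; it assumes the file names from Step 2 (selfsigned.key, selfsigned.crt), and the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not Loom's or Filebeat's code): checks the files from Steps 2-4.
# File names follow Step 2; function names are made up for this example.

# Succeeds only if FILE exists and has none of the given permission bits set.
# "find -perm -MODE" is POSIX, so this behaves the same on macOS and Linux.
lacks_bits() {  # usage: lacks_bits FILE MODE...
    f=$1; shift
    [ -f "$f" ] || return 1
    for bit in "$@"; do
        [ -z "$(find "$f" -prune -perm "-$bit")" ] || return 1
    done
}

# Private key: no access for group or others (for example mode 0600).
key_is_private() { lacks_bits "$1" 040 020 010 004 002 001; }

# filebeat.yml: not writable by group or others (for example mode 0644).
# Filebeat's strict permission check rejects a config that they can write to.
not_shared_writable() { lacks_bits "$1" 020 002; }

# Certificate and key belong together when they carry the same public key.
cert_matches_key() {  # usage: cert_matches_key CRT KEY
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

preflight() {  # usage: preflight CERT_DIR FILEBEAT_YML
    rc=0
    key_is_private "$1/selfsigned.key" ||
        { echo "FAIL: selfsigned.key missing or open to group/others (chmod 600)"; rc=1; }
    cert_matches_key "$1/selfsigned.crt" "$1/selfsigned.key" ||
        { echo "FAIL: selfsigned.crt does not match selfsigned.key"; rc=1; }
    not_shared_writable "$2" ||
        { echo "FAIL: $2 missing or writable by group/others (chmod go-w)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key, certificate and config pass the checks"
    return "$rc"
}

# Run as: sh preflight.sh /path/to/filebeat/cert /path/to/filebeat/filebeat.yml
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

A failed check prints the chmod that fixes it; the script itself changes nothing.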