Filebeat helps you keep the simple things simple by offering a lightweight way to forward and centralize logs and files.

In Security Onion 2, Filebeat collects logs from the filesystem. On an Evaluation installation, Filebeat sends those logs directly to Elasticsearch. For other installation types, Filebeat sends to Logstash.


You can configure Filebeat inputs and output using Salt. An example of the filebeat pillar can be seen at

Any inputs that are added the pillar definition will be in addition to the default defined inputs. In order to prevent a Zeek log from being used as input, the zeeklogs:enabled pillar will need to be modified. Find the default definition at Copy the contents of this file and place it in either the global or minion pillar file depending on if you want the changes to be global or specific to that individual node. If there is a log file that you would like to disable, move that entry from the enabled list to the disabled list. Be sure to follow the proper indentation for YAML.

Diagnostic Logging

Filebeat’s log can be found in /opt/so/log/filebeat/.

More Information

See also

For more information about Filebeat, please see