Filebeat helps you keep the simple things simple by offering a lightweight way to forward and centralize logs and files.
In Security Onion 2, Filebeat collects logs from the filesystem. On an Evaluation installation, Filebeat sends those logs directly to Elasticsearch. For all other installation types, Filebeat sends them to Logstash.
You can configure Filebeat inputs and output using Salt. An example of the filebeat pillar can be seen at https://github.com/Security-Onion-Solutions/securityonion/blob/master/salt/filebeat/pillar.example
Any inputs added to the pillar definition are in addition to the default inputs, not a replacement for them. To prevent a particular Zeek log from being used as an input, modify the zeeklogs:enabled pillar; the easiest way to do this is with so-zeek-logs.
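As an added illustration (not taken from the Security Onion repository), the fragment below adds one extra Filebeat input alongside the defaults and trims the list of Zeek logs that are forwarded. The `filebeat: config: inputs` nesting and the list form of `zeeklogs: enabled` are assumptions to check against the pillar.example linked above; the keys inside the input itself are standard Filebeat `log` input options, and the path and field values are constructed for the example.

```yaml
# Added example; confirm key nesting against the linked pillar.example.
# Inputs listed here are merged with Security Onion's default inputs.
filebeat:
  config:
    inputs:
      - type: log
        enabled: true
        paths:
          - /nsm/custom/app/*.log      # constructed path for illustration
        fields:
          module: custom               # constructed field values used for routing
          dataset: app
        fields_under_root: true        # place custom fields at the event top level
        close_inactive: 5m             # release the handle on logs that go idle
        exclude_files: ['\.gz$']       # skip rotated, compressed files

# Zeek logs not in this list are not read by Filebeat.
# Normally maintained with so-zeek-logs rather than edited by hand.
zeeklogs:
  enabled:
    - conn
    - dns
    - http
    - ssl
```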
Filebeat’s log can be found in