Filebeat helps you keep the simple things simple by offering a lightweight way to forward and centralize logs and files.

In Security Onion 2, Filebeat collects logs from the filesystem. On an Evaluation installation, Filebeat sends those logs directly to Elasticsearch. For other installation types, Filebeat sends to Logstash.


You can configure Filebeat inputs and output using Salt. An example of the filebeat pillar can be seen at

Any inputs that are added to the pillar definition will be in addition to the default defined inputs. In order to prevent a Zeek log from being used as input, the zeeklogs:enabled pillar will need to be modified. The easiest way to do this is via so-zeek-logs.

Diagnostic Logging

Filebeat’s log can be found in /opt/so/log/filebeat/.

More Information

See also

For more information about Filebeat, please see