Get a DemoStart Free TrialSign In


Ship your Falco logs using Filebeat to your Stack

Configure Falco to ship logs via Filebeat to your stacks via Logstash.

Follow this step by step guide to get 'logs' from your system to

Step 1 - Install Filebeat

To get started first follow the steps below:

  • Install
  • Root access
  • Verify the required port is open

Older versions can be found here 7, 6, 5

Step 2 - Configure Falco Logging

Falco serves as a container security and threat detection engine for Kubernetes at runtime, that detects unauthorized container activity and logs it. Falco has been approved by the CNCF for this purpose.

Set the output format to JSON

  • Locate the configuration file, which is typically named /etc/falco/falco.yaml.
  • Open the configuration file with a text editor of your choice.
  • Ensure json_output: true and json_include_output_property: true
  • Save the changes to the configuration file.
  • Restart the Falco service to apply the updated configuration.

Look up the filepath to Falco's logs

  • In the same configuration file /etc/falco/falco.yaml
  • Under file_output: make a note of the filename: value, this will be used in step 3 to configure Filebeat.

It's important to review the Falco documentation for any specific guidance or instructions if you need to customise how logging is configured.

In the pre-configuted Filebeat configuration file below be sure to update the path to your Falco events log file. This path can vary depending on your installation.

Step 3 - Configure Filebeat.yml

The configuration file below is pre-configured to send data to your Stack.

Copy the configuration file below and overwrite the contents of the Filebeat configuration file typically located at /etc/filebeat/filebeat.yml

# ============================== Filebeat inputs ===============================

- type: filestream

  enabled: true


  fields_under_root: true
  encoding: utf-8
  ignore_older: 12h

# ================================== Outputs ===================================
    hosts: ["your-logstash-host:your-ssl-port"]
    loadbalance: true
    ssl.enabled: true

If you’re running Filebeat 7.10 or older, change the type as shown below.

- type: log

It’s a good idea to run the configuration file through a YAML validator to rule out indentation errors, clean up extra characters, and check if your YAML file is valid. is a great choice.

Step 4 - Validate configuration

If you have issues starting in the next step, you can use these commands below to troubleshoot.

Let's check the configuration file is syntactically correct by running directly inside the terminal. If the file is invalid, will print an error loading config file error message with details on how to correct the problem.


sudo  -e -c /etc//.yml


sudo ./ -e -c .yml


.\.exe -e -c .yml

Step 5 - Start filebeat

Start or restart to apply the configuration changes.

Step 6 - Launch to view your logs

Now you should view your data:

View my data

If you don't see logs take a look at How to diagnose no data in Stack below for how to diagnose common issues.

Step 7 - How to diagnose no data in Stack

If you don't see data appearing in your Stack after following the steps, visit the Help Centre guide for steps to diagnose no data appearing in your Stack or Chat to support now.

Step 8 - Falco Overview

Falco is a free, open-source container security monitoring solution that provides real-time threat detection and response capabilities. It is designed to help organizations identify and respond to security incidents in containerized environments.

To effectively monitor and analyze security events in containerized environments, it is essential to have a reliable and efficient log management solution. Falco provides a centralized platform for collecting, processing, and visualizing security-related data in real-time. It can be used to monitor various activities in container environments, such as network connections, file system access, and process execution.

To send data from Falco to other systems or services, organizations can use various output options, including JSON logs, Syslog, and gRPC. For instance, to output JSON logs to a file, users can modify the Falco configuration file and add the necessary output configuration.

In summary, using Falco as a container security monitoring solution provides organizations with a reliable and efficient way to detect and respond to security incidents in real-time. By leveraging the output options and various agents and modules, organizations can collect and analyze data from container environments and gain valuable insights into their security posture.

If you need any further assistance with migrating your log data to ELK we're here to help you get started. Feel free to get in contact with our support team by sending us a message via live chat & we'll be happy to assist.

Return to Search
Sign Up

© 2023 Ltd, All rights reserved.