Get a DemoStart Free TrialSign In

Falco

Ship your Falco logs using Filebeat to your Logit.io Stack

Configure Falco to ship logs via Filebeat to your Logit.io stacks via Logstash.

Send Your DataLogsPlatformsFalco Guide

Follow this step by step guide to get 'logs' from your system to Logit.io:

Step 1 - Install Filebeat

To get started you will need to install filebeat. To do this you have two main options:

To successfully install filebeat and set up the required Windows service you will need to have administrator access.

If you have chosen to download the zip file:

  • Extract the contents of the zip file into C:\Program Files.
  • Rename the extracted folder to filebeat
  • Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
  • From the PowerShell prompt, run the following commands to install filebeat as a Windows service:
cd 'C:\Program Files\filebeat'

.\install-service-filebeat.ps1

If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: 

PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1

For more information about Powershell execution policies see here

If you have chosen to download the filebeat.msi file:

  • double-click on it and the relevant files will be downloaded.

At the end of the installation process you'll be given the option to open the folder where filebeat has been installed.

  • Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
  • From the PowerShell prompt, change directory to the location where filebeat was installed and run the following command to install filebeat as a Windows service:
.\install-service-filebeat.ps1

If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: 

PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1

For more information about Powershell execution policies see here

To get started you will need to install filebeat. To do this you have two main options:

  • Choose the AMD / Intel file (x86_64) or
  • Choose the ARM file (arm64)

You can tell if you have a Linux PC with an AMD / Intel CPU (kernel) architecture by opening a terminal and running the uname -m command. If it displays x86_64 you have AMD / Intel architecture.

To successfully install filebeat you will need to have root access.

If you have an x86_64 system download and extract the contents of the file using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-linux-x86_64.tar.gz
tar xzvf filebeat-8.12.2-linux-x86_64.tar.gz

If you have an arm64 system download and extract the contents of the file using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-linux-arm64.tar.gz
tar xzvf filebeat-8.12.2-linux-arm64.tar.gz

To get started you will need to install filebeat. To do this you have two main options:

  • Choose the AMD / Intel file (x86_64) or
  • Choose the ARM file (aarch64)

You can tell if you have a Mac with an ARM CPU architecture by opening the Terminal application and running the arch command. If it displays arm64 you have ARM architecture.

To successfully install filebeat you will need to have root access.

If you have an x86_64 system download and extract the contents of the file using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-darwin-x86_64.tar.gz
tar xzvf filebeat-8.12.2-darwin-x86_64.tar.gz

If you have an aarch64 system download and extract the contents of the file using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-darwin-aarch64.tar.gz
tar xzvf filebeat-8.12.2-darwin-aarch64.tar.gz

To get started you will need to install filebeat. To do this you have two main options:

  • Choose the AMD / Intel file (x86_64) or
  • Choose the ARM file (aarch64)

You can tell if you have a PC with an ARM CPU architecture by opening the Terminal application and running the arch command. If it displays arm64 you have ARM architecture.

To successfully install filebeat you will need to have root access.

If you have an x86_64 system download and install filebeat using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-amd64.deb
sudo dpkg -i filebeat-8.12.2-amd64.deb

If you have an aarch64 system download and install filebeat using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-arm64.deb
sudo dpkg -i filebeat-8.12.2-arm64.deb

To get started you will need to install filebeat. To do this you have two main options:

  • Choose the AMD / Intel file (x86_64) or
  • Choose the ARM file (aarch64)

You can tell if you have a PC with an ARM CPU architecture by opening the Terminal application and running the arch command. If it displays arm64 you have ARM architecture.

To successfully install filebeat you will need to have root access.

If you have an x86_64 system download and install filebeat using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-x86_64.rpm
sudo rpm -vi filebeat-8.12.2-x86_64.rpm

If you have an aarch64 system download and install filebeat using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-aarch64.rpm
sudo rpm -vi filebeat-8.12.2-aarch64.rpm

Step 2 - Configure Falco Logging

Falco serves as a container security and threat detection engine for Kubernetes at runtime, that detects unauthorized container activity and logs it. Falco has been approved by the CNCF for this purpose.

Set the output format to JSON

  • Locate the configuration file, which is typically named /etc/falco/falco.yaml.
  • Open the configuration file with a text editor of your choice.
  • Ensure json_output: true and json_include_output_property: true
  • Save the changes to the configuration file.
  • Restart the Falco service to apply the updated configuration.

Look up the filepath to Falco's logs

  • In the same configuration file /etc/falco/falco.yaml
  • Under file_output: make a note of the filename: value, this will be used in step 3 to configure Filebeat.

It's important to review the Falco documentation for any specific guidance or instructions if you need to customise how logging is configured.

In the pre-configuted Filebeat configuration file below be sure to update the path to your Falco events log file. This path can vary depending on your installation.

Step 3 - Configure Filebeat.yml

The configuration file below is pre-configured to send data to your Logit.io Stack.

Copy the configuration file below and overwrite the contents of the Filebeat configuration file typically located at /etc/filebeat/filebeat.yml

# ============================== Filebeat inputs ===============================
filebeat.inputs:

- type: filestream

  enabled: true

  paths:
  - /enter-the-filepath-to-your-Falco-events-log

  fields:
     type: Falco
  fields_under_root: true
  encoding: utf-8
  ignore_older: 12h

# ================================== Outputs ===================================
output.logstash:
    hosts: ["your-logstash-host:your-ssl-port"]
    loadbalance: true
    ssl.enabled: true

If you’re running Filebeat 7.10 or older, change the type as shown below.

- type: log

It’s a good idea to run the configuration file through a YAML validator to rule out indentation errors, clean up extra characters, and check if your YAML file is valid. Yamllint.com is a great choice.

Step 4 - Validate configuration

.\filebeat.exe -e -c filebeat.yml
If the yml file is invalid, filebeat will print an `error loading config file` error message with details on how to correct the problem. If you have issues starting filebeat see "How To Diagnose No Data In Stack" below to troubleshoot. 
sudo ./filebeat -e -c filebeat.yml --strict.perms=false

You’ll be running filebeat as root, so you need to change ownership of the configuration file and any configurations enabled in the modules.d directory, or run filebeat with --strict.perms=false as shown above. Read more about how to change ownership.

If the yml file is invalid, filebeat will print an `error loading config file` error message with details on how to correct the problem. If you have issues starting filebeat see "How To Diagnose No Data In Stack" below to troubleshoot. 
sudo ./filebeat -e -c filebeat.yml --strict.perms=false

You’ll be running filebeat as root, so you need to change ownership of the configuration file and any configurations enabled in the modules.d directory, or run filebeat with --strict.perms=false as shown above. Read more about how to change ownership.

If the yml file is invalid, filebeat will print an `error loading config file` error message with details on how to correct the problem. If you have issues starting filebeat see "How To Diagnose No Data In Stack" below to troubleshoot. 
sudo filebeat -e -c /etc/filebeat/filebeat.yml
If the yml file is invalid, filebeat will print an `error loading config file` error message with details on how to correct the problem. If you have issues starting filebeat see "How To Diagnose No Data In Stack" below to troubleshoot. 
sudo filebeat -e -c /etc/filebeat/filebeat.yml
If the yml file is invalid, filebeat will print an `error loading config file` error message with details on how to correct the problem. If you have issues starting filebeat see "How To Diagnose No Data In Stack" below to troubleshoot.

Step 5 - Start filebeat

To start Filebeat, run in Powershell:

Start-Service filebeat

To start Filebeat, run:

sudo chown root filebeat.yml 
sudo chown root modules.d/{modulename}.yml 
sudo ./filebeat -e

You’ll be running as root, so you need to change ownership of the configuration file and any configurations enabled in the modules.d directory, or run with --strict.perms=false as shown above. Read more about how to change ownership.

To start Filebeat, run:

sudo chown root filebeat.yml 
sudo chown root modules.d/{modulename}.yml 
sudo ./filebeat -e

You’ll be running as root, so you need to change ownership of the configuration file and any configurations enabled in the modules.d directory, or run with --strict.perms=false as shown above. Read more about how to change ownership.

To start Filebeat, run:

sudo service filebeat start

To start Filebeat, run:

sudo service filebeat start

Step 6 - Launch Logit.io to view your logs

Data should now have been sent to your Stack.

View my data

If you don't see logs take a look at How to diagnose no data in Stack below for how to diagnose common issues.

Step 7 - How to diagnose no data in Stack

If you don't see data appearing in your Stack after following the steps, visit the Help Centre guide for steps to diagnose no data appearing in your Stack or Chat to support now.

Step 8 - Falco Overview

Falco is a free, open-source container security monitoring solution that provides real-time threat detection and response capabilities. It is designed to help organizations identify and respond to security incidents in containerized environments.

To effectively monitor and analyze security events in containerized environments, it is essential to have a reliable and efficient log management solution. Falco provides a centralized platform for collecting, processing, and visualizing security-related data in real-time. It can be used to monitor various activities in container environments, such as network connections, file system access, and process execution.

To send data from Falco to other systems or services, organizations can use various output options, including JSON logs, Syslog, and gRPC. For instance, to output JSON logs to a file, users can modify the Falco configuration file and add the necessary output configuration.

In summary, using Falco as a container security monitoring solution provides organizations with a reliable and efficient way to detect and respond to security incidents in real-time. By leveraging the output options and various agents and modules, organizations can collect and analyze data from container environments and gain valuable insights into their security posture.

If you need any further assistance with migrating your log data to ELK we're here to help you get started. Feel free to get in contact with our support team by sending us a message via live chat & we'll be happy to assist.