Falco

Ship your Falco logs using Filebeat to your Logit.io Stack

Configure Falco to ship logs via Filebeat to your Logit.io stacks via Logstash.

Send Your Data Logs PlatformsFalco Guide

Follow this step by step guide to get 'logs' from your system to Logit.io:

Step 1 - Install Filebeat

To get started first follow the steps below:

Install
Root access
Verify the required port is open

Older versions can be found here 7, 6, 5

Step 2 - Configure Falco Logging

Falco serves as a container security and threat detection engine for Kubernetes at runtime, that detects unauthorized container activity and logs it. Falco has been approved by the CNCF for this purpose.

Set the output format to JSON

Locate the configuration file, which is typically named /etc/falco/falco.yaml.
Open the configuration file with a text editor of your choice.
Ensure json_output: true and json_include_output_property: true
Save the changes to the configuration file.
Restart the Falco service to apply the updated configuration.

Look up the filepath to Falco's logs

In the same configuration file /etc/falco/falco.yaml
Under file_output: make a note of the filename: value, this will be used in step 3 to configure Filebeat.

It's important to review the Falco documentation for any specific guidance or instructions if you need to customise how logging is configured.

In the pre-configuted Filebeat configuration file below be sure to update the path to your Falco events log file. This path can vary depending on your installation.

Step 3 - Configure Filebeat.yml

The configuration file below is pre-configured to send data to your Logit.io Stack.

Copy the configuration file below and overwrite the contents of the Filebeat configuration file typically located at /etc/filebeat/filebeat.yml

# ============================== Filebeat inputs ===============================
filebeat.inputs:

- type: filestream

  enabled: true

  paths:
  - 

  fields:
     type: 
  fields_under_root: true
  encoding: utf-8
  ignore_older: 12h

# ================================== Outputs ===================================
output.logstash:
    hosts: ["your-logstash-host:your-ssl-port"]
    loadbalance: true
    ssl.enabled: true

If you’re running Filebeat 7.10 or older, change the type as shown below.

- type: log

It’s a good idea to run the configuration file through a YAML validator to rule out indentation errors, clean up extra characters, and check if your YAML file is valid. Yamllint.com is a great choice.

Step 4 - Validate configuration

If you have issues starting in the next step, you can use these commands below to troubleshoot.

Let's check the configuration file is syntactically correct by running directly inside the terminal. If the file is invalid, will print an error loading config file error message with details on how to correct the problem.

deb/rpm

sudo  -e -c /etc//.yml

macOS

cd <EXTRACTED_ARCHIVE>
sudo ./ -e -c .yml

Windows

cd <EXTRACTED_ARCHIVE>
.\.exe -e -c .yml

Step 5 - Start filebeat

Start or restart to apply the configuration changes.

Step 6 - Launch Logit.io to view your logs

Now you should view your data:

View my data

If you don't see logs take a look at How to diagnose no data in Stack below for how to diagnose common issues.

Step 7 - How to diagnose no data in Stack

If you don't see data appearing in your Stack after following the steps, visit the Help Centre guide for steps to diagnose no data appearing in your Stack or Chat to support now.

Step 8 - Falco Overview

Falco is a free, open-source container security monitoring solution that provides real-time threat detection and response capabilities. It is designed to help organizations identify and respond to security incidents in containerized environments.

To effectively monitor and analyze security events in containerized environments, it is essential to have a reliable and efficient log management solution. Falco provides a centralized platform for collecting, processing, and visualizing security-related data in real-time. It can be used to monitor various activities in container environments, such as network connections, file system access, and process execution.

To send data from Falco to other systems or services, organizations can use various output options, including JSON logs, Syslog, and gRPC. For instance, to output JSON logs to a file, users can modify the Falco configuration file and add the necessary output configuration.

In summary, using Falco as a container security monitoring solution provides organizations with a reliable and efficient way to detect and respond to security incidents in real-time. By leveraging the output options and various agents and modules, organizations can collect and analyze data from container environments and gain valuable insights into their security posture.

If you need any further assistance with migrating your log data to ELK we're here to help you get started. Feel free to get in contact with our support team by sending us a message via live chat & we'll be happy to assist.

Logging

Metrics

Observability

Features

Grafana Demo

Prometheus as a Service

ELK as a Service

Monitoring

Logging

Compliance and Auditing

Analysis

Platform-Specific Logging

CMMC Solution

CMMC For Small & Medium Sized Enterprises

Compliance For Higher Education

Observability For Manufacturers

Logging for Retailers

Source Integrations

Platform Status

Help Centre

Blog

Integrations

Why Logit?

Security

Consultancy

Partners

Legal