Installing filebeat on Raspberry PI 3 (amd64)

Currently I’m experimenting with using a Raspberry PI 3 B+ as a network security monitoring (NSM) sensor node. So I have Bro and Suricata installed on that little guy, running Kali Linux for arm64. But I need a modern way to transport the logs to the log monitoring station: not syslog-ng or rsyslog, but the best log shipper for the Elastic stack, and that is Beats, or more precisely Filebeat.

Problem: unfortunately, despite desperate inquiries from users in the forums, Elastic does not provide arm64 binaries or a .deb package for Beats. After trying some other paths I came across some recipes for installing Beats on arm64 by manually compiling the binary with Go. I have to say, Go is marvelous! On the PI itself I had bad luck, because the “go build” quickly finished with out-of-memory. So that didn’t work, unfortunately, on that little pal.

But because Go is so cool, I just “cross-compiled” it on a bigger laptop, also running Kali Linux. And that’s so easy that I have to tell the world, because the other recipes are sometimes too specific, and parts are missing for a fully working manual installation, which is more than just the filebeat binary.

Step one: on the other Debian-based system, the laptop, you of course need Go installed as well.

# export GOPATH=$PWD/go
# mkdir -p go/src/github.com/elastic
# cd go/src/github.com/elastic
# git clone https://github.com/elastic/beats.git

You could also get the sources with “go get”, but that doesn’t matter, the result is the same.
Now the important step, watch out:

# export GOARCH=arm64
# cd beats/filebeat
# go build -v -x

The flags are just there to see what’s happening, as go build is very quiet otherwise. Magic: in a few seconds you have a “filebeat” binary in this directory!
Try:

# file filebeat
filebeat: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, Go BuildID=svVi8LJGhqXEjRJveTrA/7cOYouMPn1VzyeJqwq3W/TXZ3DZ8Wa_QYdKnsR8cm/8bg35yoawYw18mAJ30oX, not stripped

Remember, we are on amd64, not arm64, on the laptop!
Now just copy the file over to the PI using ssh and test it there:

# ./filebeat --help

Works! But when you try

# ./filebeat modules list

It does not show any, because we are missing something: all the module configurations and Kibana dashboards that are normally also contained in the .deb package. So on the laptop just install filebeat; for amd64 there is of course a package:

# cd ~/Downloads
# curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.1.1-amd64.deb
# dpkg -i filebeat-7.1.1-amd64.deb
# filebeat modules list

Here you get the modules, of course.
Now let’s just see what’s in the Debian package:

# dpkg --listfiles filebeat | more

As you can see, besides the binary (for amd64) there are no other binaries in the .deb, just lots of YAML and JSON files. Now that’s of course good news.
So what I did to get a fully functional installation is simply copy the files from the laptop to the PI using SSH: /etc/init.d/filebeat, /etc/filebeat/*, /usr/share/filebeat, /lib/systemd/system and /usr/bin/filebeat (a script). Then place the compiled arm64 binary in “/usr/share/filebeat/bin/filebeat” and we’re good to go on the PI:

# filebeat modules list

And here we get the list.
Of course, this is not a package that will be managed by apt-get. Maybe (I didn’t try) one could force the installation of the official amd64 .deb package and only exchange the compiled binary.
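As an added example (not part of Peter’s post), here is a small POSIX sh script that wraps the manual steps above with two checks a sensor build should have: verifying the downloaded .deb against Elastic’s published SHA-512, and confirming that the binary dropped into /usr/share/filebeat/bin really is an AArch64 ELF before it is shipped to the PI. It assumes the .sha512 companion file exists next to the .deb on artifacts.elastic.co and that dpkg-deb is available on the laptop; unpacking the .deb with dpkg-deb -x instead of installing it is my variation, not the author’s step.

```shell
#!/bin/sh
# Added example, not from the original post: checks for the hand-assembled
# Filebeat installation described above. Assumes Elastic publishes a .sha512
# file next to each .deb on artifacts.elastic.co, and that dpkg-deb and
# sha512sum are available on the amd64 laptop.
set -eu

# One unsigned byte at offset $2 of file $1, via od (works without `file`/readelf).
byte_at() { od -An -tu1 -j"$2" -N1 "$1" | tr -d ' '; }

# Print e_machine of a little-endian ELF file (2 bytes at offset 18).
# Fails (prints nothing) if the magic or the byte order does not match.
elf_machine() {
  f=$1
  set -- $(od -An -tu1 -N4 "$f")                 # magic: 0x7f 'E' 'L' 'F'
  [ "${1:-}${2:-}${3:-}${4:-}" = "127697670" ] || return 1
  [ "$(byte_at "$f" 5)" = "1" ] || return 1       # EI_DATA 1 = little-endian
  echo $(( $(byte_at "$f" 18) + $(byte_at "$f" 19) * 256 ))
}

# 183 (0xB7) is EM_AARCH64; 62 (0x3E) would mean the amd64 binary slipped through.
is_arm64() { [ "$(elf_machine "$1" || true)" = "183" ]; }

# Verify the downloaded amd64 .deb against Elastic's published SHA-512
# before unpacking anything from it. $1 = .deb URL (as used on this page).
verify_deb() {
  curl -fsSL -O "$1" && curl -fsSL -O "$1.sha512"
  sha512sum -c "$(basename "$1").sha512"
}

# Rebuild the tree the post copies file by file: unpack the .deb payload
# (configs, modules, dashboards, service files, /usr/bin wrapper) into a
# staging dir and drop in the cross-compiled binary, refusing anything that
# is not an AArch64 ELF. $1 = .deb, $2 = arm64 filebeat, $3 = staging dir.
stage_payload() {
  is_arm64 "$2" || { echo "$2 is not an arm64 ELF binary" >&2; return 1; }
  dpkg-deb -x "$1" "$3"
  install -m 0755 "$2" "$3/usr/share/filebeat/bin/filebeat"
  # then, from the laptop: rsync -a "$3"/ root@<pi-address>:/
}
```

Typical use on the laptop: `verify_deb https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.1.1-amd64.deb && stage_payload filebeat-7.1.1-amd64.deb ~/go/src/github.com/elastic/beats/filebeat/filebeat ./stage`.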

Hope this helps, Peter