## Data Shippers

#### Beats is the platform for single-purpose data shippers. They send data from hundreds or thousands of machines and systems to Logstash or Elasticsearch.

#### In this module we will guide the user through the installation of the beats listed below, which allows the collection of various types of host data:

* Filebeat
* Packetbeat
* Metricbeat
* Auditbeat
* Heartbeat

### Filebeat installation

In [None]:
%%bash
sudo apt install -y filebeat

### Disable default configuration

##### The `sed` commands below comment out several stock settings (among them the default `output.elasticsearch` block) by line number. Those numbers match the filebeat.yml shipped with the version used in this module; on any other version, open the file and confirm what sits on those lines before running them, because a wrong line number silently comments out something else and the file still parses.

In [None]:
%%bash
sudo sed -i '28 s/^/#/' /etc/filebeat/filebeat.yml
sudo sed -i '117 s/^/#/' /etc/filebeat/filebeat.yml
sudo sed -i '148 s/^/#/' /etc/filebeat/filebeat.yml
sudo sed -i '150 s/^/#/' /etc/filebeat/filebeat.yml
sudo sed -i '176,178 s/^/#/' /etc/filebeat/filebeat.yml

### Enable Configuration to Communicate Filebeat with Logstash

##### As we want to establish a connection between Filebeat and Logstash, recall that we have already secured all communication with Logstash using SSL/TLS. Any beat that connects to Logstash therefore has to trust the certificate we generated on the Logstash node: the beat verifies the server certificate Logstash presents against that file, so a host presenting a different certificate is rejected.

##### On this node the certificate is located at "/etc/pki/tls/certs/logstash-forwarder.crt". Before setting up the Filebeat configuration, we first check that we can reach the Logstash port at all, using the following command:

~~~
telnet <LOGSTASH-IP-ADDRESS> 5044
~~~

##### You will get a message stating "Connected to ...". To exit, press CTRL+] and then type quit (or press CTRL+D). A successful connection only proves that the TCP port is open; the certificate is checked in the next step.

##### Now let us validate the certificate. The Beats port speaks TLS but not HTTP, so the interesting part of curl's output is the handshake: with the `https://` scheme curl verifies Logstash's certificate against the CA file and reports "SSL certificate verify ok"; the HTTP request it sends afterwards is then refused or simply times out, which is expected. Without the scheme curl would speak plain HTTP and never use the certificate at all. A verification error here (for example a name mismatch, since the certificate must contain the IP address or hostname you connect to) will produce the same failure in Filebeat, so fix it before going on:

~~~
curl -v --cacert /etc/pki/tls/certs/logstash-forwarder.crt https://<LOGSTASH-IP-ADDRESS>:5044
~~~

##### Let us now set the log files we would like Filebeat to track and ship to Logstash, the IP address and port on which Logstash will receive our data, and the location of the CA certificate that secures the communication between Filebeat and Logstash. The line numbers in the `sed` commands again refer to the stock filebeat.yml of this version.

In [None]:
%%bash

# Add the two log files to the paths of the default log input.
sudo sed -i "28i \ \ \ \ - /var/log/auth.log" /etc/filebeat/filebeat.yml
sudo sed -i "29i \ \ \ \ - /var/log/syslog" /etc/filebeat/filebeat.yml

# Uncomment "output.logstash:".
sudo sed -i '160 s/^#//g' /etc/filebeat/filebeat.yml 

# Logstash node; adjust to your environment.
export ls_ip="10.1.1.14"

sudo sed -i "162i \ \ hosts: [\"$ls_ip:5044\"]" /etc/filebeat/filebeat.yml

# CA used to verify Logstash's certificate. Leave ssl.verification_mode at its default ("full").
sudo sed -i '167i \ \ ssl.certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]' /etc/filebeat/filebeat.yml
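The line-number edits above are hard to review after the fact. As an added example (not part of the original notebook), the script below writes out the filebeat.yml those edits are meant to produce, so it can be diffed against `/etc/filebeat/filebeat.yml`, and checks the settings that matter for the Logstash link: Logstash output on port 5044, a CA configured, no second output, and certificate verification not switched off. The Logstash address 10.1.1.14 and the CA path are the values used on this page; the file name under `/tmp` is an assumption of the example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notebook: the filebeat.yml that the sed edits
# above are meant to produce, written by a function so it can be diffed against
# /etc/filebeat/filebeat.yml, plus a check of the settings that matter for the TLS link.
# Assumed values: Logstash at 10.1.1.14:5044 and the CA path used on this page.
set -eu

# Write a minimal known-good filebeat.yml to $1 (Logstash IP in $2, CA file in $3).
write_reference_filebeat_yml() {
  out="$1"; ls_ip="${2:-10.1.1.14}"; ca="${3:-/etc/pki/tls/certs/logstash-forwarder.crt}"
  cat > "$out" <<EOF
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/auth.log
      - /var/log/syslog

# Modules (the "system" module is enabled later in the notebook) load from modules.d.
filebeat.config.modules:
  path: \${path.config}/modules.d/*.yml
  reload.enabled: false

# The Elasticsearch output stays commented out: Filebeat refuses to start with two
# outputs, and in this setup everything goes through Logstash.
#output.elasticsearch:
#  hosts: ["localhost:9200"]

output.logstash:
  hosts: ["${ls_ip}:5044"]
  # Filebeat verifies the certificate Logstash presents against this CA.
  # ssl.verification_mode defaults to "full" (CA chain plus hostname); leave it there.
  ssl.certificate_authorities: ["${ca}"]
EOF
}

# Return 0 if $1 ships to Logstash over verified TLS and nothing else; print the reason
# and return 1 otherwise.
check_filebeat_yml() {
  f="$1"; rc=0
  grep -Eq '^output\.logstash:' "$f" \
    || { echo "output.logstash is not enabled"; rc=1; }
  grep -Eq '^[[:space:]]+hosts: \["[^"]+:5044"\]' "$f" \
    || { echo "no Logstash host on port 5044"; rc=1; }
  grep -Eq '^[[:space:]]+ssl\.certificate_authorities: \[".+"\]' "$f" \
    || { echo "no CA configured: the TLS connection cannot be verified"; rc=1; }
  # Two silent weakenings: an active Elasticsearch output (bypasses Logstash) and
  # certificate verification switched off.
  if grep -Eq '^output\.elasticsearch:' "$f"; then
    echo "output.elasticsearch is active"; rc=1
  fi
  if grep -Eq '^[[:space:]]+ssl\.verification_mode:[[:space:]]*none' "$f"; then
    echo "ssl.verification_mode: none disables certificate checking"; rc=1
  fi
  return "$rc"
}

# Stand-alone run: write the reference file to /tmp and check it.
write_reference_filebeat_yml /tmp/filebeat.reference.yml
check_filebeat_yml /tmp/filebeat.reference.yml && echo "reference config OK"
```

After the real file passes the check, `sudo filebeat test config -c /etc/filebeat/filebeat.yml` and `sudo filebeat test output -c /etc/filebeat/filebeat.yml` (the same two subcommands the Packetbeat section below runs) confirm that the YAML parses and that a TLS connection to Logstash succeeds with the configured CA.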

### Enabling Filebeat's system module

##### Filebeat modules bundle the inputs and parsing for common log sources. The system module collects and parses the logs written by Ubuntu's system logging service (the syslog and auth filesets, i.e. /var/log/syslog and /var/log/auth.log). These are the same two files added to the log input above; if that input is enabled as well, every line is shipped twice. To enable the system module, run the command below:

In [None]:
%%bash
sudo filebeat modules enable system

##### You can verify that the system module has been enabled with the following command:

~~~
sudo filebeat modules list
~~~

### Loading index templates

##### An index is a collection of documents that share similar characteristics. An index template defines the mappings and settings that Elasticsearch applies automatically whenever a new index matching the template's pattern (here, Filebeat's indices) is created, so the fields Filebeat sends are typed correctly. Let us list the templates currently loaded in Elasticsearch with the following command. (The `elastic` superuser password appears on the command line throughout this module because it is a lab; in production, keep it in a `.netrc` file or use a dedicated, less privileged user.)


In [None]:
%%bash
curl -u elastic:elasticsiem -XGET '<ELASTICSEARCH-IP-ADDRESS>:9200/_template?filter_path=*.version&pretty'

##### As we can observe, there are no templates defined for Filebeat indices. Let us export the template that Filebeat would install itself and load it into Elasticsearch under the name of the installed version:

In [None]:
%%bash
cd ~
# Export the template from the installed Filebeat, then PUT it under the name matching
# the installed version (filebeat-7.3.0 here) and confirm it is listed.
sudo /usr/share/filebeat/bin/filebeat export template -c /etc/filebeat/filebeat.yml > "$HOME/filebeat.template.json"
curl -u elastic:elasticsiem -H 'Content-Type: application/json' -XPUT '<ELASTICSEARCH-IP-ADDRESS>:9200/_template/filebeat-7.3.0' -d@"$HOME/filebeat.template.json"
curl -s -u elastic:elasticsiem -XGET '<ELASTICSEARCH-IP-ADDRESS>:9200/_template/' | jq 'keys'

### Installing Kibana dashboards for Filebeat

##### `filebeat setup` loads the Kibana dashboards (and, because it talks to Elasticsearch directly, also the index template and ILM policy). The Logstash output is disabled for this one-off command so that the beat can reach Elasticsearch and Kibana itself.

In [None]:
%%bash
sudo filebeat setup -e \
  -E output.logstash.enabled=false \
  -E 'output.elasticsearch.hosts=["<ELASTICSEARCH-IP-ADDRESS>:9200"]' \
  -E 'setup.kibana.host=<KIBANA-IP-ADDRESS>:5601' \
  -E output.elasticsearch.username=elastic \
  -E output.elasticsearch.password=elasticsiem

### Start Filebeat

In [None]:
%%bash
sudo systemctl start filebeat
sudo systemctl enable filebeat

### Alternatively, you can run Filebeat in the foreground with debug output for the publisher, which prints each event as it is sent to Logstash:

~~~
sudo /usr/share/filebeat/bin/filebeat -e -d "publish" -c /etc/filebeat/filebeat.yml
~~~

### Re-processing data with Filebeat

##### If you change some of the filters you set on Logstash and would like to process your data again, the order matters: stop Filebeat, delete the indices where your data was stored, delete Filebeat's registry (where it records how far it has read each file), and start Filebeat again so that every file is harvested from the beginning. Deleting the registry while Filebeat is still running does not work, because it writes its in-memory state back to the registry.

##### To delete the Filebeat registry, use the following command:

~~~
sudo rm -R /var/lib/filebeat/registry
~~~

##### Note: when you re-process data this way, the `@timestamp` of each replayed event is the time at which Filebeat read the line, not the time at which the log was generated, so everything lands at the moment of the replay. The timestamp can be replaced by adding a rule on Logstash (the `date` filter) that parses the timestamp at the beginning of each log line and writes it into `@timestamp`.
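The procedure above as a script, added here as an example and not part of the original notebook. It runs the four steps in the order that works (Filebeat is stopped before its registry is removed), refuses an index pattern that would wipe the whole cluster, and with `DRY_RUN=1` only prints the steps so the plan can be reviewed first. The Elasticsearch placeholder, the `elastic` user and the registry path are the ones used on this page; the `filebeat-*` index pattern and the environment-variable names are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notebook: re-process logs after a Logstash
# filter change, in the order that actually works. Filebeat writes its in-memory state
# back to the registry, so the registry is only removed after the service is stopped.
# Assumptions: Elasticsearch at ES_URL with the elastic user from this page and Filebeat
# indices matching filebeat-*; with DRY_RUN=1 the steps are printed instead of executed.
set -eu

ES_URL="${ES_URL:-http://<ELASTICSEARCH-IP-ADDRESS>:9200}"
ES_USER="${ES_USER:-elastic}"
ES_PASS="${ES_PASS:-elasticsiem}"       # taken from the environment, not typed on each command
INDEX_PATTERN="${INDEX_PATTERN:-filebeat-*}"
REGISTRY_DIR="${REGISTRY_DIR:-/var/lib/filebeat/registry}"

# Execute a step, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "DRY: $*"; else "$@"; fi
}

filebeat_reprocess() {
  # Never wipe the whole cluster because of a sloppy pattern.
  case "$INDEX_PATTERN" in
    '*'|_all|'') echo "refusing to delete every index (INDEX_PATTERN=$INDEX_PATTERN)" >&2; return 1 ;;
  esac
  # 1. Stop the shipper first, otherwise it recreates the registry from memory.
  run sudo systemctl stop filebeat
  # 2. Drop the documents produced with the old filters.
  run curl -sS -u "${ES_USER}:${ES_PASS}" -X DELETE "${ES_URL}/${INDEX_PATTERN}"
  # 3. Forget the read offsets so every file is harvested from the beginning.
  run sudo rm -rf "$REGISTRY_DIR"
  # 4. Start again; Logstash applies the new filters to the replayed lines.
  run sudo systemctl start filebeat
}

# Print the plan without touching anything; review it before running for real.
filebeat_reprocess_plan() {
  ( DRY_RUN=1; filebeat_reprocess )
}
```

`curl -u` still exposes the password in the process list; for anything beyond a lab, point curl at a `--netrc-file` instead of passing credentials inline.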


### Packetbeat Installation

In [None]:
%%bash
sudo apt install -y packetbeat

### Disable default configuration

##### The default Packetbeat configuration enables analyzers for a number of transaction protocols (amqp, cassandra, memcache, mysql, and so on). We disable the ones we do not need by commenting out the protocol entry and its list of ports, and monitor only the following: icmp, dhcpv4, dns, http, and tls. The Elasticsearch output is commented out as well, since Packetbeat will ship through Logstash. Unlike the Filebeat edits, these `sed` commands match by content rather than line number, so they are safe across versions as long as the port lists are the ones shipped in the stock file.

In [None]:
%%bash
sudo sed -i 's/^\- type\: amqp/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\ \ ports\: \[5672\]/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\- type\: cassandra/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\ \ ports\: \[9042\]/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\- type\: memcache/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\ \ ports\: \[11211\]/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\- type\: mysql/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\ \ ports\: \[3306,3307\]/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\- type\: pgsql/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\ \ ports\: \[5432\]/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\- type\: redis/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\ \ ports\: \[6379\]/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\- type\: thrift/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\ \ ports\: \[9090\]/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\- type\: mongodb/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\ \ ports\: \[27017\]/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\- type\: nfs/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\ \ ports\: \[2049\]/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^output.elasticsearch\:/#&/' /etc/packetbeat/packetbeat.yml
sudo sed -i 's/^\ \ hosts\: \[\"localhost\:9200\"\]/#&/' /etc/packetbeat/packetbeat.yml
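To confirm that the edits left exactly the intended analyzers active, the following added example (not part of the original notebook) lists the uncommented `- type:` entries under `packetbeat.protocols` and compares them with an expected set. The packetbeat.yml fragment embedded in the script is constructed for the example in the layout of the stock 7.x file after the edits above; point `active_protocols` at `/etc/packetbeat/packetbeat.yml` to check the real file.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notebook: list the protocol analyzers still
# active in a packetbeat.yml after the edits above and compare them with the intended
# set (icmp, dhcpv4, dns, http, tls). The sample config below is constructed for the
# example; the real file is /etc/packetbeat/packetbeat.yml.
set -eu

# Print the active "- type:" entries under packetbeat.protocols, one per line, sorted.
active_protocols() {
  awk '
    /^packetbeat\.protocols:/ { inprot = 1; next }
    inprot && /^[^[:space:]#-]/ { inprot = 0 }   # next top-level key ends the section
    inprot && /^- type:/        { print $3 }     # commented entries start with "#" and are skipped
  ' "$1" | sort
}

# Return 0 when the active set in $1 is exactly the expected set given as $2..., 1 otherwise.
protocols_match() {
  f="$1"; shift
  expected=$(printf '%s\n' "$@" | sort)
  [ "$(active_protocols "$f")" = "$expected" ]
}

# Constructed sample in the layout of the stock 7.x file after the sed edits.
sample=$(mktemp)
cat > "$sample" <<'EOF'
packetbeat.interfaces.device: any

packetbeat.flows:
  timeout: 30s
  period: 10s

packetbeat.protocols:
- type: icmp
  enabled: true

#- type: amqp
#  ports: [5672]

- type: dhcpv4
  ports: [67, 68]

- type: dns
  ports: [53]

- type: http
  ports: [80, 8080, 8000, 5000, 8002]

#- type: memcache
#  ports: [11211]

#- type: mysql
#  ports: [3306,3307]

- type: tls
  ports:
    - 443
    - 993

#output.elasticsearch:
#  hosts: ["localhost:9200"]
EOF

# Stand-alone run: show what is active in the sample and whether it matches the plan.
active_protocols "$sample"
protocols_match "$sample" icmp dhcpv4 dns http tls && echo "active protocols match the intended set"
```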

### Enable communication with logstash

In [None]:
%%bash
export ls_ip="10.1.1.14"

# Enable the Logstash output
sudo sed -i '/output.logstash\:/s/^#//g' /etc/packetbeat/packetbeat.yml

# Uncomment and change the Logstash IP address
sudo sed -i "s/#hosts\: \[\"localhost\:5044\"\]/hosts\: \[\"$ls_ip\:5044\"\]/g" /etc/packetbeat/packetbeat.yml

# Uncomment the CA setting and point it at our certificate. The stock line is already indented
# by two spaces before the '#', so the replacement must not add a space of its own: a third
# space would leave ssl.certificate_authorities misaligned with hosts and make the YAML invalid.
sudo sed -i 's/#ssl\.certificate_authorities\: \["\/etc\/pki\/root\/ca\.pem"\]/ssl\.certificate_authorities\: \["\/etc\/pki\/tls\/certs\/logstash\-forwarder\.crt"\]/g' /etc/packetbeat/packetbeat.yml


### Test Configuration and Connectivity to Logstash

##### `test config` parses the file, and `test output` opens a TLS connection to Logstash and verifies its certificate, so a CA or hostname problem shows up here rather than after the service has started. The same two subcommands exist for Filebeat.

In [None]:
%%bash
sudo /usr/share/packetbeat/bin/packetbeat test config -c /etc/packetbeat/packetbeat.yml
sudo /usr/share/packetbeat/bin/packetbeat test output -c /etc/packetbeat/packetbeat.yml

### Add Kibana Dashboards for Packetbeat

In [None]:
%%bash
sudo packetbeat setup -e \
  -E output.logstash.enabled=false \
  -E 'output.elasticsearch.hosts=["<ELASTICSEARCH-IP-ADDRESS>:9200"]' \
  -E 'setup.kibana.host=<KIBANA-IP-ADDRESS>:5601' \
  -E output.elasticsearch.username=elastic \
  -E output.elasticsearch.password=elasticsiem

### Add template from packetbeat to elasticsearch

In [None]:
%%bash

sudo packetbeat setup --index-management \
  -E output.logstash.enabled=false \
  -E 'output.elasticsearch.hosts=["<ELASTICSEARCH-IP-ADDRESS>:9200"]' \
  -E output.elasticsearch.username=elastic \
  -E output.elasticsearch.password=elasticsiem


### List Loaded Templates

In [None]:
%%bash
curl -u elastic:elasticsiem -XGET '<ELASTICSEARCH-IP-ADDRESS>:9200/_template/' | jq 'keys'

### Start Packetbeat

In [None]:
%%bash
sudo systemctl start packetbeat
sudo systemctl enable packetbeat

### Alternatively, you can run Packetbeat in the foreground with debug output for the publisher, which prints each event as it is sent to Logstash:

~~~
sudo /usr/share/packetbeat/bin/packetbeat -e -d "publish" -c /etc/packetbeat/packetbeat.yml
~~~