Install and setup filebeat for Elastic Cloud

To install filebeat, follow these steps:

Download the latest version of filebeat. The download link can be found here:
current filebeat on elastic.co

Connect via ssh to your host. Download the filebeat package to your host and install it:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.8.0-x86_64.rpm
sudo rpm -vi filebeat-7.8.0-x86_64.rpm

Copy the lines from the elastic.co web interface (where you created the instance) and paste them into the "Elastic Cloud" section of the file filebeat.yml.
Do not forget to comment out the lines indicated in the screenshot (red color).

sudo vi /etc/filebeat/filebeat.yml
cloud.id: "12e3456:SdH...klj"
cloud.auth: "elastic:JHds..."

(Screenshot: filebeat setup elastic cloud)

Enable the standard modules:
sudo filebeat modules enable system auditd
To view all available standard modules, use the command:
sudo filebeat modules list
Start filebeat:
sudo systemctl start filebeat
Enable it to start automatically at boot:
sudo systemctl enable filebeat
Check the result:
sudo systemctl status filebeat

To disable a previously enabled module, use the command:
sudo filebeat modules disable auditd
Then restart filebeat:
sudo systemctl restart filebeat
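
The cloud.auth line pasted into /etc/filebeat/filebeat.yml above is a plaintext credential for the built-in elastic superuser. The following check is an added example, not part of the original page or of filebeat itself: it flags a literal password, loose file permissions, and use of the elastic account. The function name, the finding labels and the keystore key name CLOUD_AUTH are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit filebeat.yml for
# credential-handling problems in the "Elastic Cloud" section.
# Prints one finding per line; return status = number of findings.
# Assumes a Linux host with GNU stat, as on the RPM-based host above.
audit_filebeat_yml() {
    local file="$1" findings=0 auth mode
    # Value of the first uncommented cloud.auth line, quotes stripped.
    auth=$(sed -nE '/^[[:space:]]*cloud\.auth:/{s/^[^:]*:[[:space:]]*"?([^"]*)"?.*$/\1/p;q;}' "$file")
    [ -n "$auth" ] || return 0

    case "$auth" in
        '${'*'}')
            # Keystore or environment reference: no secret stored in the file.
            ;;
        *)
            echo "PLAINTEXT: cloud.auth holds a literal password; store it with 'filebeat keystore add CLOUD_AUTH'"
            findings=$((findings + 1))
            mode=$(stat -c '%a' "$file")
            # Any group/other permission bit exposes the secret to local users.
            if [ $(( 0$mode & 077 )) -ne 0 ]; then
                echo "MODE: $file is mode $mode; restrict it to 600"
                findings=$((findings + 1))
            fi
            ;;
    esac

    case "$auth" in
        elastic:*)
            echo "SUPERUSER: cloud.auth uses the elastic superuser; use a dedicated user limited to publishing"
            findings=$((findings + 1))
            ;;
    esac
    return "$findings"
}

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_filebeat_yml "$1"
fi
```

To clear the PLAINTEXT finding, run sudo filebeat keystore create, then sudo filebeat keystore add CLOUD_AUTH, and set cloud.auth: "${CLOUD_AUTH}" in filebeat.yml before restarting filebeat.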
