bsd-amd64-filebeat

pfsense / freebsd amd64 prebuilt binaries and configuration files for using pfsense as a network sensor for the Elastic Stack.

WARNING: Please take a backup of your pfsense configuration and make sure you can restore it before proceeding.

Prerequisites

  • A pfsense device
  • ssh and web admin console access to the pfsense device.
  • An Elastic Stack (cloud or self hosted) instance that can be reached from the pfsense device.
  • Suricata and Zeek installed through the pfsense package manager.

Install

Download this project as a zip file.

Upload it to pfsense by navigating to Diagnostics->Command Prompt->Upload file in the pfsense admin console.

ssh into the pfsense device (e.g. ssh [email protected]), select option 8 for shell access, then execute:

cd /tmp
unzip bsd-amd64-filebeat-main.zip
cd bsd-amd64-filebeat-main
# prebuilt FreeBSD amd64 binary and its configuration file
cp ./filebeat /usr/local/sbin/filebeat
cp ./filebeat.yml /usr/local/etc/filebeat.yml
# data directory (passed as -path.home in the commands below)
mkdir /var/db/beats/filebeat/
cp -rvp var_lib/filebeat/ /var/db/beats/filebeat/
# rc.d service script, installed under both names, then enabled at boot
cp ./filebeat_service.sh /usr/local/etc/rc.d/filebeat
cp ./filebeat_service.sh /usr/local/etc/rc.d/filebeat.sh
echo "filebeat_enable=YES" >> /etc/rc.conf.local

Configuration

Customize the filebeat.yml file with the Elastic Stack authentication details.

vi /usr/local/etc/filebeat.yml

# The kibana and elasticsearch sections...
output.elasticsearch:
  hosts: ['https://yourElasticIp.com:9200']
  # "none" skips certificate chain verification (this is the WARN shown by "test output" below)
  ssl.verification_mode: "none"
  username: elastic
  password: "censored#ChangeToYours"
  pipeline: geoip-info

Test the configuration and output.

#$ filebeat -path.home /var/db/beats/filebeat -path.config /usr/local/etc test config

results:
Config OK

#$ filebeat -path.home /var/db/beats/filebeat -path.config /usr/local/etc test output

results:
elasticsearch: https://10.3.3.102:30036...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.3.3.102
    dial up... OK
  TLS...
    security... WARN server's certificate chain verification is disabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.15.0

Run the setup command.

#$ filebeat -path.home /var/db/beats/filebeat -path.config /usr/local/etc setup

Start the service.

service filebeat start

In Kibana->Security->Overview, filebeat network events should appear.
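The install, configuration and test steps above can be wrapped in a few shell functions that make them repeatable and that act on the WARN the test output reports. The script below is an added example written for this README; it is not part of the bsd-amd64-filebeat project. It enables the rc service without duplicating the rc.conf.local line on re-runs, writes an output.elasticsearch section with certificate verification turned on, and refuses to start the service while `filebeat test output` still reports that chain verification is disabled. The CA path /usr/local/etc/elastic-ca.pem and the keystore key ES_PWD are placeholders assumed by the example, not values from the README.

```shell
#!/bin/sh
# Added example for this README; not part of the bsd-amd64-filebeat project.
# Assumptions (placeholders, not from the README): the CA that signed the
# Elasticsearch certificate is at /usr/local/etc/elastic-ca.pem and the
# password is stored under the key ES_PWD (filebeat keystore or environment).

# Append filebeat_enable=YES to the rc file given as $1 only if no
# filebeat_enable line is there yet. The README's plain `echo >>` adds a
# duplicate line every time the install steps are repeated.
enable_filebeat_rc() {
    rc_file="$1"
    touch "$rc_file"
    if ! grep -q '^filebeat_enable=' "$rc_file"; then
        echo 'filebeat_enable=YES' >> "$rc_file"
    fi
}

# Write a hardened output.elasticsearch section to the file given as $1.
# Relative to the README's sample, verification_mode is "full" (chain and
# hostname are checked) and the CA is pinned, so a forged Elasticsearch
# endpoint on the sensor's path is rejected instead of silently accepted.
write_hardened_output() {
    cat > "$1" <<'EOF'
output.elasticsearch:
  hosts: ['https://yourElasticIp.com:9200']
  ssl.verification_mode: "full"
  ssl.certificate_authorities: ["/usr/local/etc/elastic-ca.pem"]
  username: elastic
  password: "${ES_PWD}"
  pipeline: geoip-info
EOF
}

# Read the text of `filebeat ... test output` from stdin. Return 0 only when
# verification was not disabled, the TLS handshake succeeded and the server
# answered; return 1 otherwise so the caller can gate `service filebeat start`.
check_test_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qF "certificate chain verification is disabled"; then
        echo "refusing to start: TLS certificate verification is disabled" >&2
        return 1
    fi
    if ! printf '%s\n' "$out" | grep -qF "handshake... OK"; then
        echo "refusing to start: TLS handshake did not succeed" >&2
        return 1
    fi
    if ! printf '%s\n' "$out" | grep -qF "talk to server... OK"; then
        echo "refusing to start: Elasticsearch did not answer" >&2
        return 1
    fi
    return 0
}

# Typical use on the pfsense shell, with the README's own paths:
#   enable_filebeat_rc /etc/rc.conf.local
#   write_hardened_output /tmp/output-section.yml   # merge into /usr/local/etc/filebeat.yml
#   filebeat -path.home /var/db/beats/filebeat -path.config /usr/local/etc test output \
#       | check_test_output && service filebeat start
```

With `ssl.verification_mode: "full"` the `security...` line of `test output` changes from the WARN shown above to OK, and `check_test_output` lets the pipeline continue to `service filebeat start`. The `${ES_PWD}` reference keeps the password out of filebeat.yml; filebeat resolves it from its keystore (`filebeat keystore create`, then `filebeat keystore add ES_PWD --stdin`) or from the environment.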
