Filebeat
Filebeat is a lightweight shipper for logs. You can use it to collect logs from endpoints and store them centrally in Elasticsearch. It is mostly used on Linux systems, but it also runs on Apple macOS. Installing Filebeat is straightforward: download the darwin tarball, unpack it and create a version-independent symlink so the paths in the rest of this post stay valid after an upgrade.

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.15.0-darwin-x86_64.tar.gz
tar xzvf filebeat-7.15.0-darwin-x86_64.tar.gz
ln -s filebeat-7.15.0-darwin-x86_64 filebeat
After installing Filebeat, enable the system module (the subcommand is "modules enable"; "filebeat enable" on its own is not a valid command):

sudo filebeat/filebeat modules enable system
Then update the configuration file (filebeat/filebeat.yml). The log input belongs under the filebeat.inputs key; the ILM and output settings are top-level keys:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/install.log

setup.ilm.enabled: auto
setup.ilm.rollover_alias: "filebeat-cudeso"
setup.ilm.pattern: "{now}-000001"
setup.ilm.policy_name: "filebeat-cudeso"

output.elasticsearch:
  hosts: ["elastic:9200"]
Daemon
I used the information from a support post on the Elastic site: https://discuss.elastic.co/t/deploying-filebeat-on-macos-x/37785/11. This post describes what needs to be in the plist and how to add it to launchd.
Create the file /Library/LaunchDaemons/co.elastic.filebeat.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>co.elastic.filebeat</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/john/Scripts/filebeat/filebeat</string>
        <string>-c</string>
        <string>/Users/john/Scripts/filebeat/filebeat.yml</string>
        <!-- Disables Filebeat's check that filebeat.yml is owned by the user
             running it (root, for a LaunchDaemon) and is not writable by group
             or others. It is only needed here because the binary and config
             live in john's home directory, which means root executes a binary
             and reads a config that an unprivileged user can modify. Owning
             both by root and dropping this flag is the safer setup. -->
        <string>--strict.perms=false</string>
    </array>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
Register the daemon. Because the file lives in /Library/LaunchDaemons, launchd starts the job as root, and it will only load the plist if it is owned by root:wheel and not writable by group or others; loading it therefore also requires root:

sudo launchctl load /Library/LaunchDaemons/co.elastic.filebeat.plist
Then verify with launchctl that the daemon is running and check the Filebeat logs.
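Two things in this procedure are easy to get wrong: the plist itself and the ownership of filebeat.yml, which is the check that --strict.perms=false switches off. The following Python script is an added example, not code from the post or from Elastic. It builds the launchd job definition with plistlib from the label and paths used above, and it re-implements the rule Filebeat's strict.perms check enforces (the config must be owned by the running user or by root and must not be writable by group or others) so you can see why the flag was needed when root runs a config owned by john. The uid 501 for john and the sample config text are assumptions.

```python
"""Generate the launchd job for Filebeat and re-check config permissions.

Added example for this page, not code from the post or from Elastic.
Paths and label come from the post's plist; uid 501 for "john" and the
sample config text are assumptions. The permission rule mirrors what
Filebeat's strict.perms check enforces, re-implemented here stand-alone.
"""
import os
import plistlib
import stat
import tempfile

LABEL = "co.elastic.filebeat"
INSTALL_DIR = "/Users/john/Scripts/filebeat"  # prefix from the post's plist
JOHN_UID = 501  # assumed uid of the user who unpacked the tarball

# Constructed minimal config, only used to create a file to stat().
SAMPLE_CONFIG = (
    "filebeat.inputs:\n"
    "- type: log\n"
    "  paths:\n"
    "    - /var/log/install.log\n"
)


def program_arguments(install_dir=INSTALL_DIR, strict_perms=True):
    """argv launchd will execute; strict_perms=False adds the post's flag."""
    args = [f"{install_dir}/filebeat", "-c", f"{install_dir}/filebeat.yml"]
    if not strict_perms:
        args.append("--strict.perms=false")
    return args


def build_plist(install_dir=INSTALL_DIR, strict_perms=True):
    """Return the job definition as XML plist bytes for /Library/LaunchDaemons."""
    job = {
        "Label": LABEL,
        "ProgramArguments": program_arguments(install_dir, strict_perms),
        "KeepAlive": True,  # restart Filebeat if it exits, as in the post
    }
    return plistlib.dumps(job)


def load_job(data):
    """Parse plist bytes back into a dict (used to verify what was generated)."""
    return plistlib.loads(data)


def evaluate_perms(owner_uid, mode, running_uid):
    """Apply the strict.perms rule to an owner uid and an st_mode value.

    Filebeat accepts a config only if it is owned by the user running it or
    by root, and is not writable by group or others. Returns the problems
    found; an empty list means the file passes.
    """
    problems = []
    if owner_uid not in (running_uid, 0):
        problems.append(
            f"owned by uid {owner_uid}, must be owned by uid {running_uid} or root"
        )
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(
            f"writable by group/others ({stat.filemode(mode)}), fix with chmod go-w"
        )
    return problems


def check_config_perms(path, running_uid=None):
    """Run evaluate_perms() against a real file; defaults to the current uid."""
    if running_uid is None:
        running_uid = os.getuid()
    st = os.stat(path)
    return evaluate_perms(st.st_uid, st.st_mode, running_uid)


def demo():
    """Three cases: the post's setup, a group-writable file, a fixed file."""
    # A LaunchDaemon runs as root, but the post's config is owned by john:
    # this is exactly the case --strict.perms=false was added to silence.
    as_shipped = evaluate_perms(JOHN_UID, 0o100644, running_uid=0)

    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "filebeat.yml")
        with open(cfg, "w") as fh:
            fh.write(SAMPLE_CONFIG)
        os.chmod(cfg, 0o664)  # group-writable: rejected
        group_writable = check_config_perms(cfg)
        os.chmod(cfg, 0o644)  # owner-writable only: accepted
        fixed = check_config_perms(cfg)
    return as_shipped, group_writable, fixed


if __name__ == "__main__":
    print(build_plist().decode())
    for name, result in zip(("as shipped", "group-writable", "fixed"), demo()):
        print(f"{name}: {result or 'ok'}")
```

Write the bytes returned by build_plist() to /Library/LaunchDaemons/co.elastic.filebeat.plist, chown it root:wheel and chmod it 644 before loading it. If check_config_perms() on filebeat.yml reports nothing when run as root, the binary and config are owned correctly and the --strict.perms=false argument can be dropped from the plist.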