Running Filebeat on ARM



  • I'd like to take advantage of Filebeat on my Raspberry Pi 3B+ (currently running the latest version of Raspbian) to send logs to an external system, but from everything I have read, there is no package for it for ARM (unless you run ArchLinux, that is). This post from the Elastic community states they do not officially support ARM.

    I found this blog someone wrote about building Filebeat from scratch so it would work on ARM, so if I go for it, I would follow their steps and just make necessary tweaks for newer versions of go, etc. The author shows how to build Filebeat for ARM and then how to install and configure, but the interesting thing in my opinion is that there was no mention of how well Filebeat worked long term.

    Has anyone here gone through the process and had it work out well? For reference, the repo for Filebeat is here. I'd appreciate any thoughts / feedback.



  • But building something gets complicated because you will have to deal with rebuilding it on kernel changes I do believe.

    Can you not find any other way to get the data off this system?



  • @JaredBusch said in Running Filebeat on ARM:

    But building something gets complicated because you will have to deal with rebuilding it on kernel changes I do believe.

    Can you not find any other way to get the data off this system?

    Oh man, that's a point I had not considered.

    I thought about trying the Splunk Universal Forwarder as an option but had not signed up for Splunk free so I can use it. The back-end system to which I am sending logs (which is not Splunk) can accept logs sent via Raw TCP (which I believe the Splunk Universal Forwarder should do for me) or logs sent using Filebeat.



  • @NetworkNerd said in Running Filebeat on ARM:

    @JaredBusch said in Running Filebeat on ARM:

    But building something gets complicated because you will have to deal with rebuilding it on kernel changes I do believe.

    Can you not find any other way to get the data off this system?

    Oh man, that's a point I had not considered.

    I thought about trying the Splunk Universal Forwarder as an option but had not signed up for Splunk free so I can use it. The back-end system to which I am sending logs (which is not Splunk) can accept logs sent via Raw TCP (which I believe the Splunk Universal Forwarder should do for me) or logs sent using Filebeat.

    Wazuh uses filebeat. You could just use a wazuh agent and accomplish the same thing.



  • @IRJ said in Running Filebeat on ARM:

    @NetworkNerd said in Running Filebeat on ARM:

    @JaredBusch said in Running Filebeat on ARM:

    But building something gets complicated because you will have to deal with rebuilding it on kernel changes I do believe.

    Can you not find any other way to get the data off this system?

    Oh man, that's a point I had not considered.

    I thought about trying the Splunk Universal Forwarder as an option but had not signed up for Splunk free so I can use it. The back-end system to which I am sending logs (which is not Splunk) can accept logs sent via Raw TCP (which I believe the Splunk Universal Forwarder should do for me) or logs sent using Filebeat.

    Wazuh uses filebeat. You could just use a wazuh agent and accomplish the same thing.

    That's a good point, but I don't see ARM support for Wazuh listed in their compatibility matrix unless I've just missed it.



  • @NetworkNerd said in Running Filebeat on ARM:

    @IRJ said in Running Filebeat on ARM:

    @NetworkNerd said in Running Filebeat on ARM:

    @JaredBusch said in Running Filebeat on ARM:

    But building something gets complicated because you will have to deal with rebuilding it on kernel changes I do believe.

    Can you not find any other way to get the data off this system?

    Oh man, that's a point I had not considered.

    I thought about trying the Splunk Universal Forwarder as an option but had not signed up for Splunk free so I can use it. The back-end system to which I am sending logs (which is not Splunk) can accept logs sent via Raw TCP (which I believe the Splunk Universal Forwarder should do for me) or logs sent using Filebeat.

    Wazuh uses filebeat. You could just use a wazuh agent and accomplish the same thing.

    That's a good point, but I don't see ARM support for Wazuh listed in their compatibility matrix unless I've just missed it.

It appears to be supported. This is from the 3.8.0 release notes:

[image attachment: screenshot of the Wazuh 3.8.0 release notes]



  • @IRJ could be unsupported officially, but they still want to make it work.



  • @scottalanmiller said in Running Filebeat on ARM:

    @IRJ could be unsupported officially, but they still want to make it work.

If you use wazuh, the ARM device would not use filebeat. It would be done from the wazuh server. All the ARM client would do is submit its logs on 1514 UDP.



  • I think my approach to this would be this: Keep your endpoints simple.

    Take a look at what the system comes with. From a quick check, I'm almost certain both CentOS and Fedora ship with rsyslog, which would lead me to believe that the Pi would have that or something very similar. If not, rsyslog does at least have an ARM package.

That native syslog package should almost certainly have the capability to send its messages (or generally any you might want to specify) to a remote server. I would configure that to push out to a remote server of your choice and do any parsing, filtering, or manipulating server-side. That way you don't have to worry about keeping a package up to date, or ensuring you have a system/application specific configuration. The generic config you'll end up with can, in theory, be applied to anything running Linux.

    Hope this helps.
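As an added example (not from this thread or from any of the posters), here is what the "push everything to a remote server, parse server-side" approach looks like as an rsyslog drop-in on the Pi. It assumes rsyslog is installed (check with `dpkg -l rsyslog` on Raspbian), that the collector accepts raw TCP syslog as mentioned earlier in the thread, and that `logserver.example.com` is a placeholder for that collector's address. The disk-assisted queue is what keeps logs from being silently dropped while the collector or the Pi's network is down, which is the long-term reliability question the original post raised.

```rsyslog
# /etc/rsyslog.d/90-forward.conf  (added example; target host is a placeholder)
#
# Forward every local message over TCP (omfwd) to the central collector.
# Parsing/filtering is deliberately left to the server side.
action(
    type="omfwd"
    target="logserver.example.com"   # placeholder: your collector
    port="514"
    protocol="tcp"                   # raw TCP as the thread's back end accepts

    # Disk-assisted queue: buffer in memory, spill to /var/spool/rsyslog when
    # the collector is unreachable, and persist the queue across restarts so
    # an outage does not lose local events.
    queue.type="LinkedList"
    queue.filename="fwd_to_collector"
    queue.maxDiskSpace="100m"
    queue.saveOnShutdown="on"

    # Retry forever instead of discarding after a fixed number of failures.
    action.resumeRetryCount="-1"
    action.resumeInterval="30"

    # Optional transport encryption: uncomment after installing rsyslog-gnutls
    # and setting $DefaultNetstreamDriverCAFile to the collector's CA cert.
    # StreamDriver="gtls"
    # StreamDriverMode="1"
    # StreamDriverAuthMode="x509/name"
    # StreamDriverPermittedPeers="logserver.example.com"
)
```

To check it without guessing: `rsyslogd -N1` validates the configuration syntactically, `systemctl restart rsyslog` applies it, and `logger -p auth.notice "forwarding test"` emits a message you should then see arrive on the collector. Because the Pi itself does no parsing, the same file can be dropped onto any other Linux host without modification.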



  • @FiyaFly said in Running Filebeat on ARM:

    Take a look at what the system comes with. From a quick check, I'm almost certain both CentOS and Fedora ship with rsyslog, which would lead me to believe that the Pi would have that or something very similar. If not, rsyslog does at least have an ARM package.

    Pi runs Debian.



  • @JaredBusch said in Running Filebeat on ARM:

    @FiyaFly said in Running Filebeat on ARM:

    Take a look at what the system comes with. From a quick check, I'm almost certain both CentOS and Fedora ship with rsyslog, which would lead me to believe that the Pi would have that or something very similar. If not, rsyslog does at least have an ARM package.

    Pi runs Debian.

Yeah, I don't have any Debian-based systems I can check right now, but I know it still has the mechanism built in. Just might not be rsyslog.