Scriptbeat Installation and Setup
Conventions
- HOST_LOGSTASH - Logstash host address
- SB_HOME - SAF Beat installation home directory, usually /app/SAFBeat/ on Linux and C:\Program Files\SAFBeat\ on Windows
General Information
Scriptbeat is a Search Anywhere Framework agent used for agent-based data collection from target hosts. It is used to execute binary files and scripts through specified interpreters (PowerShell, Python, Bash, etc.) and transfer the results of their execution to storage systems.
Configuration Structure
Configuration consists of the following blocks:
- schedule - settings for running executable scripts
- output - destination for collected data
- processors - optional block for filtering and enriching data
scriptbeat.schedule Block
This block defines the logic for running one or more scripts.
| Parameter | Type | Description |
|---|---|---|
| command | String | Path to interpreter or executable file (e.g., python, bash, powershell.exe). |
| args | List (Strings) | Path to script. Multiple scripts can be specified. |
| period | String | Execution schedule. Format depends on selected scheduletype. |
| scheduletype | String | Scheduler logic type: interval (e.g., 1m, 1h) or cron (e.g., `0 19 * * *`). |
Settings in this section need to be adapted for the specific agent operating system.
Configuration examples for Windows:

Cron:

```yaml
scriptbeat:
  schedule:
    - command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
      scheduletype: cron
      period: "0 19 * * *"
      args:
        - '. "C:\Program Files\SAFBeat\config\apps\check_auth.ps1"'
        - '. "C:\Program Files\SAFBeat\config\apps\check_logs.ps1"'
```

Interval:

```yaml
scriptbeat:
  schedule:
    - command: 'C:\Users\Admin\AppData\Local\Programs\Python\Python311\python.exe'
      scheduletype: interval
      period: 15m
      args:
        - 'C:\Program Files\SAFBeat\check_auth.py'
        - 'C:\Program Files\SAFBeat\check_logs.py'
```
On Windows, paths must be written with backslashes (\).
Configuration examples for Linux:

Cron:

```yaml
scriptbeat:
  schedule:
    - command: /bin/bash
      period: "0 2 * * *"
      args:
        - "/home/admin/scripts/daily_report.sh"
      scheduletype: cron
```

Interval:

```yaml
scriptbeat:
  schedule:
    - command: /usr/bin/python3
      period: 30s
      args:
        - "/opt/SAFBeat/checks/system_health.py"
      scheduletype: interval
```
Configuration examples for macOS:

Cron:

```yaml
scriptbeat:
  schedule:
    - command: /bin/zsh
      period: "0 8 * * *"
      args:
        - "-c"
        - "/Users/admin/scripts/cleanup_logs.sh"
      scheduletype: cron
```

Interval:

```yaml
scriptbeat:
  schedule:
    - command: /opt/homebrew/bin/python3
      period: 5m
      args:
        - "/Users/admin/scripts/check_metrics.py"
      scheduletype: interval
```
Scriptbeat allows configuring different scripts to run with independent intervals or separate cron schedules:
```yaml
scriptbeat:
  schedule:
    - command: /usr/bin/python3
      period: 1m
      args:
        - "/opt/SAFBeat/checks/system_health.py"
      scheduletype: interval
    - command: /bin/bash
      period: "0 2 * * *"
      args:
        - "/opt/SAFBeat/reports/daily_report.sh"
      scheduletype: cron
```
To run a script at fixed time intervals, use scheduletype: interval. Interval can be set in seconds, minutes, and hours.
| Format | Description | Example | Value |
|---|---|---|---|
| Xs | Interval in seconds | 30s | Every 30 seconds |
| Xm | Interval in minutes | 5m | Every 5 minutes |
| Xh | Interval in hours | 12h | Every 12 hours |
scheduletype: interval supports combining interval formats. For example: 1m30s, 2h30m.
To run a script according to calendar schedule, use scheduletype: cron. Format: minute hour day month day_of_week.
| Expression Example | Description | Value |
|---|---|---|
| `"*/5 * * * *"` | Every 5 minutes | Run at 00, 05, 10... minutes of each hour |
| `"0 9 * * 1-5"` | Weekdays at 9 AM | Monday-Friday at 09:00 |
| `"0 0 * * *"` | Daily at midnight | Every day at 00:00 |
| `"0 19 * * *"` | Daily in the evening | Every day at 19:00 |
| `"0 0 1 * *"` | 1st day of month | Monthly at 00:00 |
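A period that does not match its scheduletype is an easy slip when entries are copied between jobs. The validator below is an added example, not Scriptbeat code: it assumes interval units appear in h, m, s order as in the examples above, that cron fields are numeric, and that day_of_week accepts 0-7; the entries are schedule items already parsed into dicts.

```python
import re

# Value ranges for the five cron fields named on this page:
# minute hour day month day_of_week (0-7 for day_of_week is an assumption).
CRON_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]
INTERVAL_RE = re.compile(r"(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")


def interval_seconds(period):
    """Convert '30s', '5m', '1m30s' or '2h30m' to seconds; None if malformed."""
    m = INTERVAL_RE.fullmatch(period)
    if not period or not m or not any(m.groups()):
        return None
    h, mi, s = (int(g or 0) for g in m.groups())
    return (h * 3600 + mi * 60 + s) or None  # a zero-length interval is rejected


def _cron_field_ok(field, lo, hi):
    """Accept '*', 'N', 'A-B', comma lists and '/step' suffixes within lo..hi."""
    for part in field.split(","):
        rng, _, step = part.partition("/")
        if "/" in part and (not step.isdigit() or int(step) == 0):
            return False
        if rng == "*":
            continue
        a, dash, b = rng.partition("-")
        if not a.isdigit() or (dash and not b.isdigit()):
            return False
        start, end = int(a), int(b) if dash else int(a)
        if not (lo <= start <= end <= hi):
            return False
    return True


def check_entry(entry):
    """Return a list of problems for one scriptbeat.schedule entry (a dict)."""
    kind, period = entry.get("scheduletype"), str(entry.get("period", ""))
    if kind == "interval":
        return [] if interval_seconds(period) else [f"bad interval: {period!r}"]
    if kind == "cron":
        fields = period.split()
        if len(fields) != 5:
            return [f"cron needs 5 fields, got {len(fields)}: {period!r}"]
        return [f"bad cron field {f!r}" for f, (lo, hi) in zip(fields, CRON_RANGES)
                if not _cron_field_ok(f, lo, hi)]
    return [f"unknown scheduletype: {kind!r}"]
```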
output Block
Only one type of output can be active in configuration.
- output.logstash
- output.file
- output.console
output.logstash sends data to a Logstash pipeline.
| Parameter | Type | Required | Description |
|---|---|---|---|
| hosts | List | Yes | List of Logstash addresses in format ["host:port"]. |
| loadbalance | Boolean | No | If true, events are distributed between nodes. Default: false. |
| worker | Integer | No | Number of parallel threads for sending data. Default: 1. |
| compression_level | Integer | No | Gzip compression level (0 to 9). Default: 3. |
| ssl.certificate_authorities | List | No | Paths to root certificates (CA). |
| ssl.certificate | String | No | Path to client certificate. |
| ssl.key | String | No | Path to the client certificate's private key. |
| ssl.verification_mode | String | No | SSL verification mode: full or none. |
Configuration example:
```yaml
output.logstash:
  hosts: ["<HOST_LOGSTASH_1>:51121", "<HOST_LOGSTASH_2>:51121"]
  loadbalance: true
  worker: 1
  compression_level: 2
  ssl.certificate: "$SB_HOME/cert/cert.pem"
  ssl.key: "$SB_HOME/cert/key.pem"
  ssl.certificate_authorities: "$SB_HOME/cert/ca-cert.pem"
```
output.file writes data to files on disk.
| Parameter | Type | Required | Description |
|---|---|---|---|
| path | String | Yes | Directory path where files will be written. |
| filename | String | Yes | File names. |
| rotate_every_kb | Integer | No | Maximum file size. When this size is reached, a new file is created. |
| number_of_files | Integer | No | Maximum number of files to keep in path. When this number is reached, the oldest file is deleted. |
| permissions | Integer | No | File creation permissions. |
| rotate_on_startup | Boolean | No | If true and filename already exists, a new file is created instead of writing to the existing one. |
Configuration example:
```yaml
output.file:
  path: "/tmp/filebeat"
  filename: filebeat
  rotate_every_kb: 10000
  number_of_files: 7
  permissions: 0600
  rotate_on_startup: true
```
output.console writes events in JSON format to stdout.
Console output should only be used for debugging as it can generate large amounts of data.
Configuration example:
```yaml
output.console:
  pretty: true
```
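The output settings that matter most for the confidentiality of collected events are ssl.verification_mode, the CA list, and the location and mode of the output.file files. The linter below is an added example, not Scriptbeat code; it assumes the configuration has been parsed into a dict with the dotted keys kept as written on this page and that permissions was read as an octal integer. The sample configs and the host name are constructed.

```python
def lint_outputs(cfg):
    """Return findings for the output.* blocks of a parsed Scriptbeat config."""
    findings = []
    active = [k for k in cfg if k.startswith("output.")]
    if len(active) != 1:  # the page allows exactly one active output
        findings.append(f"expected exactly one output, found {len(active)}: {active}")
    ls = cfg.get("output.logstash")
    if ls is not None:
        if ls.get("ssl.verification_mode") == "none":
            findings.append("logstash: ssl.verification_mode is none, "
                            "the server certificate is not checked")
        if not ls.get("ssl.certificate_authorities"):
            findings.append("logstash: ssl.certificate_authorities is not set")
        if bool(ls.get("ssl.certificate")) != bool(ls.get("ssl.key")):
            findings.append("logstash: ssl.certificate and ssl.key must be set together")
    f = cfg.get("output.file")
    if f is not None:
        path = str(f.get("path", ""))
        if path == "/tmp" or path.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")):
            findings.append(f"file: {path} is under a shared temporary directory")
        perms = f.get("permissions")
        if isinstance(perms, int) and perms & 0o077:
            findings.append(f"file: permissions {perms:04o} give group/other access")
    if "output.console" in cfg:
        findings.append("console: debugging output is enabled")
    return findings


# Constructed sample configs, not taken from a real deployment.
WEAK = {
    "output.logstash": {"hosts": ["logstash.example.internal:51121"],
                        "ssl.verification_mode": "none"},
    "output.file": {"path": "/tmp/filebeat", "filename": "filebeat",
                    "permissions": 0o644},
}
HARDENED = {
    "output.logstash": {"hosts": ["logstash.example.internal:51121"],
                        "ssl.verification_mode": "full",
                        "ssl.certificate_authorities": ["/app/SAFBeat/cert/ca-cert.pem"],
                        "ssl.certificate": "/app/SAFBeat/cert/cert.pem",
                        "ssl.key": "/app/SAFBeat/cert/key.pem"},
}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, lint_outputs(cfg) or "no findings")
```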
processors Block
Used for preprocessing data before sending.
Some valid parameters:
- add_host_metadata: adds host information (IP, OS name, ID)
- drop_event: deletes entire event if specified condition is met
- decode_json_fields: parses JSON string from script output into structured fields
processors configuration example:
```yaml
processors:
  - drop_event:
      when:
        regexp:
          message: "^DBG:"
  - decode_json_fields:
      fields: ["field1", "field2"]
  - add_host_metadata
```
In this example, drop_event removes all DEBUG events that match the condition (messages starting with DBG:), decode_json_fields decodes field1 and field2, which contain JSON strings, into JSON objects, and add_host_metadata adds data about the host the events came from.
Configuration Setup
1. Data Collection Setup
Open the configuration file and add the scriptbeat.schedule block. Specify:
- command - full path to interpreter or executable file
- args - path to script to execute
- scheduletype - schedule type: interval (interval) or cron (calendar)
- period - schedule value (e.g., 5m or `0 9 * * *`)
Configuration example for running script every 5 minutes:
```yaml
scriptbeat:
  schedule:
    - command: /usr/bin/python3
      scheduletype: interval
      period: 5m
      args:
        - "/opt/SAFBeat/checks/system_health.py"
```
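The agent executes whatever file sits at the command and args paths on every run, so those files and every directory above them should be writable only by accounts you trust. The check below is an added example for Linux and macOS hosts, not part of Scriptbeat; the function names and the trusted_uids default (root only) are assumptions, and the schedule entries are passed in as already-parsed dicts.

```python
import os
import stat


def replaceable_by(path, trusted_uids=(0,)):
    """List reasons an untrusted account could swap the file at `path`."""
    reasons = []
    current = os.path.realpath(path)  # audit the target a symlink resolves to
    while True:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            reasons.append(f"{current}: owned by uid {st.st_uid}")
        # In a sticky directory (e.g. /tmp) only an entry's owner may rename
        # or delete it, so write access alone does not allow a swap.
        sticky_dir = stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
            reasons.append(f"{current}: writable by group/other "
                           f"({stat.filemode(st.st_mode)})")
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            return reasons
        current = parent


def audit_schedule(entries, trusted_uids=(0,)):
    """Map every absolute path in command/args to its findings, if any."""
    findings = {}
    for entry in entries:
        for p in [entry.get("command", "")] + list(entry.get("args", [])):
            if not os.path.isabs(p):
                continue  # interpreter flags such as "-c" are not paths
            if not os.path.exists(p):
                findings[p] = ["does not exist"]
            elif reasons := replaceable_by(p, trusted_uids):
                findings[p] = reasons
    return findings


if __name__ == "__main__":
    # Constructed sample: one entry as it would look after parsing a
    # scriptbeat.schedule example from this page into a dict.
    sample = [{"command": "/bin/zsh", "scheduletype": "cron", "period": "0 8 * * *",
               "args": ["-c", "/Users/admin/scripts/cleanup_logs.sh"]}]
    for path, why in audit_schedule(sample).items():
        print(path, "->", "; ".join(why))
```

Pass the uid of the agent's service account in trusted_uids if it does not run as root.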
2. Data Output Setup
Add one output block that matches your infrastructure.
Example sending to Logstash:
```yaml
output.logstash:
  hosts: ["<HOST_LOGSTASH>:51121"]
  worker: 2
```
Example writing to file:
```yaml
output.file:
  path: "/var/log/scriptbeat"
  filename: "events.log"
```
Example console output:
```yaml
output.console:
  pretty: true
```
3. Data Processing (optional)
If required, add a processors block to process data before sending.
For example, to add host metadata, add:
```yaml
processors:
  - add_host_metadata
```
Final working configuration example:
```yaml
scriptbeat.schedule:
  - command: /usr/bin/python3
    scheduletype: interval
    period: 5m
    args:
      - "/opt/SAFBeat/checks/system_health.py"

output.logstash:
  hosts: ["<HOST_LOGSTASH>:51121"]
  worker: 2

processors:
  - add_host_metadata
```
Further Scriptbeat setup is similar to other Beats. More details in the corresponding article.