Version: 5.1

Configuring a Standard SAF Beat Application

Important!

It is assumed that SAF Beat Manager is already installed on the target host. If it is not yet installed, refer to Installing SAF Beat Manager.

Notation and Definitions

  • HOST_LOGSTASH — IP address of the Logstash host
  • HOST_OS_DATA — IP address of the node with the data role
  • USERNAME_OS — SAF username, required for configuring and accessing OpenSearch
  • PASSWORD_OS — Password for the SAF user
  • HOST_SBM — IP address of the host where SAF Beat Manager is installed
  • SBM_HOME — installation path of SAF Beat Manager, usually /app/SAFBeatManager/
  • SB_HOME — SAF Beat installation home directory: /app/SAFBeat/ on Linux, C:\Program Files\SAF Beat on Windows

Configuring a Standard SAF Beat Application Using the Web Interface

Downloading Beats Packages

Before proceeding with the configuration, you must download the required Beats packages, including the appropriate distributions. In the examples below, these include Metricbeat, Winlogbeat, and Filebeat. Distributions are available for download from the official OpenSearch.

Uploading Beats Files to SAF Beat Manager

This section shows how to upload a file using Filebeat as an example. The steps are the same for other Beats components.

To upload a Beats file to SAF Beat Manager, go to the Binaries section under SAF Beat Management (Main Menu - SAF Beat Management - Binaries) in the web interface.

Upload the file by either clicking the file selector button or dragging and dropping the file into the drag-and-drop area.

File Upload Window

Once the file is fully uploaded, click the Upload button.

Example of Uploaded File

After successful upload, the file will appear in the list of available configurations.

Upload Notification Window with File

SAF Beat Application Configuration

The steps described in this section apply to all Beats.

To create a SAF Beat application, navigate to the Apps section in the SAF Beat Management interface (Main Menu - SAF Beat Management - Apps).

Applications Window

Click the Create button to open the application configuration window.

Application Configuration Window

Configuring an Application for Linux Metrics Collection

In the Name field, enter a name for the new application, for example: metricbeat. Leave the default application type as Beat. In the Agent Type field, select metricbeat.

Before uploading the configuration file, you need to manually create and configure a metricbeat.yml file. Below is an example configuration for metricbeat.yml:

metricbeat.modules:
  - module: system
    metricsets:
      - cpu
      - memory
      - network
      - filesystem
      - diskio
    enabled: true

output.logstash:
  hosts: ["<HOST_LOGSTASH>:51121"]
  ssl.certificate: "$SB_HOME/cert/cert.pem"
  ssl.key: "$SB_HOME/cert/key.pem"
  ssl.certificate_authorities: "$SB_HOME/cert/ca-cert.pem"

The metricbeat.modules section configures the metric collection parameters. In this example, the system module is enabled to collect standard OS-level system metrics. The metricsets array defines the specific metrics to be collected: CPU usage, memory consumption, network stats, disk usage, and filesystem data. For more details on available options, refer to the official Elastic documentation. To activate the module, the enabled parameter must be set to true.

In the output.logstash section, specify the IP address and port of the Logstash instance in the hosts field (port 51121 in this example). This section also includes the SSL parameters required to establish a secure connection between the Beat agent and Logstash for data transfer.

Important!

All file paths in the configuration must be relative to the target server's file system, where the agent is running—not to the SAF Beat Manager server.

In the Configuration Settings section, upload the previously created and configured file by either clicking the upload button or dragging the file into the drag-and-drop area.

As a result, your application settings will look like this:

Metricbeat Application

Click the Save button to finalize the setup.

Configuring an Application for Collecting Windows Events

In the Name field, enter a name for the application, for example: winlogbeat. Leave the application type as default – Beat. In the Agent Type field, select winlogbeat.

Before uploading the configuration file, you must first create and configure a winlogbeat.yml file. Below is an example configuration:

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

setup.template.name: "winlogbeat"
setup.template.pattern: "winlogbeat"

output.elasticsearch:
  hosts: ["<HOST_LOGSTASH>:51122"]
  ssl.certificate: "C:\\Program Files\\SAF Beat\\cert\\node-cert.pem"
  ssl.key: "C:\\Program Files\\SAF Beat\\cert\\node-key.pem"
  ssl.certificate_authorities: "C:\\Users\\user\\Documents\\ca-cert.pem"

The winlogbeat.event_logs section defines the list of Windows event logs to collect. A detailed description of the available parameters can be found in the official Elastic documentation.

Important!

When specifying file paths in Windows configuration files, backslashes must be escaped using double backslashes \\.

In the Configuration Settings section, upload the previously created configuration file by clicking the upload button or dragging the file into the drag-and-drop area.

The resulting application settings will appear as follows:

Winlogbeat Application

Click the Save button.

Configuring an Application for File Log Reading

In the Name field, enter a name for the application, for example: filebeat. Leave the application type as default – Beat. In the Agent Type field, select filebeat.

Before uploading the configuration file, you must first create and configure a filebeat.yml file.

The file can be created and edited on any available operating system. Below is an example configuration for filebeat.yml:

filebeat.inputs:
  - type: filestream
    id: log-secure
    paths:
      - "/var/log/nginx.log"

output.logstash:
  hosts: ["<HOST_LOGSTASH>:51123"]
  ssl.certificate: "$SB_HOME/cert/cert.pem"
  ssl.key: "$SB_HOME/cert/key.pem"
  ssl.certificate_authorities: "$SB_HOME/cert/ca-cert.pem"

In the filebeat.inputs section, the following parameters are set:

  • type: filestream — used for reading active log files
  • id — a unique identifier for the input; useful when multiple inputs are defined
  • paths — a path or list of paths (with wildcard support) to the log files being read

The output.logstash section is configured in the same way as described for metricbeat.

In the Configuration Settings section, upload the previously created configuration file by clicking the upload button or dragging the file into the drag-and-drop area.

The resulting application settings will appear as follows:

Filebeat Application

Click the Save button.

Group Configuration

The steps described in this section apply to all Beats.

To create a Smart Beat group, go to the Groups section of the SAF Beat Management interface (Main Menu - SAF Beat Management - Groups).

Group Window

Click the Create button to open the group configuration window.

Group Settings Window

Key information about the fields:

  • Name - sets the group name for the agents. It is recommended to use meaningful and descriptive names to simplify identifying the group’s purpose later
  • Apps – defines the list of configurations to be launched using Beats listed in the Binaries section
  • Binaries – lists all the required Beats distributions that will be used for this group
  • Filters – used to define agents (by name, ID, or IP) that should interact with SAF Beat Manager. You can specify multiple values and use wildcards with the * symbol
  • Exclusions – used to exclude agents (by name, ID, or IP) that should not be managed by SAF Beat Manager. Multiple values and wildcards with * are also supported
  • Systems – specifies the system type that the SAF Beat Manager will interact with

Group Configuration for metricbeat

  • In the Name field, enter: Linux Metricbeat
  • In the Apps field, select the previously created application metricbeat
  • In the Binaries field, select the previously uploaded Beats distribution, e.g.: metricbeat-oss-8.6.2-linux-x86_64.tar.gz
  • In the Filters field, list the agent names, IDs, or IPs separated by commas. In this case, an ID is used
  • In the Exclusions field, specify any agents to exclude by name, ID, or IP, also comma-separated
  • In the Systems field, select linux-amd64

After filling in all fields, the group configuration will look like this:

Group metricbeat

Click the Save button.

Group Configuration for winlogbeat

  • In the Name field, enter: Windows Events
  • In the Apps field, select the previously created application winlogbeat
  • In the Binaries field, select the previously uploaded archive, e.g.: winlogbeat-8.9.2-windows-x86_64.zip
  • In the Filters field, list agent names, IDs, or IPs separated by commas. In this case, names and wildcards are used
  • In the Exclusions field, specify agents to exclude by name, ID, or IP, separated by commas
  • In the Systems field, select windows-amd64

After completing the fields, the group configuration will look like this:

Group winlogbeat

Click the Save button.

Group Configuration for filebeat

  • In the Name field, enter: Linux Filebeat
  • In the Apps field, select the previously created application filebeat
  • In the Binaries field, select the previously uploaded Beats distribution, e.g.: filebeat-8.17.3-linux-x86_64.tar.gz
  • In the Filters field, list agent names, IDs, or IPs separated by commas. In this case, an IP address is used
  • In the Exclusions field, specify agents to exclude by name, ID, or IP, separated by commas
  • In the Systems field, select linux-amd64

After completing the fields, the group configuration will look like this:

Group filebeat

Click the Save button.

This concludes the SAF Beat application configuration.

Installing Beats

First, you need to download the Beats distributions you intend to use. Refer to the section Downloading Beats Packages for instructions.

Copy the downloaded Beats distributions to the host where SAF Beat Manager is installed, and change the file ownership to the sbm user. Example command (files downloaded to ~/binaries/):

sudo cp ~/binaries/* "$SBM_HOME/binaries/" && sudo chown -Rf sbm:sbm "$SBM_HOME/" && ls -l "$SBM_HOME/binaries/"

Configuring serverclasses.yml

Open the serverclasses.yml file located in the $SBM_HOME/etc directory and add the necessary configuration parameters. Below is an example of the file content:

- name: Linux Metricbeat
  apps:
    - metricbeat_linux
  binaries:
    - metricbeat-oss-8.6.2-linux-x86_64.tar.gz
  systems:
    - linux-amd64
  filters:
    - 31d7dfc783bs39d6ead9c721153289de44d1047d56ca96456c873df481a4c3d1
    - 3F2504E0-4F89-11D3-9A0C-0305E82C3301
- name: Windows Events
  apps:
    - winlogbeat_events
  binaries:
    - winlogbeat-8.9.2-windows-x86_64.zip
  systems:
    - windows-amd64
  filters:
    - "prod_*"
    - "test_server"
- name: Linux Filebeat
  apps:
    - filebeat_linux
  binaries:
    - filebeat-oss-8.7.1-linux-x86_64.tar.gz
  systems:
    - linux-amd64
  filters:
    - 172.16.0.1

Attention!

YAML format is indentation-sensitive. Make sure you follow indentation rules exactly.

  • name - sets the group name for the agents. It is recommended to use meaningful and descriptive names to help identify the group’s purpose in the future
  • apps - defines the list of configurations to be launched using the Beats binaries specified in the binaries block. The names must exactly match the directory names under $SBM_HOME/apps, and each configuration name must begin with the prefix of the Beat type, e.g., filebeat_
  • filters - specifies agent names, IDs, or IP addresses. Multiple values are allowed, including wildcard masks using *
  • systems - defines the operating system type. In this example, two client types are used (Linux and Windows), and the systems field is included accordingly
  • binaries - lists all Beats distributions to be used for this group

Attention!

The values in the binaries section may not match your actual files. Be sure to verify the correct distribution names in the $SBM_HOME/binaries directory.

Attention!

The apps, filters, binaries, and name fields are mandatory.
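
A pre-reload check for the rules listed above (mandatory fields, Beat-type prefix on app names, app directories and binaries that actually exist), as an added example that is not part of SAF Beat Manager. parse_groups handles only the file layout shown on this page; the function names, the sample data and the prefix list (the three Beats used here) are assumptions.

```python
MANDATORY = ("name", "apps", "filters", "binaries")     # mandatory per this page
PREFIXES = ("metricbeat_", "winlogbeat_", "filebeat_")  # Beats used on this page
# Constructed sample; the second group is deliberately broken.
SAMPLE = """\
- name: Linux Metricbeat
  apps:
    - metricbeat_linux
  binaries:
    - metricbeat-oss-8.6.2-linux-x86_64.tar.gz
  filters:
    - 172.16.0.1
- name: Linux Filebeat
  apps:
    - nginx_logs
  filters:
    - "prod_*"
"""

def parse_groups(text):
    """Parse only the group-list layout shown on this page, not general YAML."""
    groups, key = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("- name:"):
            groups.append({"name": line.split(":", 1)[1].strip()})
            key = None
        elif line.endswith(":") and groups:
            key = line[:-1]
            groups[-1][key] = []
        elif line.startswith("- ") and key:
            groups[-1][key].append(line[2:].strip().strip('"'))
        elif line:
            raise ValueError(f"unexpected line: {line!r}")
    return groups

def check_groups(groups, app_dirs, binary_files):
    """Return problems; the two sets hold entry names under apps/ and binaries/."""
    problems = []
    for g in groups:
        name = g.get("name") or "<unnamed>"
        problems += [f"{name}: mandatory field '{f}' missing or empty"
                     for f in MANDATORY if not g.get(f)]
        for app in g.get("apps", []):
            if not app.startswith(PREFIXES):
                problems.append(f"{name}: app '{app}' lacks a Beat-type prefix")
            elif app not in app_dirs:
                problems.append(f"{name}: no directory apps/{app}")
        problems += [f"{name}: binary '{b}' not found in binaries/"
                     for b in g.get("binaries", []) if b not in binary_files]
    return problems
```

Pass the entry names from os.listdir() of $SBM_HOME/apps and $SBM_HOME/binaries as the two sets, and run the check before reloading SAF Beat Manager.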

Example: Configuring a Linux Metricbeat Application

Metricbeat will be used to collect Linux metrics in this example.

Create a directory with a name that exactly matches the one defined in the apps field of your serverclasses.yml file:

sudo -u sbm mkdir $SBM_HOME/apps/metricbeat_linux

Create and open the configuration file for editing:

sudo -u sbm nano $SBM_HOME/apps/metricbeat_linux/metricbeat.yml

To configure the metricbeat.yml file, refer to the section Configuring an Application for Linux Metrics Collection, where a configuration example is provided.

Example: Configuring an Application for Collecting Windows Events

This section demonstrates how to configure winlogbeat to collect and forward events from the Windows Event Log.

Create a directory with a name that exactly matches the one specified in the apps field of the serverclasses.yml configuration file:

sudo -u sbm mkdir $SBM_HOME/apps/winlogbeat_events

Create and open the configuration file for editing:

sudo -u sbm nano $SBM_HOME/apps/winlogbeat_events/winlogbeat.yml

To configure the winlogbeat.yml file, refer to the section Configuring an Application for Collecting Windows Events, which provides an example configuration.

Example: Configuring an Application for Reading Log Files

This section demonstrates how to configure filebeat to collect and forward events from log files (e.g., .log, .json, .txt).

Create a directory with a name that exactly matches the one specified in the apps field of the serverclasses.yml configuration file:

sudo -u sbm mkdir $SBM_HOME/apps/filebeat_linux

Create the configuration file and open it for editing:

sudo -u sbm nano $SBM_HOME/apps/filebeat_linux/filebeat.yml

To configure the filebeat.yml file, refer to the section Configuring an Application for File Log Reading, which provides an example configuration.

Applying Configuration Changes

To apply changes, SAF Beat Manager must reload its configuration. This can be done in one of the following ways:

  • restart the service using systemd:
    sudo systemctl restart SAFBeatManager
  • use the SAF Beat Manager API:
    curl -k https://<HOST_SBM>:7769/reload -u sbm