SAF Beat for Linux
SAF Beat can work with any version of ElasticBeat, but if you plan to send data directly to OpenSearch, then the ElasticBeat version should be 7.12.1 (or 7.10.2 is a more stable version). If you plan to use Logstash, then the ElasticBeat version does not matter, but it is better to use the same version as Logstash (8.9.x). Read more on the official website.
Symbols
$SB_HOME-SAF Beatinstallation home directory, for Linux -/app/SAFBeat/, for Windows -C:\Program Files\SAFBeat\.
Installing and running SAF Beat
Use the SAF Beat version corresponding to the OS bit depth.
To install SAF Beat on Linux OS, you need to open the terminal under the root user to execute commands. Before unpacking the archive, you need to create a directory and a user under which the agent will work:
mkdir /app/safBeat
useradd --no-create-home --system --user-group sbm
In some cases, a group of the same name may not be created automatically for the user. Make sure that the user belongs to a group of the same name (in the example above, sbm), or create a group manually and add a user to it:
groupadd sbm
usermod -aG sbm sbm
In the SAF installation archive, in the directory $SM_INSTALLER/utils/safBeat/ there are executable files (the file extension elf - executable linux file may be present) of the agents, copy the appropriate bit depth and OS type, for example:
cp $SM_INSTALLER/utils/safBeat/safBeat-linux-x64-* /app/safBeat/safBeat
chmod +x /app/safBeat/safBeat
To install SAF Beat, run the executable file with the install flag:
/app/safBeat/safBeat install
chown -Rf sbm:sbm /app/safBeat
The structure of files and directories is created only during the launch of SAF Beat. If any file already exists, it will not be created.
To run SAF Beat, run the following command:
systemctl start safBeat.service
In order to find out if the service is working, you need to run the command:
systemctl status safBeat.service
Additional settings
Using pre-generated certificates
To use ready-made certificates and the SAF Beat private key, follow these steps:
- Stop the SAF Beat service via
systemd - In the
${SB_HOME}/cert/directory, delete all existing certificates and private keys - Transfer the existing CA certificate, certificate and SAF Beat private key to the same directory
${SB_HOME}/cert/ - Edit, if necessary, the configuration file
${SB_HOME}/config/config.yaml:ssl.cert_ca- specify the name of the CA's x509 certificatessl.node_cert- file name of the x509 SAF Beat certificate
ssl.node_key- file name of the SAF Beat private keyssl.enable: true- enable SSL/TLSssl.verify: true- enable validation of the SAF Beat server certificate Manager- Start the SAF Beat service via
systemd
It is recommended to generate certificates with the following parameters:
keyUsage = critical, digitalSignature, keyEnciphermentextendedKeyUsage = serverAuth, clientAuthSubject Alternative Name- specify all possible IP and domain names of the server where the agent is installed
To generate a certificate, you can use the utility provided in the installer: $SM_INSTALLER/utils/ssl-tls-gen/gencerts.sh .
Using self-signed certificates
If the ssl.enable:true parameter is set in the ${SB_HOME}/config/config.yaml configuration, then the agent will check for the presence of ssl.node_cert and ssl.node_key files at startup, and in their absence it will generate self-signed certificates using the same paths.
The interaction between SAF Beat and SAF Beat Manager can be used with encryption, but without checking the certificates themselves, it is enough to set the following parameters:
ssl.node_certis the file name of the x509 SAF Beat certificatessl.node_keyis the file name of the SAF Beat private keyssl.enable: true- enable SSL/TLSssl.verify: false- disable validation of the SAF Beat Manager server certificate
User Change
In order to understand the user under whom SAF Beat works, it is necessary to manage the state:
- Turn on the SAF Beat system via
systemd - Replace the delimiters
${SB_HOME}and all user files and folders, example:chown -R $USER:$USER $SB_HOME/ - Add a split to something completely new for the SAF Beat user
- Lock the
/etc/systemd/system/safBeat.servicefile and specify theUserfield for the new user - Connect the
systemdserver
[Unit]
Description=SAF Beat
[Service]
User=safbeat
WorkingDirectory=/opt/safbeat
ExecStart=/opt/safbeat/safBeat
Restart=always
[Install]
WantedBy=multi-user.target
Changing the GUID
The GUID is formed based on the UUID of the disk that is mounted on the root of the file system. At startup, SAF Beat calculates the GUID and in the absence of the file ${SB_HOME}/config/guid.yml stores the received value in it. With an existing file, it compares the received value and the value in the file and writes the result in a log file.
If the virtual servers were cloned, then a situation may arise in which the UUIDs will be the same, for this you should add salt when generating the GUID. In the configuration file ${SB_HOME}/config/config.yaml, you need to add the parameter guid_salt. Currently, you can add 2 tokens, which are calculated for each server:
<IP>- substitutes the IP address from which themanager.hostserver is accessed or the value from theagent.ipparameter is taken (must be real, otherwise it will be selected randomly)<MAC>- substitutes the MAC of a network device that has the IP address obtained above
To change the SAF Beat GUID, follow these steps:
- Stop the SAF Beat service via
systemd - Delete the file
${SB_HOME}/config/guid.yml - Edit the configuration file
${SB_HOME}/config/config.yamland make changes to the parameterguid_salt- specify the necessary "salt", it is recommended to use the value from the tokens<IP> <MAC> - Start the SAF Beat service via
systemd
Description of the configuration file
The configuration file ${SB_HOME}/config/config.yaml consists of the following parameters:
| Parameter | Description | Default value |
|---|---|---|
guid_salt | Salt when generating GUID for SAF Beat. | <IP> <MAC> |
heartbeat.min_condition | The minimum connection frequency of SAF Beat. | 1m0s (1 minute) |
heartbeat.multiplier | Multiplier of the minimum connection frequency. | 2 |
heartbeat.max_condition | The maximum connection frequency. | 1h0m0s (1 hour) |
manager.host | Host (IP address or DNS name) SAF Beat Manager. | localhost |
manager.port | Port of SAF Beat Manager. | 7767 |
agent.ip | The IP address of the agent. It is used in the case of multiple network interfaces to select the agent's IP address to be sent to the SAF Beat Manager. The specified ip address must be assigned to one of the host's network interfaces, otherwise the parameter will be filled with the default value. An optional parameter. | The IP address of the network interface of the host through which the request to the SAF Beat Manager passes. |
agent.tags | An array of agent labels. On the SAF Beat Manager side, it is not used yet. Optional parameter. | [] |
agent.send_addrs | Enabling sending information about the host's network interfaces. If the value is true, then an array of addrs objects will be sent to SAF Beat Manager, where each object consists of three fields inter - the interface name, hwaddr - the physical address of the interface, ipv4 - the ip address assigned to the interface. On the SAF Beat Manager side, it is not used yet. Optional parameter. | true |
rotation.rotation_time | The frequency of rotation of the logging file. | 24h (24 hours) |
rotation.max_age | Lifetime of the logging file. | 168h (1 week) |
rotation.max_size | Limit the size of the logging file. | 10485760 (10 MB) |
rotation.log_level | Logging level. It can take the values trace, debug, info, warn, error, fatal'. It is recommended to use the debug` level for debugging. | info |
rotation.log_path | Directory for saving logs. | ./logs |
ssl.verify | Checking ssl certificates when securely connected to SAF Beat Manager. | false |
ssl.enable | Secure connection to SAF Beat Manager. | true |
ssl.cert_ca | Path to the CA of the certificate. | ./cert/ca-cert.pem |
ssl.node_cert | Path to generate the node certificate. | ./cert/node-cert.pem |
ssl.node_key | Path to generate the node key. | ./cert/node-key.pem |