Tutorial Build and install filebeat on arm and arm64 devices using Armbian

[_r9]

Tested this on clearfog base, banana pi m64, banana pi m2+

 

## Building and providing

The elastic team doesn't provide deb packages for ARM devices. But together with docker, we're able to build the main executable for it. We will create a build directory which includes anything to install filebeat on a ARM device. So please stay inside the build directory the whole time you are using this tutorial.

 mkdir build && cd $_

 

 

## Prepare source code

First we will download, check and extract the source code of filebeat. Source: https://www.elastic.co/downloads/past-releases/filebeat-7-6-2

wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.0-linux-x86.tar.gz
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.0-linux-x86.tar.gz.sha512
sha512sum filebeat-7.6.0-linux-x86.tar.gz

 

Extract and prepare

tar xfz filebeat-7.6.0-linux-x86.tar.gz --transform 's/filebeat-7.6.0-linux-x86/filebeat-latest/'

 
## Using docker
Install docker on any machine you want. We use a host with Debian Buster installed.

### Install docker on a Debian Buster x64 machine

sudo apt install apt-transport-https ca-certificates curl gnupg2 software-properties-common
wget -q -O - https://download.docker.com/linux/debian/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian stretch stable
apt update
sudo apt install docker-ce

 

Instantiate a go container for cross-compilation (Debian Buster x64)
Using latest docker go image

docker run -it --rm -v `pwd`:/build golang:1.14 /bin/bash

 

Inside the "go" docker container create filebeat for arm modules.listand arm64

go get github.com/elastic/beats
cd /go/src/github.com/elastic/beats/filebeat/
git checkout v7.6.0
GOARCH=arm go build
cp filebeat /build/filebeat-arm
GOARCH=arm64 go build
cp filebeat /build/filebeat-arm64
exit

 

You can find the filebeat executeable inside your build directory. Leave it there for the moment.

## Download installation scripts    
I wrote an install script and collected a few files from other filebeat installations and uploaded them to github.com.
You can find any information on the github repository itself. So we will clone the repository to the build directory.

git clone https://github.com/rothirschtec/RT-Blog-elastic.git

## Filebeat configuration
Now you have to copy the filebeat.yml so that that the install.sh we'll use later on can move it to the right place.

cp filebeat-latest/filebeat.yml my-filebeat.yml

   

and change it to your needs

vi my-filebeat.yml

 

## Other configurations
There are other configurations that might interests you.

cp filebeat-latest/modules.d/YOUR_MODULE.yml.disabled my-YOUR_MODULE.yml

 

Change this files too

vi my-YOUR_MODULE.yml

   

The install script will loop through all .yml files starting with my- and will copy them to the right direction

 

## Ready for installation
The build directory is ready to use. You are able to upload the build directory to a ARM server of your choice and execute the install.sh there.

rsync -av --exclude={".git","*.tar.gz","*.tar.gz.sha512"} ../build/ server-of-your-choice:/opt/build/
ssh server-of-your-choice
cd /opt/build/
bash /opt/build/RT-Blog-elastic/install.sh
rm -rf /opt/build/

 

## Modules

You're able to enable modules with the installation script. Create a file called modules.list inside the build directory and write the modules separated by whitespaces like
 

iptables system apache