From 50e0c8d9cdb1d4c0c41cc622d95a1372c04143e2 Mon Sep 17 00:00:00 2001
From: Thorsten Sick
Date: Fri, 14 Jan 2022 11:37:37 +0100
Subject: [PATCH] Fixing filebeat

---
 experiment_control.py | 0
 .../linux_filebeat/filebeat_template.conf | 2 +-
 .../linux_filebeat/linux_filebeat_plugin.py | 23 ++++++++++++++-----
 3 files changed, 18 insertions(+), 7 deletions(-)
 mode change 100644 => 100755 experiment_control.py

diff --git a/experiment_control.py b/experiment_control.py
old mode 100644
new mode 100755
diff --git a/plugins/default/sensors/linux_filebeat/filebeat_template.conf b/plugins/default/sensors/linux_filebeat/filebeat_template.conf
index 249d6be..125babd 100644
--- a/plugins/default/sensors/linux_filebeat/filebeat_template.conf
+++ b/plugins/default/sensors/linux_filebeat/filebeat_template.conf
@@ -8,7 +8,7 @@ filter {}
 output {
   file {
-    path => "{{playground}}/filebeat.json"
+    path => "/tmp/filebeat_collection.json"
     codec => json
     id => "id_filebeat"
     create_if_deleted => true
diff --git a/plugins/default/sensors/linux_filebeat/linux_filebeat_plugin.py b/plugins/default/sensors/linux_filebeat/linux_filebeat_plugin.py
index fa04c3e..b1128d5 100644
--- a/plugins/default/sensors/linux_filebeat/linux_filebeat_plugin.py
+++ b/plugins/default/sensors/linux_filebeat/linux_filebeat_plugin.py
@@ -62,8 +62,10 @@ class LinuxFilebeatPlugin(SensorPlugin):
         # Cleanup
         self.run_cmd(f"rm {pg}/filebeat.json")
-        self.run_cmd(f"touch {pg}/filebeat.json")
-        self.run_cmd(f"chmod o+w {pg}/filebeat.json")
+        # self.run_cmd(f"touch {pg}/filebeat.json")
+        # self.run_cmd(f"chmod o+w {pg}/filebeat.json")
+        self.run_cmd("touch /tmp/filebeat_collection.json")
+        self.run_cmd("sudo chown logstash:logstash /tmp/filebeat_collection.json")
         return False
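Review bot: The new `path => "/tmp/filebeat_collection.json"` on the `+` line moves the collected events from the per-run playground to a fixed, predictable name in the shared `/tmp`, where any local account can pre-create that name, or a symlink under it, before logstash (with `create_if_deleted => true`) and the `touch`/`sudo chown logstash:logstash` sequence in the `linux_filebeat_plugin.py` hunk at line 62 act on it. Keeping the output under a directory that only logstash and the collector can write to (the existing playground, or a dedicated directory with a restrictive mode) removes that hijack window and, depending on the mode logstash gives the file, also stops other users on the sensor box from reading the collected log data. If `/tmp` is kept, the plugin should create a fresh private subdirectory per run rather than chown a pre-existing path.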
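Review bot: The cleanup on the context line still removes the old `{pg}/filebeat.json`, while the new `/tmp/filebeat_collection.json` is only touched; `touch` does not truncate, so events a previous run already wrote there survive and are collected again. Replace the two commented-out lines with `self.run_cmd("sudo rm -f /tmp/filebeat_collection.json")` ahead of the `touch`, and since `chown` follows symlinks, consider verifying that the path is a regular file created by this run before handing it to `sudo chown`. The enclosing method begins outside the hunk.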
@@ -75,11 +77,18 @@ class LinuxFilebeatPlugin(SensorPlugin):
     def start(self):
         self.run_cmd("sudo filebeat modules enable system iptables")
-        self.run_cmd("sudo filebeat setup --pipelines --modules iptables,system,")
+        self.run_cmd("sudo filebeat setup --pipelines --modules iptables,system,")  # check with sudo filebeat modules list
         # self.run_cmd("sudo systemctl start logstash.service")
-        self.run_cmd("sudo nohup /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/filebeat.conf &", disown=True)
+        # self.run_cmd("sudo nohup /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/filebeat.conf &", disown=True)
+        self.run_cmd("sudo chown logstash:logstash filebeat.json")  # check with: systemctl status logstash.service
+        self.run_cmd("sudo systemctl start logstash")  # check with: systemctl status logstash.service
+        self.run_cmd("sudo systemctl enable logstash")  # check with: systemctl status logstash.service
         time.sleep(20)
-        self.run_cmd("sudo service filebeat start")
+        self.run_cmd("sudo systemctl start filebeat")  # check with: systemctl status filebeat.service
+        self.run_cmd("sudo systemctl enable filebeat")  # check with: systemctl status filebeat.service
+
+        # Check the logs: sudo journalctl -u filebeat.service
+        # Check the logs: sudo journalctl -u logstash.service
         return None
@@ -91,6 +100,8 @@ class LinuxFilebeatPlugin(SensorPlugin):
         """ Collect sensor data """
         pg = self.get_playground()
+        breakpoint()
         dst = os.path.join(path, "filebeat.json")
-        self.get_from_machine(f"{pg}/filebeat.json", dst)  # nosec
+        # self.get_from_machine(f"{pg}/filebeat.json", dst)  # nosec
+        self.get_from_machine("/tmp/filebeat_collection.json", dst)  # nosec
         return [dst]
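Review bot: `self.run_cmd("sudo chown logstash:logstash filebeat.json")` on the first added line of `start` uses a bare relative name, so it acts on a `filebeat.json` in whatever directory the remote shell starts in, not on the `/tmp/filebeat_collection.json` the conf file and the other hunks use; it is presumably a leftover and should be removed or changed to `self.run_cmd("sudo chown logstash:logstash /tmp/filebeat_collection.json")`. The trailing comma in `--modules iptables,system,` is carried unchanged onto the re-added line and is worth dropping while the line is being touched. The three identical `# check with: systemctl status logstash.service` trailers could become one comment above the block, and the commented-out `nohup` line can be deleted now that systemd manages logstash. `systemctl enable` also persists past the experiment (both services will start at boot); if that is intended, a comment saying so would help the next reader.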
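Review bot: `breakpoint()` on the added line of the collect method drops into pdb on every collection, which hangs the run wherever stdin is not a terminal; it must be removed before merge. With the playground path now commented out, `pg = self.get_playground()` on the context line above is unused, and the commented-out `get_from_machine` line can be deleted rather than kept. The method's `def` line is outside the hunk.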