Elastic Beats are lightweight "data shippers". Filebeat's role in ROCK is to do just this: ship file data to the next step in the pipeline.
The following ROCK components depend on Filebeat to send their log files into the Kafka message queue:
Suricata - writes alerting data into
FSF - writes static file scan results to
The filebeat service is configured and enabled on startup. This can be verified with either of the following commands:
$ sudo rockctl status
$ sudo systemctl status filebeat
The configuration path for Filebeat is found at: