Rothirsch Technologies Hintergrund



In this tutorial we will describe situation about our daily use with ARM devices and elastic


Building and providing

The elastic team doesn’t provide deb packages for ARM devices. But together with docker, we’re able to build the main executable for it. We will create a build directory which includes anything to install filebeat on a ARM device. So please stay inside the build directory the whole time you are using this tutorial.

mkdir build && cd $_

Prepare source code

First we will download, check and extract the source code of filebeat. Source:

sha512sum filebeat-7.6.0-linux-x86.tar.gz

Extract and prepare

tar xfz filebeat-7.6.0-linux-x86.tar.gz --transform 's/filebeat-7.6.0-linux-x86/filebeat-latest/'

Using docker

Install docker on any machine you want. We use a host with Debian Buster installed

Install docker on a Debian Buster x64 machine

sudo apt install apt-transport-https ca-certificates curl gnupg2 software-properties-common
wget -q -O - | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] stretch stable
apt update
sudo apt install docker-ce

Instantiate a go container for cross-compilation (Debian Buster x64) Using latest docker go image

docker run -it --rm -v `pwd`:/build golang:1.14 /bin/bash

Inside the “go” docker container create filebeat for arm and arm64

go get
cd /go/src/
git checkout v7.6.0
GOARCH=arm go build
cp filebeat /build/filebeat-arm
GOARCH=arm64 go build
cp filebeat /build/filebeat-arm64

You can find the filebeat executeable inside your build directory. Leave it there for the moment.

Download installation scripts

I wrote an install script and collected a few files from other filebeat installations and uploaded them to You can find any information on the github repository itself. So we will clone the repository to the build directory.

git clone

Filebeat configuration

Now you have to copy the filebeat.yml so that that the we’ll use later on can move it to the right place.

cp filebeat-latest/filebeat.yml my-filebeat.yml

and change it to your needs

vi my-filebeat.yml

Other configurations

There are other configurations that might interests you.

cp filebeat-latest/modules.d/YOUR_MODULE.yml.disabled my-YOUR_MODULE.yml

Change this files too

vi my-YOUR_MODULE.yml

The install script will loop through all .yml files starting with my- and will copy them to the right direction

Ready for installation

The build directory is ready to use. You are able to upload the build directory to a ARM server of your choice and execute the there.

rsync -av --exclude={".git","*.tar.gz","*.tar.gz.sha512"} ../build/ server-of-your-choice:/opt/build/
ssh server-of-your-choice
cd /opt/build/
bash /opt/build/RT-Blog-elastic/
rm -rf /opt/build/


You’re able to enable modules with the installation script. Create a file called modules.list inside the build directory and write the modules separated by whitespaces like

iptables system apache



Armbian article

Elastic and ARM