The instructions provided below specify the steps to build Beats 8.17.4 on Linux on IBM Z for the following distributions:

• RHEL (8.8, 8.10, 9.2, 9.4, 9.5)
• SLES 15 SP6
• Ubuntu (22.04, 24.04)

General Notes:

• When following the steps below please use a standard permission user unless otherwise specified.

• A directory /<source_root>/ will be referred to in these instructions, this is a temporary writable directory anywhere you'd like to place it.

If you want to build Beats using manual steps, go to STEP 2.

Use the following commands to build Beats using the build script. Please make sure you have wget installed.

wget -q https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Beats/8.17.4/build_beats.sh

# Build Beats
bash build_beats.sh   [Provide -t option for executing build with tests]

If the build completes successfully, go to STEP 4. In case of error, check logs for more details or go to STEP 2 to follow manual build steps.

export SOURCE_ROOT=/<source_root>/
export PATCH_URL="https://raw.githubusercontent.com/linux-on-ibm-z/scripts/master/Beats/8.17.4/patch"

• RHEL (8.8, 8.10)

  sudo yum install -y git curl make wget tar gcc gcc-c++ libpcap-devel openssl openssl-devel which acl zlib-devel patch systemd-devel libjpeg-devel python3.11 python3.11-devel bzip2-devel gdbm-devel libdb-devel libffi-devel libuuid-devel ncurses-devel readline-devel sqlite-devel tk-devel xz xz-devel

• RHEL (9.2, 9.4, 9.5)

  sudo yum install -y git curl make wget tar gcc gcc-c++ libpcap-devel openssl openssl-devel which acl zlib-devel patch systemd-devel libjpeg-devel python3.11 python3.11-devel bzip2-devel gdbm-devel libdb-devel libffi-devel libuuid-devel ncurses-devel readline-devel sqlite-devel tk-devel xz xz-devel

• SLES 15 SP6

  sudo zypper install -y git curl gawk make wget tar gcc gcc-c++ libpcap libpcap-devel acl patch libsystemd0 systemd-devel libjpeg62-devel openssl libopenssl-devel zlib-devel gzip gdbm-devel libbz2-devel libdb-4_8-devel libffi-devel libnsl-devel libuuid-devel ncurses-devel readline-devel sqlite3-devel tk xz-devel timezone

• Ubuntu (22.04, 24.04)

  sudo apt-get update
  sudo DEBIAN_FRONTEND=noninteractive apt-get install -y git curl make wget tar gcc g++ libcap-dev libpcap0.8-dev openssl libssh-dev acl rsync tzdata patch fdclone libsystemd-dev libjpeg-dev libffi-dev libbz2-dev libdb-dev libgdbm-dev liblzma-dev libncurses-dev libreadline-dev libsqlite3-dev libssl-dev tk-dev uuid-dev xz-utils zlib1g-dev

• Install Python 3.11.4

  Python >= 3.7 is required for running tests. Install Python 3.11.4 using the following script:

  wget -q https://www.python.org/ftp/python/3.11.4/Python-3.11.4.tgz
  tar -xzf Python-3.11.4.tgz
  cd Python-3.11.4
  ./configure --prefix=/usr/local --exec-prefix=/usr/local
  make
  sudo make install
  export PATH=/usr/local/bin:$PATH
  

  Set the newly installed Python as default.

  sudo update-alternatives --install /usr/bin/python python /usr/local/bin/python3.11 10 # except for RHEL 8.x 
  sudo update-alternatives --install /usr/local/bin/python3 python3 /usr/bin/python3.11 10 # for RHEL 9.x
  sudo update-alternatives --install /usr/bin/python3 python3 /usr/local/bin/python3.11 10 # except for RHEL 9.x
  sudo update-alternatives --display python3
  python3 -V

• Install pip (for Ubuntu, RHEL 8.x, RHEL 9.x and SLES)

  wget --no-check-certificate https://bootstrap.pypa.io/get-pip.py
  python3 get-pip.py
  rm get-pip.py

• Install below dependencies

  pip3 install wheel -v
  pip3 install "cython<3.0.0" pyyaml==6.0.2 --no-build-isolation -v

• Install rustc

  cd $SOURCE_ROOT
  wget --no-check-certificate -O rustup-init.sh https://sh.rustup.rs
  bash rustup-init.sh -y
  export PATH=$PATH:$HOME/.cargo/bin
  rustup toolchain install 1.76.0
  rustup default 1.76.0

cd $SOURCE_ROOT
wget --no-check-certificate https://go.dev/dl/go1.22.0.linux-s390x.tar.gz
chmod ugo+r go1.22.0.linux-s390x.tar.gz
sudo tar -C /usr/local -xzf go1.22.0.linux-s390x.tar.gz
export PATH=$PATH:/usr/local/go/bin
sudo ln /usr/bin/gcc /usr/bin/s390x-linux-gnu-gcc     # For RHEL & SLES
go version

export GOPATH=$(go env GOPATH)
mkdir -p $GOPATH
export PATH=$GOPATH/bin:$PATH

The default permissions of files in the GOPATH directory should not have write access for group or others. Check default permissions using the below commands

cd $GOPATH
touch test && ls -la test && rm test

If group or others have write access to this test file, then we have to change the default permissions using ACL.

sudo setfacl -dm u::rwx,g::r,o::r $GOPATH
cd $GOPATH
touch test && ls -la test && rm test

If you get an error like setfacl: Operation not supported. ACL might be disabled on your filesystem. To enable ACL refer the below links:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-access_control_lists (RHEL)
https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-security-acls.html (SLES) https://help.ubuntu.com/community/FilePermissionsACLs (Ubuntu)

Please note that ACL cannot be enabled or modified from NFS client.

export GRPC_PYTHON_BUILD_SYSTEM_OPENSSL=true
export PYTHON_EXE=python3
export PYTHON_ENV=/tmp/venv3
mkdir -p $GOPATH/src/github.com/elastic
cd $GOPATH/src/github.com/elastic
git clone -b v8.17.4 https://github.com/elastic/beats.git
cd beats
curl -sSL ${PATCH_URL}/metricbeat.patch | git apply
cd $GOPATH/src/github.com/elastic
git clone -b v0.6.0 https://github.com/elastic/ebpfevents.git
cd ebpfevents
curl -sSL ${PATCH_URL}/ebpfevents.patch | git apply - || error "ebpfevents patch"
go install golang.org/x/tools/cmd/stringer@latest
export PATH=$PATH:$(go env GOPATH)/bin
go generate ./...

Currently Beats available for linux are: filebeat, packetbeat, metricbeat, heartbeat and auditbeat.

Notes: Not all distros listed above are supported by each Beat, see https://www.elastic.co/support/matrix.

• For filebeat, packetbeat and heartbeat

cd $GOPATH/src/github.com/elastic/beats/<beat_name>
make
make update
make fmt
make unit
make system-tests

• For auditbeat

cd $GOPATH/src/github.com/elastic/beats/auditbeat
go mod edit -replace=github.com/elastic/[email protected]=$GOPATH/src/github.com/elastic/ebpfevents
go mod tidy
make build
make update
make fmt
cd $GOPATH/src/github.com/elastic
git clone -b v0.1.0 https://github.com/elastic/tk-btf.git
cd tk-btf
curl -sSL ${PATCH_URL}/tk-btf.patch | git apply - || error "tk-btf patch"
go generate ./...
cd $GOPATH/src/github.com/elastic/beats/auditbeat
go mod edit -replace=github.com/elastic/[email protected]=$GOPATH/src/github.com/elastic/tk-btf
go mod tidy
make test

• For metricbeat

cd $GOPATH/src/github.com/elastic/beats/metricbeat
go install github.com/magefile/mage@latest
mage build
mage update
mage fmt
mage test

• Adding to /usr/bin

sudo cp "./<beat_name>" /usr/bin/

For example, for Packetbeat:

cd $GOPATH/src/github.com/elastic/beats/packetbeat
make packetbeat
make update
make fmt
make unit
make system-tests

• Adding Packetbeat to /usr/bin

sudo cp "./packetbeat" /usr/bin/

Notes:

• We are skipping integration-test as it uses dockerfiles and docker images specific to x86.
• Below tests are failing on s390x and x86
  github.com/elastic/beats/v7/filebeat/input/journald
github.com/elastic/beats/v7/metricbeat/module/system/service

To run a Beat use the command as shown below.

cd $GOPATH/src/github.com/elastic/beats/<beat_name>
sudo ./<beat_name> -e -c <beat_name>.yml -d "publish"

For example, for Packetbeat:

cd $GOPATH/src/github.com/elastic/beats/packetbeat
sudo ./packetbeat -e -c packetbeat.yml -d "publish"

Notes:

If you get an error like CRIT Exiting: error loading config file: config file ("<beat_name>.yml") must be owned by the beat user (uid=0) or root,either change the owner of the yml file to root user

sudo chown root <beat_name>.yml
sudo ./<beat_name> -e -c <beat_name>.yml -d "publish"

or disable strict permission and ownership check from commandline

 sudo ./<beat_name> -strict.perms=false -e -c <beat_name>.yml -d "publish"

• https://www.elastic.co/guide/en/beats/devguide/current/beats-contributing.html
• https://www.elastic.co/guide/en/beats/libbeat/8.17/beats-reference.html