@subfission
Last active November 7, 2022 14:43
One liner for filebeat install on pfsense/opnsense for Suricata.
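#!/bin/sh
# Installs a fixed filebeat version on pfSense/OPNsense and points it at a
# Logstash endpoint for Suricata EVE logs. It writes /etc/rc.conf.local and
# /usr/local/etc, runs pkg and service, so it has to run with root privileges.
# Prompts for the Logstash host:port; the value is interpolated into
# /usr/local/etc/filebeat.yml later in the script.
BEATVER="6.8.6"
read -r -p "What is the Logstash host:port? " HOST_TARG
# Fail fast on an empty answer: it would otherwise end up as hosts: [""] in
# the generated config and the service would be started against nothing.
if [ -z "$HOST_TARG" ]; then
  echo "A Logstash host:port is required, aborting." >&2
  exit 1
fi
echo ">$HOST_TARG"
# Remembered so the exit handler can return here after working in /tmp.
CURR_DIR=$(pwd)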
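#######################################
# Exit handler, installed for EXIT, INT and TERM.
# Globals:   BEATVER (read), CURR_DIR (read)
# Arguments: none
# Outputs:   progress line on stdout
# Returns:   exits with the status the script was leaving with
#######################################
# POSIX function syntax: the 'function' keyword is not part of /bin/sh.
exiting() {
  # Capture before any command below overwrites it.
  rc=$?
  # Disarm the traps so a signal-triggered run does not fire the EXIT trap a
  # second time (and attempt the cleanup twice).
  trap - EXIT INT TERM
  echo "Cleaning up..."
  # Remove only what this script fetched: the tarball, its .sha512 and the
  # extracted tree. The path is anchored under /tmp so an early exit (before
  # the script has changed into /tmp) never deletes filebeat* from the
  # caller's working directory; -r is needed for the extracted directory.
  /bin/rm -rf -- "/tmp/filebeat-${BEATVER}-linux-x86_64"*
  cd "$CURR_DIR"
  exit "$rc"
}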
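# One trap line for all three conditions; unprefixed signal names are the
# portable spelling for /bin/sh.
trap exiting EXIT INT TERM

# Stop filebeat if it's already running...
if [ -f /usr/local/etc/rc.d/filebeat ]; then
  printf '%s' "Stopping filebeat service..."
  /usr/sbin/service filebeat stop
  echo " done."
fi

# Remove current version and config. Failures here are tolerated on purpose:
# on a fresh install there is nothing to remove.
echo "Removing filebeat..."
/usr/sbin/pkg remove -y beats
/bin/rm -f /usr/local/etc/rc.d/filebeat.sh /usr/local/etc/filebeat.yml
echo " done."

# Install new version. The package version is tied to BEATVER because the
# module files fetched below must come from the matching upstream release.
# NOTE(review): 'pkg add' of a bare URL is believed not to go through the
# signed repository catalogue that 'pkg install' uses — confirm, and prefer
# 'pkg install beats' from a configured repo when its version matches.
printf '%s' "Installing filebeat..."
/usr/sbin/pkg add -f "https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/beats-$BEATVER.txz" || exit 1
echo " done."

# The FreeBSD package lacks the module definitions, so they are taken from
# the upstream Linux tarball of the same version (only modules.d and module
# are used; the Linux binary inside is discarded by the exit handler).
echo "Downloading missing filebeat packages..."
cd /tmp || exit 1
TARBALL="filebeat-$BEATVER-linux-x86_64.tar.gz"
BEATS_URL="https://artifacts.elastic.co/downloads/beats/filebeat"
# -f: fail on an HTTP error instead of saving the error page as the tarball.
/usr/local/bin/curl -f -o "$TARBALL" "$BEATS_URL/$TARBALL" || exit 1
/usr/local/bin/curl -f -o "$TARBALL.sha512" "$BEATS_URL/$TARBALL.sha512" || exit 1
# Integrity check. The .sha512 file holds "<hex digest>  <filename>", so the
# first field is compared against the tarball's SHA-512 (sha512 -q prints the
# bare digest). The digest type has to match the file: sha256 cannot verify a
# .sha512, and the result must actually abort the install on mismatch. Since
# the digest comes from the same origin as the tarball this detects corruption
# and truncation, not a compromised download host.
expected=$(cut -d ' ' -f 1 "$TARBALL.sha512")
actual=$(sha512 -q "$TARBALL")
if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
  echo "Checksum mismatch for $TARBALL, aborting." >&2
  exit 1
fi
/usr/bin/tar zxf "$TARBALL" || exit 1
/bin/mkdir -p /var/db/beats/filebeat
# Replace module files left by a previous run; otherwise mv would nest the
# new directory inside the existing one instead of replacing it.
/bin/rm -rf -- /var/db/beats/filebeat/modules.d /var/db/beats/filebeat/module
/bin/mv "filebeat-$BEATVER-linux-x86_64/modules.d" /var/db/beats/filebeat/ || exit 1
/bin/mv "filebeat-$BEATVER-linux-x86_64/module" /var/db/beats/filebeat/ || exit 1
echo "done."

# Make filebeat auto start at boot (the rc.d script is copied under a .sh
# name — presumably what the pfSense/OPNsense boot sequence picks up; confirm).
printf '%s' "Installing rc script..."
/bin/cp /usr/local/etc/rc.d/filebeat /usr/local/etc/rc.d/filebeat.sh || exit 1
echo " done."

# Add the startup variable to rc.conf.local unless it is already there.
# A missing file makes grep fail (stderr silenced), which also takes the
# "enable" branch, so the file-existence test is not needed separately.
if ! grep -q filebeat_enable /etc/rc.conf.local 2>/dev/null; then
  printf '%s' "Enabling filebeat service..."
  echo "filebeat_enable=YES" >> /etc/rc.conf.local
  echo " done."
fi

# Unquoted delimiter on purpose: $HOST_TARG is expanded into the config.
echo "Adding filebeat config to /usr/local/etc/filebeat.yml"
cat > /usr/local/etc/filebeat.yml <<EOF
filebeat.config:
  modules:
    enabled: false
    path: /var/db/beats/filebeat/modules.d/*.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - "/var/log/suricata/eve.json*"
  fields_under_root: true
  fields:
    event.type: suricata
  tags: ["suricata","json"]
- type: log
  paths:
    - "/var/syslog-ng/default.log"
  fields_under_root: true
  fields:
  tags: ["pfsense"]
output.logstash:
  hosts: ["$HOST_TARG"]
processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
logging.to_syslog: false
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat.log
  keepfiles: 4
EOF
echo "done."

# Start it up:
printf '%s' "Starting filebeat service..."
/usr/sbin/service filebeat start || exit 1
echo "done."

read -r -p "Install filebeat kibana settings? [y/N] " response
case "$response" in
  [yY])
    read -r -p "What is the Kibana host:port? " KIBANA_HOST
    read -r -p "What is the ElasticSearch host:port? " ELASTIC_HOST
    echo "Bypassing Logstash and installing index templates and dashboards..."
    # Each -E value is double-quoted so the shell expands the host variables;
    # bare single quotes around $ELASTIC_HOST would pass the name literally.
    /usr/local/sbin/filebeat -c /usr/local/etc/filebeat.yml setup -e \
      -E output.logstash.enabled=false \
      -E "output.elasticsearch.hosts=['$ELASTIC_HOST']" \
      -E "setup.kibana.host=$KIBANA_HOST" \
      -E path.home=/var/db/beats/filebeat
    echo "done."
    ;;
  *)
    echo "Skipping" ;;
esac
echo "Finished install!"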