If you already have Logstash installed and configured to collect events from the desired event sources, you can skip this section.
As a starting point, see the list of input plugins at Input Plugins. That list is not exhaustive; it is only a starting point for viewing some of the available input plugins.
The remainder of this section describes some examples.
Collect Apache File Logs
Apache typically writes its logs to files on disk, so to collect events from those files you could use Filebeat, which ships them to the Logstash beats input.
To install and configure Filebeat, see the following websites:
- Install the Filebeat service on Linux. Refer to the following link: Filebeat Installation
- Configure Filebeat to collect from specific logs. Refer to the following link: Filebeat Configuration
- Configure Filebeat to send the output to Logstash. Refer to the following link: Filebeat Logstash Output
Collect CentOS Audit Logs
To collect audit events from an operating system (for example CentOS), you could use Auditbeat, which likewise ships to the Logstash beats input.
To install and configure Auditbeat, see the following websites:
- Install the Auditbeat service on Linux. Refer to the following link: Auditbeat Installation
- Configure Auditbeat to collect the desired audit events. Refer to the following link: Auditbeat Configuration
- Configure Auditbeat to send the output to Logstash. Refer to the following link: Auditbeat Logstash Output
Configure Parameters for Filebeat or Auditbeat
For either Filebeat or Auditbeat, make sure to configure the input and output parameters. For Filebeat, modify /etc/filebeat/filebeat.yml (for Auditbeat, /etc/auditbeat/auditbeat.yml) as shown below.
To enable file collection, modify the Filebeat inputs section: enable an input and set its paths to the log files to collect.
Modify the Outputs as follows:
- Comment out the settings in the Elasticsearch Output section.
- Uncomment the Logstash output settings and provide the Logstash IP address and port.
Below is an example of the sections after changes are made:
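The following filebeat.yml fragments are an added example written for this page, not the original configuration; they show the Filebeat inputs section with file collection enabled, the Elasticsearch output commented out, and the Logstash output pointed at Logstash. The Apache log paths and the Logstash address 10.0.0.5:5044 are assumptions and must be replaced with your own values.

```yaml
# Added example, not from the original page: filebeat.yml fragments after the
# changes described above. Paths and the Logstash address are assumptions.

# ============================== Filebeat inputs ===============================
filebeat.inputs:
- type: filestream
  id: apache-access
  enabled: true
  # Assumed Apache access log locations (RHEL/CentOS and Debian layouts)
  paths:
    - /var/log/httpd/access_log
    - /var/log/apache2/access.log

# ---------------------------- Elasticsearch Output ----------------------------
# Commented out so events are not sent directly to Elasticsearch:
#output.elasticsearch:
#  hosts: ["localhost:9200"]

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # Logstash host and the port its beats input listens on (assumed values)
  hosts: ["10.0.0.5:5044"]
```

Only the inputs section differs for Auditbeat (it is configured through modules rather than filebeat.inputs); the Elasticsearch and Logstash output changes in auditbeat.yml are the same as shown here. The beats input on the Logstash side must listen on the same port.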
Configure Logstash Filters to Add NetWitness Meta
In order for an event to be processed in the Log Decoder as a specific data type, you need to add some meta key information to the event in Logstash.
- [@metadata][nw_type] — NetWitness device parser content name
- [@metadata][nw_msgid] — NetWitness message pattern to parse message
- [@metadata][nw_source_host] — Originating event source's IP or host value
Note: The value for nw_type must match the device parser name. It should be composed of lowercase characters, numbers, or underscore and be less than 29 characters in length.
Optionally, you can add the following meta key:
- [@metadata][nw_collection_host] — Collection system identifier (lc.cid)
By default, the NetWitness codec sends the complete JSON event as the payload to the NetWitness Log Decoder. If the device parser named by nw_type has a custom payload format and failover payload format, the NetWitness codec plugin must be configured to use them. See the Configure the Event Source section for more details.
The following code snippet contains an example of adding the required meta:
Code to Populate NetWitness Meta
filter {
  # Only set the NetWitness meta if an earlier filter has not already done so
  if ![@metadata][nw_type] {
    # Filebeat events are handled by the "linux" device parser
    if [agent][type] == "filebeat" {
      mutate {
        add_field => {
          "[@metadata][nw_type]"        => "linux"
          "[@metadata][nw_msgid]"       => "LOGSTASH001"
          "[@metadata][nw_source_host]" => "%{[host][hostname]}"
        }
      }
    }
  }
}
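The filter below is an added example, not code from the original page or from NetWitness. It extends the snippet above in three ways a practitioner would want: it routes Auditbeat events as well as Filebeat events, it sets nw_source_host with a fallback so the field never ends up holding the literal text "%{[host][hostname]}" when Beats did not populate host.hostname, and it tags any event whose nw_type violates the constraint stated in the note above (lowercase letters, digits or underscore, under 29 characters). The parser name "auditd", the message IDs LOGSTASH001 and LOGSTASH002, and the collection host value are assumptions; match them to the device parsers deployed on your Log Decoder.

```logstash
# Added example (not from the original page). Parser names, message IDs and
# the collection host value are assumptions.
filter {
  if ![@metadata][nw_type] {
    if [agent][type] == "filebeat" {
      mutate {
        add_field => {
          "[@metadata][nw_type]"  => "linux"
          "[@metadata][nw_msgid]" => "LOGSTASH001"
        }
      }
    } else if [agent][type] == "auditbeat" {
      mutate {
        add_field => {
          "[@metadata][nw_type]"  => "auditd"        # assumed parser name
          "[@metadata][nw_msgid]" => "LOGSTASH002"   # assumed message pattern
        }
      }
    }
  }

  # Originating host: prefer host.hostname (set by add_host_metadata), fall back
  # to host.name, which Beats always sets. Using a conditional instead of a bare
  # sprintf avoids shipping the unresolved "%{[host][hostname]}" string.
  if ![@metadata][nw_source_host] {
    if [host][hostname] {
      mutate { add_field => { "[@metadata][nw_source_host]" => "%{[host][hostname]}" } }
    } else if [host][name] {
      mutate { add_field => { "[@metadata][nw_source_host]" => "%{[host][name]}" } }
    }
  }

  # nw_type must match a device parser name: lowercase, digits or underscore,
  # fewer than 29 characters. Tag offenders so they can be found in the output.
  if [@metadata][nw_type] and [@metadata][nw_type] !~ /^[a-z0-9_]{1,28}$/ {
    mutate { add_tag => ["nw_type_invalid"] }
  }

  # Optional collection system identifier (lc.cid); value is an assumption.
  mutate { add_field => { "[@metadata][nw_collection_host]" => "logstash-collector-01" } }
}
```

Because fields under [@metadata] are not part of the event sent downstream, the nw_type_invalid tag is the visible signal; during testing, add a stdout output with the rubydebug codec and `metadata => true` to see the meta keys themselves.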