
Logstash:Configure the Event Source

Document created by RSA Information Design and Development Employee on Sep 9, 2020
 

If you already have Logstash installed and configured to collect events from the desired event sources, you can skip this section.

As a starting point, view the list of input plugins here: Input Plugins. The list is not exhaustive; it is only a place to start looking at the available input plugins.

The remainder of this section describes some examples.

Collect Apache File Logs

Typically, Apache logs are written to files on disk, so to collect events from those files you can use Filebeat, a log shipper that forwards to the Logstash beats input.

To install and configure Filebeat, see the following websites:

  1. Install the Filebeat service on Linux. Refer to the following link: Filebeat Installation
  2. Configure Filebeat to collect from specific logs. Refer to the following link: Filebeat Configuration
  3. Configure Filebeat to send the output to Logstash. Refer to the following link: Filebeat Logstash Output

Collect CentOS Audit Logs

To collect audit events from an operating system (for example CentOS), you can use Auditbeat, which reads from the Linux audit framework and forwards to the Logstash beats input.

To install and configure Auditbeat, see the following websites:

  1. Install the Auditbeat service on Linux. Refer to the following link: Auditbeat Installation
  2. Configure the Auditbeat modules to collect the audit events you need. Refer to the following link: Auditbeat Configuration
  3. Configure Auditbeat to send the output to Logstash. Refer to the following link: Auditbeat Logstash Output

Configure Parameters for Filebeat or Auditbeat

For Filebeat or Auditbeat, make sure to configure both the input and the output parameters. Modify /etc/filebeat/filebeat.yml (for Auditbeat, /etc/auditbeat/auditbeat.yml) as described below.

To enable file collection, set the log file paths in the filebeat.inputs section, as shown in the following image:

[Image: Filebeat input path parameter example]

Modify the Outputs as follows:

  • Comment out the settings in the Elasticsearch Output section. A Beat allows only one output to be enabled at a time, so Filebeat refuses to start while both outputs are configured.
  • Uncomment the Logstash output settings and provide the Logstash host IP and the port on which its beats input listens.

Below is an example of the sections after the changes are made:

[Image: Filebeat output parameters example]
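The following filebeat.yml is an added example of the finished input and output sections described in the steps above; it is not taken from the RSA page or from the Filebeat project. The Apache log paths, the Logstash address 192.0.2.10, the custom field name log_source and the certificate paths are assumptions for illustration.

```yaml
# /etc/filebeat/filebeat.yml (added example; paths, 192.0.2.10, log_source
# and the certificate locations are assumptions, not values from the RSA page)

filebeat.inputs:
  # Apache on CentOS/RHEL logs under /var/log/httpd; Debian/Ubuntu use /var/log/apache2.
  # Newer Filebeat releases prefer "type: filestream" over the classic log input.
  - type: log
    enabled: true
    paths:
      - /var/log/httpd/access_log
      - /var/log/httpd/error_log
    # Arrives in Logstash as [fields][log_source], so a filter can branch on the
    # source rather than on the agent type alone (hypothetical field name)
    fields:
      log_source: apache

# Only one output may be enabled, so the Elasticsearch block stays commented out
#output.elasticsearch:
#  hosts: ["localhost:9200"]

output.logstash:
  hosts: ["192.0.2.10:5044"]     # Logstash host; 5044 is the beats input default port
  # Recommended: encrypt and authenticate the connection to Logstash
  #ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
  #ssl.certificate: "/etc/filebeat/certs/filebeat.crt"
  #ssl.key: "/etc/filebeat/certs/filebeat.key"
```

Check the file before restarting the service: filebeat test config -c /etc/filebeat/filebeat.yml validates the syntax, and filebeat test output attempts a connection to the configured Logstash host, which catches a wrong IP, port or blocked firewall before any events are lost.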

Configure Logstash Filters to Add NetWitness Meta

In order for an event to be processed in the Log Decoder as a specific data type, you need to add some meta key information to the event in Logstash.

  • [@metadata][nw_type] — NetWitness device parser content name
  • [@metadata][nw_msgid] — NetWitness message pattern to parse message
  • [@metadata][nw_source_host] — Originating event source's IP or host value

Note: The value for nw_type must match the device parser name. It must consist only of lowercase letters, digits, and underscores, and be less than 29 characters in length.

Optionally, you can add the following meta key:

[@metadata][nw_collection_host] — Collection system identifier (lc.cid)

By default, the NetWitness codec sends the complete JSON event as the payload to the NetWitness Log Decoder. If the device parser named in nw_type has a custom payload format and a failover payload format, the NetWitness codec plugin must be configured to use them. See the Configure the Event Source section for details.

The following code snippet contains an example of adding the required meta:

Code to Populate NetWitness Meta

filter {
  # Leave the meta alone if an earlier filter stage has already set it
  if ![@metadata][nw_type] {
    # Events shipped by Filebeat carry [agent][type] == "filebeat"
    if [agent][type] == "filebeat" {
      mutate {
        add_field => {
          "[@metadata][nw_type]" => "linux"                        # must match a device parser name
          "[@metadata][nw_msgid]" => "LOGSTASH001"                 # message pattern within that parser
          "[@metadata][nw_source_host]" => "%{[host][hostname]}"   # hostname reported by the Beat
        }
      }
    }
  }
}
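The pipeline below is an added example, not code from the RSA page, that extends the snippet above into a complete Logstash configuration: a beats input for the Filebeat and Auditbeat shippers configured earlier, a filter that sets the required meta for both shippers, enforces the nw_type naming rule from the note above, and falls back to the host IP when no hostname is present, plus a debug output for checking the result. The listening port, the parser name "auditd", the msgid value "LOGSTASH002", the tag names and the certificate paths are assumptions; substitute the parser and message pattern names that exist on your Log Decoder.

```conf
# /etc/logstash/conf.d/netwitness.conf (added example; port 5044, the "auditd"
# parser name, "LOGSTASH002", the tag names and the certificate paths are assumptions)

input {
  beats {
    port => 5044
    # Recommended: TLS with client certificates. The beats input needs the key in PKCS#8 format.
    # ssl => true
    # ssl_certificate => "/etc/logstash/certs/logstash.crt"
    # ssl_key => "/etc/logstash/certs/logstash.pkcs8.key"
    # ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
    # ssl_verify_mode => "force_peer"
  }
}

filter {
  # Respect meta that an upstream stage has already set
  if ![@metadata][nw_type] {
    if [agent][type] == "filebeat" {
      mutate {
        add_field => {
          "[@metadata][nw_type]"  => "linux"
          "[@metadata][nw_msgid]" => "LOGSTASH001"
        }
      }
    } else if [agent][type] == "auditbeat" {
      mutate {
        add_field => {
          "[@metadata][nw_type]"  => "auditd"        # hypothetical parser name
          "[@metadata][nw_msgid]" => "LOGSTASH002"   # hypothetical message pattern
        }
      }
    } else {
      # Unknown shipper: tag the event so it is visible instead of silently untyped
      mutate { add_tag => [ "_nw_type_missing" ] }
    }
  }

  # Enforce the parser-name rule: lowercase letters, digits, underscore, under 29 characters
  if [@metadata][nw_type] and [@metadata][nw_type] !~ /^[a-z0-9_]{1,28}$/ {
    mutate { add_tag => [ "_nw_type_invalid" ] }
  }

  # Originating host: prefer the hostname, fall back to the first IP the Beat reported
  if ![@metadata][nw_source_host] {
    if [host][hostname] {
      mutate { add_field => { "[@metadata][nw_source_host]" => "%{[host][hostname]}" } }
    } else if [host][ip] {
      mutate { add_field => { "[@metadata][nw_source_host]" => "%{[host][ip][0]}" } }
    }
  }
}

output {
  # Verification only: rubydebug omits @metadata unless metadata => true.
  # Replace this with the NetWitness output once the fields look right.
  stdout { codec => rubydebug { metadata => true } }
}
```

Validate the syntax with bin/logstash -f /etc/logstash/conf.d/netwitness.conf --config.test_and_exit, then run the pipeline and confirm on the console that every event shows the three nw_* keys under @metadata before switching the output to the NetWitness codec. Events carrying the _nw_type_missing or _nw_type_invalid tag indicate a shipper or parser name the filter does not yet handle.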
