
Logstash:Configure Logstash Output Plugins

Document created by RSA Information Design and Development Employee on Sep 9, 2020

Logstash TCP Output

In order to send the events from Logstash to NetWitness, we use the TCP output plugin: https://www.elastic.co/guide/en/logstash/current/plugins-outputs-tcp.html

The TCP output is configured with the NetWitness codec, which formats the outgoing events to be consumable by a NetWitness Log Decoder or Virtual Log Collector (VLC).

The following is an example of a properly configured output block using TCP and the NetWitness codec:

Output Block

output {
  tcp {
    id => "nw-output-tcp"
    host => "10.10.1.2" #IP or Hostname of destination Log Decoder or VLC
    port => 514
    codec => netwitness
  }
}

Logstash TLS Output

The output block can be further configured to allow for TLS communication between Logstash and NetWitness. An example of a properly configured output block using TLS and the NetWitness codec:

TLS Output Block

output {
  tcp {
    id => "nw-output-tcp"
    host => "10.10.1.2" #IP or Hostname of destination Log Decoder or VLC
    port => 6514
    ssl_enable => true
    codec => netwitness
  }
}

TLS with Log Decoder (or Virtual Log Collector) Verification

TLS can also be set up so that Logstash verifies the identity of the Log Decoder or Virtual Log Collector (VLC) with which it communicates. To do this, the Root and Intermediate CA certificates need to be obtained and stored in a truststore for Logstash.

  1. On the Log Decoder (or VLC) to which you will be sending events, run the following command:

    cat /etc/pki/nw/ca/nwca-cert.pem /etc/pki/nw/ca/ssca-cert.pem > nw-truststore.pem

  2. Copy the nw-truststore.pem file to the Logstash machine and store it in a known location.
  3. Create a certificate for the Logstash machine using a self-signed CA or your own CA.
  4. Store the cert and private key files in a location of your choosing.

    Note: You need to specify the locations of these files in your TLS output block.

The following code snippet shows an example of a properly configured output block using TLS with verification and the NetWitness codec.

Output Block with Verification

output {
  tcp {
    id => "nw-output-tcp"
    host => "10.10.1.2" #IP or Hostname of destination Log Decoder or VLC
    port => 6514
    ssl_enable => true
    ssl_verify => true
    ssl_cacert => "/path/to/certs/nw-truststore.pem"
    ssl_key => "/path/to/certs/privkey.pem"
    ssl_cert => "/path/to/certs/cert.pem"
    codec => netwitness
  }
}
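The three output blocks above differ only in a few settings, and the difference matters: ssl_enable alone encrypts the connection but does not check who is on the other end, while ssl_verify plus ssl_cacert binds the session to the NetWitness CA chain. The following added example (not RSA's or Elastic's code; parse_tcp_settings and audit_tcp_output are names chosen here) parses a tcp output block the way the examples are written and reports which of these protections is missing.

```python
import re

# Constructed sample input: the "TLS Output Block" from this page, which
# turns TLS on but never asks Logstash to verify the Log Decoder's certificate.
SAMPLE_TLS_NO_VERIFY = """output {
  tcp {
    id => "nw-output-tcp"
    host => "10.10.1.2" #IP or Hostname of destination Log Decoder or VLC
    port => 6514
    ssl_enable => true
    codec => netwitness
  }
}"""

_SETTING = re.compile(r'^\s*(\w+)\s*=>\s*(.+?)\s*$')  # one "key => value" line

def parse_tcp_settings(config_text):
    """Return the settings of the first tcp { ... } output block as a dict.

    Quotes are stripped, true/false become bools, and a trailing '#' comment
    (like the one on the host line) is dropped before the line is parsed.
    """
    body = re.search(r'tcp\s*\{(.*?)\n\s*\}', config_text, re.S)
    if body is None:
        raise ValueError("no tcp output block found")
    settings = {}
    for line in body.group(1).splitlines():
        match = _SETTING.match(line.split('#', 1)[0])
        if match:
            key, value = match.group(1), match.group(2).strip('"')
            settings[key] = value == 'true' if value in ('true', 'false') else value
    return settings

def audit_tcp_output(settings):
    """List what a reviewer would flag in this output block."""
    findings = []
    if settings.get('codec') != 'netwitness':
        findings.append('codec: not netwitness, so the Log Decoder/VLC may not parse the events')
    if not settings.get('ssl_enable', False):
        findings.append('plaintext: events leave Logstash unencrypted (port %s)' % settings.get('port'))
        return findings
    if not settings.get('ssl_verify', False):
        findings.append('unverified: TLS is on but the Log Decoder/VLC certificate is not checked')
    elif not settings.get('ssl_cacert'):
        findings.append('ssl_verify is true but ssl_cacert (the nw-truststore.pem) is missing')
    if not (settings.get('ssl_cert') and settings.get('ssl_key')):
        findings.append('no ssl_cert/ssl_key: Logstash presents no client certificate')
    return findings

if __name__ == '__main__':
    for finding in audit_tcp_output(parse_tcp_settings(SAMPLE_TLS_NO_VERIFY)):
        print(finding)
```

Run it against each of the three blocks on this page: the first is reported as plaintext, the second as unverified, and the third (with ssl_verify, ssl_cacert, ssl_cert and ssl_key all set) produces no findings.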
