Logstash TCP Output
In order to send the events from Logstash to NetWitness, we use the TCP output plugin: https://www.elastic.co/guide/en/logstash/current/plugins-outputs-tcp.html
The TCP output is configured with the NetWitness codec, which formats the outgoing events to be consumable by a NetWitness Log Decoder or Virtual Log Collector (VLC).
The following is an example of a properly configured output block using TCP and the NetWitness codec:
Logstash TLS Output
The output block can be further configured to allow for TLS communication between Logstash and NetWitness. An example of a properly configured output block using TLS and the NetWitness codec:
TLS with Log Decoder (or Virtual Log Collector) Verification
TLS can also be configured so that Logstash verifies the identity of the Log Decoder or Virtual Log Collector (VLC) it sends events to. To do this, the Root and Intermediate CA certificates need to be obtained from that Log Decoder or VLC and stored in a truststore for Logstash.
- On the Log Decoder (or VLC) to which you will be sending events, run the following command:
  cat /etc/pki/nw/ca/nwca-cert.pem /etc/pki/nw/ca/ssca-cert.pem > nw-truststore.pem
- Copy the nw-truststore.pem file to the Logstash machine and store it in a known location.
- Create a certificate for the Logstash machine using a self-signed CA or your own CA. Store the cert and private key files in a location of your choosing.
The following code snippet shows an example of a properly configured output block using TLS, Log Decoder verification, and the NetWitness codec.
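As an added illustration (not taken from the original page or from the NetWitness product documentation), the following output block combines the plain TCP, TLS, and Log Decoder verification cases described above into one configuration. The host name, port, file paths and the `netwitness` codec name are assumptions; the `ssl_*` settings are the TCP output plugin's own options.

```logstash
output {
  tcp {
    # Address of the Log Decoder / VLC and the port it listens on for
    # Logstash events (placeholder values, not from the original page).
    host => "logdecoder.example.internal"
    port => 6514
    mode => "client"

    # Encrypt the session to the Log Decoder.
    ssl_enable => true

    # Certificate and private key created for the Logstash machine
    # (third step above); the paths are assumptions.
    ssl_cert => "/etc/logstash/certs/logstash-cert.pem"
    ssl_key  => "/etc/logstash/certs/logstash-key.pem"

    # Truststore built from nwca-cert.pem and ssca-cert.pem on the
    # Log Decoder (first step above). With ssl_verify => true, Logstash
    # drops the session unless the Log Decoder's certificate chains to
    # one of these CAs, so events cannot be redirected to an impostor
    # collector. With ssl_verify left at its default of false the
    # traffic is encrypted but the peer is not authenticated.
    ssl_cacert => "/etc/logstash/certs/nw-truststore.pem"
    ssl_verify => true

    # Format outgoing events for a NetWitness Log Decoder / VLC
    # (codec name assumed from the page's description).
    codec => netwitness
  }
}
```

Newer releases of the TCP output plugin rename these settings (for example `ssl_enabled` and `ssl_certificate_authorities`), so check the plugin documentation for the version installed before copying the option names.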