Beats
Logmanager supports receiving logs from Beats services. Logmanager runs the Logstash service, which accepts only encrypted connections using the TLS 1.3 protocol.
Logmanager automatically takes the following actions for each event received from Beats:
- Adds the real meta.src.ip taken from the received packet
- Automatically decodes the received JSON message and puts it into the message["structured_data"] parser variable.
- Vendor classification and parsing if the data comes from a known Beats source (winlogbeat).
You can use the message["structured_data"] system variable in all parts of message processing (classifiers, parsers, alerts). For every message received through the Beats plugin, this variable contains the decoded JSON message from Beats in raw form. You can also use the testing windows to verify that you have configured everything correctly.
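As an added illustration (not Logmanager's own code), the following Python script models the per-event handling described above on two constructed Beats events: it records meta.src.ip from the connection, decodes the JSON into message["structured_data"], applies the 64 000 byte limit and the truncated marker that the filebeat section below describes, and classifies a winlogbeat source by the @metadata.beat field Beats sends to its Logstash output. The vendor label, the choice of the message field as the truncated field and the exact truncation behaviour are assumptions made for this example.

```python
import ipaddress
import json

# Constructed sample events (not captured from a real Logmanager), shaped like
# what winlogbeat and filebeat send to the Logstash output.
WINLOGBEAT_EVENT = json.dumps({
    "@timestamp": "2024-01-01T10:00:00.000Z",
    "@metadata": {"beat": "winlogbeat", "type": "_doc", "version": "7.17.0"},
    "host": {"name": "WS01"},
    "winlog": {"channel": "Security", "event_id": 4624},
    "message": "An account was successfully logged on.",
})
FILEBEAT_EVENT = json.dumps({
    "@timestamp": "2024-01-01T10:00:01.000Z",
    "@metadata": {"beat": "filebeat", "type": "_doc", "version": "7.17.0"},
    "tags": ["example"],
    "log": {"file": {"path": "c:\\example\\example.log"}},
    "message": "x" * 70000,   # deliberately above the 64 000 byte limit
})

MAX_BYTES = 64000                                  # limit quoted on this page
KNOWN_VENDORS = {"winlogbeat": "microsoft-windows"}  # assumed vendor label


def ingest_beats_event(raw_json, src_ip, max_bytes=MAX_BYTES):
    """Return the parser variables derived from one received Beats event."""
    # meta.src.ip comes from the TCP connection, not from the JSON body,
    # so a sender cannot spoof it by putting another address in the event.
    message = {"meta": {"src": {"ip": str(ipaddress.ip_address(src_ip))}}}
    event = json.loads(raw_json)

    # Size limit: oversized message bodies are cut and flagged as truncated
    # (assumed model of the behaviour described for Beats file messages).
    encoded = event.get("message", "").encode("utf-8")
    message["truncated"] = len(encoded) > max_bytes
    if message["truncated"]:
        event["message"] = encoded[:max_bytes].decode("utf-8", errors="ignore")

    # The decoded JSON is exposed in raw form as message["structured_data"].
    message["structured_data"] = event

    # Vendor classification only for known Beats sources (winlogbeat here).
    beat = event.get("@metadata", {}).get("beat")
    message["vendor"] = KNOWN_VENDORS.get(beat)
    return message
```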
- Download the latest winlogbeat MSI installer (open source, Apache license) from this address: https://www.elastic.co/downloads/beats/winlogbeat-oss
- Install the downloaded MSI.
- Create a minimal configuration file "c:\ProgramData\Elastic\Beats\winlogbeat\winlogbeat.yml" with the following content:
###################### Winlogbeat Configuration Example ########################
#======================= Winlogbeat specific options ===========================
winlogbeat.event_logs:
  - name: Application
    ignore_older: 15m
  - name: Setup
    ignore_older: 15m
  - name: System
    ignore_older: 15m
  - name: Security
    ignore_older: 15m

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  hosts: ["example.com:5044"]
  pipelining: 4
  ssl.enabled: true
  ssl.verification_mode: none
This example config file contains only the minimal configuration needed to send basic Windows logs to the LM server. Note that ssl.verification_mode: none disables verification of the Logmanager server certificate: the connection is still encrypted, but the client does not check which server it is talking to.
- Run the service manager and manually start the "Elasticsearch Winlogbeat" service (after a reboot, the service will start automatically).
More configuration options can be found here: https://www.elastic.co/guide/en/beats/winlogbeat/current/configuring-howto-winlogbeat.html
The YML file requires spaces in the correct places, so please copy carefully!
- Download the latest winlogbeat MSI installer (open source, Apache license) from this address: https://www.elastic.co/downloads/beats/winlogbeat-oss
- Install the downloaded MSI.
- Run the PowerShell script winlogbeat_monitor-all-channels.ps1 as administrator.
- Run the service manager and manually start the "Elasticsearch Winlogbeat" service (after a reboot, the service will start automatically).
- Download the latest filebeat MSI installer (open source, Apache license) from this address: https://www.elastic.co/downloads/beats/filebeat-oss
- Install the downloaded MSI.
- Create a minimal configuration file "c:\ProgramData\Elastic\Beats\filebeat\filebeat.yml" with the following content:
###################### Filebeat configuration example ########################
filebeat.inputs:
  - type: log
    paths:
      - c:\example\example.log
    tags: ["example"]
    tail_files: true
    max_bytes: 64000
    # You can use Beats tags to make classification in Logmanager easier,
    # based on a custom tag per file.

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  hosts: ["example.com:5044"]
  pipelining: 4
  ssl.enabled: true
  ssl.verification_mode: none
The attributes max_bytes and tail_files are very important for proper functionality. Without them, Logmanager truncates every incoming Beats file message that exceeds the size limit of 64 000 bytes, and every truncated message is automatically marked as truncated. The internal system is not designed to collect messages that exceed this limit. A value lower than 64 000 bytes is also recommended, to avoid an unnecessary increase in the amount of data stored on the Logmanager side.
- Run the service manager and manually start the "Elasticsearch Filebeat" service (after a reboot, the service will start automatically).
The YML file requires spaces in the correct places, so please copy carefully!