Beats

Logmanager support log receive from beats services. Logmanager runs logstash service, this service supports only encrypted connections using TLS 1.3 protocol.

Logmanager automatically do following actions for each received event from beats:

1. Adding real meta.src.ip from received packet
2. Automaticaly decodes received JSON message and put it into message[“structured_data”] parser variable.
3. Vendor classification and parsing if data comes from known beats source (winlobeat).

You can use message[“structured_data”] system variable in all parts of message processing (classifiers, parsers, alerts). This variable automatically contains decoded JSON message from beats in raw form for all messages received using beat plugin. You can also use testing windows to verify you have configured everything correctly.

1. Download latest MSI winlogbeat installation under open source Apache license from this address: https://www.elastic.co/downloads/beats/winlogbeat-oss
2. Install downloaded MSI.
3. Create minimal configuration file: „c:\ProgramData\Elastic\Beats\winlogbeat\winlogbeat.yml“ with folowing content

###################### Winlogbeat Configuration Example ########################
#======================= Winlogbeat specific options ===========================
winlogbeat.event_logs:
- name: Application
    ignore_older: 15m
- name: Setup
    ignore_older: 15m
- name: System
    ignore_older: 15m
- name: Security
    ignore_older: 15m
# ------------------------------ Logstash Output -------------------------------
output.logstash:
hosts: ["example.com:5044"]
pipelining: 4
ssl.enabled: true
ssl.verification_mode: none

4. Run service manager and manualy start “Elasticsearch Winlogbeat” service (after reboot service will start automatically).

More configurations options can be found here: https://www.elastic.co/guide/en/beats/winlogbeat/current/configuring-howto-winlogbeat.html

YML file requires spaces at correct places, so please copy carefully!

This example config file contains only minimal configuration to send basic windows logs to LM server.

1. Download latest MSI winlogbeat installation under open source Apache license from this address: https://www.elastic.co/downloads/beats/winlogbeat-oss
2. Install downloaded MSI.
3. Run powershell script winlogbeat_monitor-all-channels.ps1 as administrator.

1. Download latest MSI winlogbeat installation under open source Apache license from this address: https://www.elastic.co/downloads/beats/filebeat-oss
2. Install downloaded MSI.
3. Create minimal configuration file: „c:\ProgramData\Elastic\Beats\filelogbeat\winlogbeat.yml“ with folowing content

###################### Filebeat configuration example ########################
filebeat.inputs:
- type: log
    paths:
    - c:\example\example.log
    tags: ["example"]
    tail_files: true
    max_bytes: 64000

#you can use beats tags, to create easier classification based on file custom tag in Logmanager.
# ------------------------------ Logstash Output -------------------------------
output.logstash:
    hosts: ["example.com:5044"]
    pipelining: 4
    ssl.enabled: true
    ssl.verification_mode: none

The atributes max_bytes and tail_files are very important for proper functionality. Without them, the Logmanager trunk all incoming Beats file messages that exceed size limit of 64 000 bytes. Every truncated message will be automatically marked as truncated. The internal system is not designed to collect messages that exceed these limits.

It is also recommended to use a lower value than 64 000 bytes to avoid unnecessary increase in the amount of data stored on the Logmanager side.

4. Run service manager and manualy start “Elasticsearch filebeat” service (after reboot service will start automatically)

YML file requires spaces at correct places, so please copy carefully!