Collecting from Beats or Logstash

Configuration of TeskaLabs LogMan.io

The basic configuration snippet of the collector:

input:Lumberjack:logstash:
  output: ...

logstash is the input identifier; it can be replaced by any name that is unique within the configuration file.

address specifies the network interface and/or port that will be used for listening. The default value is '5044', which means listening on tcp/5044.

The optional smart attribute specifies a smart map when the input is connected to output:CommLink.

Tip

The protocol used for this extraction is called Lumberjack and by default runs on tcp/5044 with optional SSL. Log source classes input:Lumberjack:, input:Logstash: and input:Beats: are actually synonyms.
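The Lumberjack v2 framing the collector listens for on tcp/5044, as an added example that is not part of the LogMan.io documentation or code base: a Beats-style sender packs a batch into a window frame plus a zlib-compressed frame of JSON frames, and the receiver parses it and acknowledges the highest sequence number. The event content is constructed sample data.

```python
import json
import struct
import zlib

VERSION = b"2"  # Lumberjack protocol version 2, as spoken by Beats

# Constructed sample events in the shape a winlogbeat shipper would send.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-01T00:00:00.000Z", "winlog": {"channel": "Security", "event_id": 4624},
     "message": "An account was successfully logged on."},
    {"@timestamp": "2024-01-01T00:00:01.000Z", "winlog": {"channel": "System", "event_id": 7036},
     "message": "The Windows Update service entered the running state."},
]

def encode_batch(events):
    """Frame events the way a Beats sender does: a 'W' window-size frame, then a 'C'
    frame whose zlib payload holds one 'J' (JSON) frame per event, sequence numbers 1..n."""
    inner = b"".join(
        VERSION + b"J" + struct.pack(">II", seq, len(body)) + body
        for seq, body in enumerate(
            (json.dumps(ev, separators=(",", ":")).encode() for ev in events), start=1)
    )
    compressed = zlib.compress(inner)
    window = VERSION + b"W" + struct.pack(">I", len(events))
    return window + VERSION + b"C" + struct.pack(">I", len(compressed)) + compressed

def decode_batch(data):
    """Parse one batch as the collector would. Returns (events, ack_frame): the decoded
    events in order, and the 'A' frame acknowledging the highest sequence number seen
    (None if the batch carried no data frames)."""
    events, last_seq, pos = [], None, 0
    while pos < len(data):
        ver, ftype = data[pos:pos + 1], data[pos + 1:pos + 2]
        pos += 2
        if ver != VERSION:
            raise ValueError("unsupported Lumberjack version %r" % ver)
        if ftype == b"W":  # window size: number of events the sender expects one ack for
            pos += 4
        elif ftype == b"C":  # compressed container: parse the decompressed inner frames
            (n,) = struct.unpack_from(">I", data, pos); pos += 4
            inner_events, inner_ack = decode_batch(zlib.decompress(data[pos:pos + n])); pos += n
            events.extend(inner_events)
            if inner_ack is not None:
                (last_seq,) = struct.unpack(">I", inner_ack[2:])
        elif ftype == b"J":  # JSON data frame: uint32 seq, uint32 length, JSON payload
            seq, n = struct.unpack_from(">II", data, pos); pos += 8
            events.append(json.loads(data[pos:pos + n])); pos += n
            last_seq = seq
        else:
            raise ValueError("unknown frame type %r" % ftype)
    ack = None if last_seq is None else VERSION + b"A" + struct.pack(">I", last_seq)
    return events, ack
```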

SSL configuration

The incoming SSL is detected automatically.

The following configuration options specify the SSL connection:

  • cert: Path to the client SSL certificate
  • key: Path to the private key of the client SSL certificate
  • password: Private key file password (optional, default: none)
  • cafile: Path to a PEM file with CA certificate(s) to verify the SSL server (optional, default: none)
  • capath: Path to a directory with CA certificate(s) to verify the SSL server (optional, default: none)
  • cadata: one or more PEM-encoded CA certificates to verify the SSL server (optional, default: none)
  • ciphers: SSL ciphers (optional, default: none)
  • dh_params: Diffie–Hellman (D-H) key exchange (TLS) parameters (optional, default: none)
  • verify_mode: One of CERT_NONE, CERT_OPTIONAL or CERT_REQUIRED (optional); for more information, see: github.com/TeskaLabs/asab

Configuration of Beats

This log source can be used to collect logs using the Beats family of tools. Beats are lightweight data shippers from Elastic.

Supported Beats:

Configuration snippet:

output.logstash:
  hosts: ["<collector>:5044"]

Example of winlogbeat configuration

winlogbeat.yaml:

output.logstash:
  hosts: ["<collector>:5044"]

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security

  - name: Microsoft-Windows-Sysmon/Operational

  - name: Microsoft-Windows-Windows Defender/Operational

  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

  - name: ForwardedEvents
    tags: [forwarded]

logging.to_files: true
logging.files:
  rotateeverybytes: 10485760 # = 10MB
  keepfiles: 7

Example of filebeat configuration

filebeat.yaml:

output.logstash:
  hosts: ["<collector>:5044"]

filebeat.inputs:
  - type: filestream
    fields:
      stream: <stream name>
    paths:
      - /path/to/the/file.log