Clark's Home page

Assorted technical notes from a Linux sysadmin, plus a bit of his life

Filebeat for a remote host

The agent on the remote hosts is Filebeat, so the same procedure has to be run on each of them as well. Keep in mind that apt-key add puts the Elastic key into the global APT keyring, where it can sign any repository, and apt-key is deprecated on current Debian/Ubuntu releases: on a newer system store the dearmored key under /usr/share/keyrings and reference it with signed-by= in the .list entry instead.
root@sangiorgio:/home/guardian# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
OK
root@sangiorgio:/home/guardian# apt install apt-transport-https
root@sangiorgio:/home/guardian# echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | tee /etc/apt/sources.list.d/elastic-7.x.list
deb https://artifacts.elastic.co/packages/7.x/apt stable main
root@sangiorgio:/home/guardian# apt install filebeat
root@sangiorgio:/home/guardian# update-rc.d filebeat defaults

The file /etc/filebeat/filebeat.yml is edited as follows (IP_di_ardito is the address of the ELK host, "ardito"; indentation matters in YAML, so the inputs and outputs must be nested exactly as shown):
# ============================== Filebeat inputs ===============================

filebeat.inputs:

# filestream is an input for collecting log messages from files. It is going to replace log input in the future.
- type: filestream

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    #- /var/log/*.log
    - /var/log/syslog
    - /var/log/nftables.log
    - /var/log/suricata/eve.json
    #- c:\programdata\elasticsearch\logs\*

# =================================== Kibana ===================================

setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "IP_di_ardito:5601"

# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["IP_di_ardito:5044"]

Then enable the two modules with filebeat modules enable suricata system, which answers:
Enabled system
Enabled suricata
Note that each module brings its own input (system reads /var/log/syslog by default, suricata reads /var/log/suricata/eve.json), so with those same files also listed under the filestream input every line is harvested twice and reaches Logstash both raw and module-parsed; drop them from the filestream paths if only the parsed copy is wanted.
Start the service:
/etc/init.d/filebeat start
A quick check with filebeat test config returns:
Config OK
and filebeat test output returns:
logstash: IP_di_ardito:5044...
  connection...
    parse host... OK
    dns lookup... OK
    addresses: IP_di_ardito
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
The TLS line is worth acting on: with this configuration every syslog, nftables and Suricata event crosses the network to port 5044 in clear text, and Filebeat has no way of knowing whether the listener it reached is really ardito.
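The following is an added example, not part of the original post, showing the same output.logstash section with mutual TLS enabled so that the WARN above goes away. The certificate paths under /etc/filebeat/certs and the file names are assumptions; the certificates would be issued by whatever CA is used for the ELK hosts.

```yaml
# Added example: output.logstash with TLS, replacing the plaintext block.
# The paths under /etc/filebeat/certs are assumed for this example.
output.logstash:
  hosts: ["IP_di_ardito:5044"]
  # CA that signed the Logstash server certificate; anything that does
  # not chain to it is rejected, so a rogue listener on 5044 gets nothing.
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
  # Client certificate and key for this host, so Logstash can in turn
  # refuse beats that do not present a certificate from the same CA.
  ssl.certificate: "/etc/filebeat/certs/sangiorgio.crt"
  ssl.key: "/etc/filebeat/certs/sangiorgio.key"
  # "full" is the default (chain and hostname are both checked); it is
  # set explicitly so a mismatch is not "fixed" later by switching to none.
  ssl.verification_mode: full
```

Because hosts: is given as an IP address, the Logstash server certificate must carry that IP as a subjectAltName, otherwise verification_mode: full fails the handshake. On the Logstash side the matching beats input needs ssl => true with ssl_certificate, ssl_key and ssl_certificate_authorities, plus ssl_verify_mode => "force_peer" to make the client certificate mandatory. After the change, filebeat test output should no longer print the WARN on the TLS line.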

 


Categorised as: Linux | Networking | Web application
