{"id":1961,"date":"2021-09-07T08:29:05","date_gmt":"2021-09-07T06:29:05","guid":{"rendered":"http:\/\/clark.tipistrani.it\/?p=1961"},"modified":"2021-09-07T08:29:05","modified_gmt":"2021-09-07T06:29:05","slug":"filebeat-per-host-remoto","status":"publish","type":"post","link":"http:\/\/clark.tipistrani.it\/?p=1961","title":{"rendered":"Filebeat for remote hosts"},"content":{"rendered":"<p>The agent on the remote hosts is filebeat, so the following procedure must also be carried out on each of them:<br \/>\nroot@sangiorgio:\/home\/guardian# wget -qO - https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch | apt-key add -<br \/>\nOK<br \/>\nroot@sangiorgio:\/home\/guardian# apt install apt-transport-https<br \/>\nroot@sangiorgio:\/home\/guardian# echo &quot;deb https:\/\/artifacts.elastic.co\/packages\/7.x\/apt stable main&quot; | tee \/etc\/apt\/sources.list.d\/elastic-7.x.list<br \/>\ndeb https:\/\/artifacts.elastic.co\/packages\/7.x\/apt stable main<br \/>\nroot@sangiorgio:\/home\/guardian# apt install filebeat<br \/>\nroot@sangiorgio:\/home\/guardian# update-rc.d filebeat defaults<\/p>\n<p>The file \/etc\/filebeat\/filebeat.yml must be modified as follows:<br \/>\n# ============================== Filebeat inputs ===============================<br \/>\n&#8230;<br \/>\n&#8230;<br \/>\n&#8230;<\/p>\n<p># filestream is an input for collecting log messages from files. It is going to replace log input in the future.<br \/>\n- type: filestream<\/p>\n<p># Change to true to enable this input configuration.<br \/>\nenabled: true<\/p>\n<p># Paths that should be crawled and fetched. Glob based paths.<br \/>\npaths:<br \/>\n# - \/var\/log\/*.log<br \/>\n- \/var\/log\/syslog<br \/>\n- \/var\/log\/nftables.log<br \/>\n- \/var\/log\/suricata\/eve.json<br \/>\n#- c:\\programdata\\elasticsearch\\logs\\*<br \/>\n# =================================== Kibana ===================================<br \/>\n&#8230;<br \/>\n&#8230;<\/p>\n<p>setup.kibana:<\/p>\n<p># Kibana Host<br \/>\n# Scheme and port can be left out and will be set to the default (http and 5601)<br \/>\n# In case you specify an additional path, the scheme is required: http:\/\/localhost:5601\/path<br \/>\n# IPv6 addresses should always be defined as: https:\/\/[2001:db8::1]:5601<br \/>\nhost: &quot;IP_di_ardito:5601&quot;<\/p>\n<p># ---------------------------- Elasticsearch Output ----------------------------<br \/>\n#output.elasticsearch:<br \/>\n# Array of hosts to connect to.<br \/>\n# hosts: [&quot;localhost:9200&quot;]<\/p>\n<p># ------------------------------ Logstash Output -------------------------------<br \/>\noutput.logstash:<br \/>\n# The Logstash hosts<br \/>\nhosts: [&quot;IP_di_ardito:5044&quot;]<\/p>\n<p>After that, filebeat modules enable suricata system, which returns:<br \/>\nEnabled system<br \/>\nEnabled suricata<br \/>\n\/etc\/init.d\/filebeat start<br \/>\nA quick check with filebeat test config returns:<br \/>\nConfig OK<br \/>\nand filebeat test output returns:<br \/>\nlogstash: IP_di_ardito:5044&#8230;<br \/>\nconnection&#8230;<br \/>\nparse host&#8230; OK<br \/>\ndns lookup&#8230; OK<br \/>\naddresses: IP_di _ardito<br \/>\ndial up&#8230; OK<br \/>\nTLS&#8230; WARN secure connection disabled<br \/>\ntalk to server&#8230; OK<\/p>\n<p>Note the TLS line in that output: the connection to Logstash on port 5044 is not encrypted, so the shipped syslog, nftables and Suricata logs travel in clear text between the hosts.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The agent on the remote hosts is filebeat, so the following procedure must also be carried out on each of them: root@sangiorgio:\/home\/guardian# wget -qO - https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch | apt-key add - OK root@sangiorgio:\/home\/guardian# apt install apt-transport-https root@sangiorgio:\/home\/guardian# echo &quot;deb https:\/\/artifacts.elastic.co\/packages\/7.x\/apt stable main&quot; | tee \/etc\/apt\/sources.list.d\/elastic-7.x.list deb https:\/\/artifacts.elastic.co\/packages\/7.x\/apt stable main root@sangiorgio:\/home\/guardian# apt install filebeat root@sangiorgio:\/home\/guardian# update-rc.d filebeat defaults The file \/etc\/filebeat\/filebeat.yml must be [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,14,204],"tags":[136,213,214,55],"class_list":["post-1961","post","type-post","status-publish","format-standard","hentry","category-linux","category-networking","category-web-application","tag-devuan","tag-elk","tag-logging","tag-monitoring"],"_links":{"self":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1961","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1961"}],"version-history":[{"count":2,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1961\/revisions"}],"predecessor-version":[{"id":1963,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1961\/revisions\/1963"}],"wp:attachment":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1961"
}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1961"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1961"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}