Collecting from Beats or Logstash
Supported Beats
TeskaLabs LogMan.io supports collecting logs from a wide range of Elastic Beats, which are lightweight data shippers for various log sources and platforms. The most commonly used Beats include:
- Winlogbeat: Collects Windows Event Logs, including the Application, System, Security, and many other channels. Useful for monitoring Windows servers and workstations.
- Filebeat: Collects and ships logs from files. Common use cases include:
  - Microsoft DHCP: Collects DHCP server logs from Windows servers.
  - Microsoft DNS: Collects DNS debug logs from Windows DNS servers.
  - Microsoft IIS: Collects web server logs from Microsoft IIS.
  - Custom application logs: Collects logs from any application or service that writes to a file.
- Auditbeat: Collects audit logs from Linux systems, such as file integrity monitoring and user activity.
- Other Beats: Any other community or official Beats (e.g., Metricbeat, Packetbeat) can also be integrated.
Beats send their data to the LogMan.io Collector using the Lumberjack protocol (the same protocol used by Logstash). This allows for secure and reliable log shipping from a variety of sources and platforms.
Configuration of TeskaLabs LogMan.io
The basic configuration snippet of the collector:
input:Lumberjack:logstash:
  output: ...
- logstash is an input identifier and can be replaced by anything unique within the configuration file.
- address specifies a network interface and/or a port that will be used for listening. The default value is '5044', to listen on tcp/5044.
- The optional smart attribute can be used to specify a smart map when connected to the output:CommLink.
Tip: The protocol used for this extraction is called Lumberjack and by default runs on tcp/5044 with optional SSL. The log source classes input:Lumberjack:, input:Logstash: and input:Beats: are actually synonyms.
SSL configuration
The incoming SSL is detected automatically.
The following configuration options specify the SSL connection:
- cert: Path to the client SSL certificate
- key: Path to the private key of the client SSL certificate
- password: Private key file password (optional, default: none)
- cafile: Path to a PEM file with CA certificate(s) to verify the SSL server (optional, default: none)
- capath: Path to a directory with CA certificate(s) to verify the SSL server (optional, default: none)
- cadata: One or more PEM-encoded CA certificates to verify the SSL server (optional, default: none)
- ciphers: SSL ciphers (optional, default: none)
- dh_params: Diffie-Hellman (D-H) key exchange (TLS) parameters (optional, default: none)
- verify_mode: One of CERT_NONE, CERT_OPTIONAL or CERT_REQUIRED (optional); for more information, see: github.com/TeskaLabs/asab
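As an added example (not taken from the LogMan.io documentation), the following shows a collector input that accepts only TLS connections from Beats presenting a client certificate, next to the matching Beats output section; the file paths, the input name and the placement of the SSL keys directly under the input section are assumptions.

```yaml
# Collector side (LogMan.io Collector configuration).
# Assumption: the SSL options listed above sit directly under the input
# section. All paths are placeholders.
input:Lumberjack:beats-tls:
  address: 5044                          # the default, tcp/5044
  # Certificate and key presented to connecting Beats
  cert: /etc/logman/collector.crt
  key: /etc/logman/collector.key
  # CA that issued the client certificates of the Beats
  cafile: /etc/logman/beats-ca.pem
  # CERT_REQUIRED rejects any shipper that does not present a valid
  # client certificate; CERT_NONE would accept anonymous shippers.
  verify_mode: CERT_REQUIRED
  output: <output name>                  # name of the output section this input feeds

---
# Beats side (winlogbeat.yml / filebeat.yml). The output.logstash.ssl
# keys below are standard Beats options; the paths are placeholders.
output.logstash:
  hosts: ["<collector>:5044"]
  # CA used to verify the collector's certificate
  ssl.certificate_authorities: ["C:/ProgramData/winlogbeat/collector-ca.pem"]
  # This Beat's client certificate and key (mutual TLS)
  ssl.certificate: "C:/ProgramData/winlogbeat/beat.crt"
  ssl.key: "C:/ProgramData/winlogbeat/beat.key"
  # "full" also checks that the collector hostname matches its certificate
  ssl.verification_mode: full
```

A Beat without a client certificate is then refused at the TLS handshake, which shows up in the Beat's own log rather than as a silent gap in the collected data.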
Example Configuration of Beats
This log source can be used to collect logs using the Beats family of tools. Beats are lightweight data shippers from Elastic.
Configuration snippet:
output.logstash:
  hosts: ["<collector>:5044"]
Winlogbeat
output.logstash:
  hosts: ["<collector>:5044"]

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
    ignore_older: 72h
  - name: Security
    ignore_older: 72h
  - name: Setup
    ignore_older: 72h
  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 72h
  - name: Microsoft-Windows-Windows Defender/Operational
    ignore_older: 72h
  - name: Microsoft-Windows-GroupPolicy/Operational
    ignore_older: 72h
  - name: Microsoft-Windows-TaskScheduler/Operational
    ignore_older: 72h
  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
    ignore_older: 72h
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
    ignore_older: 72h
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
    ignore_older: 72h
  - name: ForwardedEvents
    tags: [forwarded]

logging.to_files: true
logging.files:
  rotateeverybytes: 10485760 # = 10MB
  keepfiles: 7
Security logs
Make sure the user under which the Winlogbeat service runs has permission to access the Security log.
To do so, the user has to be a member of the Event Log Readers group.
Step-by-Step (via lusrmgr.msc)
- Open the Run dialog:
  - Press Win + R on your keyboard.
  - Type lusrmgr.msc and press Enter.
- Navigate to Groups:
  - In the left pane, click on Groups.
- Find and open the group:
  - In the right pane, double-click on Event Log Readers.
- Add a new member:
  - In the window that appears, click on the Add... button.
- Select the user or service:
  - In the Enter the object names to select field, type the name of the user or service account you want to add.
  - For a service account like Winlogbeat, you might use: NT SERVICE\Winlogbeat
  - For a regular local user, simply type the username (e.g. winlogbeat_user).
- Check and confirm:
  - Click Check Names to validate the input.
  - Click OK to confirm.
- Apply and close:
  - Click Apply and then OK to close all windows.
- Restart the Winlogbeat service:
  - Open PowerShell or Command Prompt as administrator.
  - Run: Restart-Service winlogbeat
Filebeat
output.logstash:
  hosts: ["<collector>:5044"]

filebeat.inputs:
  - type: filestream
    fields:
      stream: <stream name>
    paths:
      - /path/to/the/file.log
Tip: <stream name> is for example my-app-log. You don't need to include the tenant or any other prefix.
Microsoft DHCP
output.logstash:
  hosts: ["<collector>:5044"]

filebeat.inputs:
  # Microsoft DHCP IPv4
  - type: filestream
    id: microsoft-dhcp-ipv4
    fields:
      stream: microsoft-dhcp-filebeat-v1
    prospector.scanner.fingerprint:
      enabled: true
      offset: 1780
      length: 64
    file_identity.fingerprint: ~
    paths:
      - C:\Windows\System32\DHCP\DhcpSrvLog-*.log
    include_lines:
      - "^[0-9]+,"
  # Microsoft DHCP IPv6
  - type: filestream
    id: microsoft-dhcp-ipv6
    fields:
      stream: microsoft-dhcp-filebeat-v1
    prospector.scanner.fingerprint:
      enabled: true
      offset: 1238
      length: 64
    file_identity.fingerprint: ~
    paths:
      - C:\Windows\System32\DHCP\DhcpV6SrvLog-*.log
    include_lines:
      - "^[0-9]+,"
Microsoft DNS
output.logstash:
  hosts: ["<collector>:5044"]

filebeat.inputs:
  # Microsoft DNS Debug Log
  - type: filestream
    id: microsoft-dns
    fields:
      stream: microsoft-dns-filebeat-v1
    prospector.scanner.fingerprint:
      enabled: true
      offset: 1052
      length: 64
    file_identity.fingerprint: ~
    paths:
      - C:\Windows\System32\dns\debug.log
    include_lines:
      - "^[0-9]+[/-:][0-9]+"
Microsoft IIS
output.logstash:
  hosts: ["<collector>:5044"]

filebeat.inputs:
  # Microsoft IIS log
  - type: filestream
    id: microsoft-iis
    fields:
      stream: microsoft-iis-filebeat-v1
    prospector.scanner.fingerprint:
      enabled: true
      offset: 1052
      length: 64
    file_identity.fingerprint: ~
    paths:
      - C:\inetpub\logs\LogFiles\W3SVC*\*.log