Send audit logs to Logstash with Filebeat from Centos/RHEL

Install Filebeat

Add the Elastic repositories: https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html

Install:

    sudo yum install filebeat
    sudo systemctl enable filebeat

Configure Filebeat (keep a copy of the default config first):

    sudo cp -av /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.default
    sudo vim /etc/filebeat/filebeat.yml

    filebeat.inputs:
    filebeat.config.modules:
      path: ${path.config}/modules.d/*.yml
      reload.enabled: false
    output.logstash:
      hosts: ["LOGSTASHIP:5044"]
    processors:
      - add_host_metadata: ~
      - add_cloud_metadata: ~
    logging.to_syslog: false
    logging.to_files: true
    logging.files:
      path: "/var/log/filebeat"
      name: "filebeat.log"
      keepfiles: 7

    sudo filebeat modules enable …

Suricata logs to Logstash with Filebeat on pfSense 2.4

I'm using EVE JSON output.

Enable EVE from Service - Suricata - Edit interface mapping - EVE Output Settings:

    EVE JSON Log: [x]
    EVE Output Type: File

Install the Filebeat FreeBSD package

Browse https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/ and find beats-x.x.x.txz, then:

    curl -o beats-x.x.x.txz https://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/beats-x.x.x.txz
    pkg add beats-x.x.x.txz

Download the modules

From https://www.elastic.co/downloads/past-releases download the same version of Filebeat (Linux 64-bit):

    curl -o filebeat-x.x.x-linux-x86_64.tar.gz https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-x.x.x-linux-x86_64.tar.gz
    curl -o filebeat-x.x.x-linux-x86_64.tar.gz.sha512 …