Beats' output, logstash or elasticsearch

Hi there,

What is the best or recommended way to collect "auth" data with Beats: sending it directly to Elasticsearch, or via Logstash?
For now the beats are configured to use "output.logstash" and the "system" module is enabled.

So I can find the "authentication failure" with a non-parsed message in Kibana's "Discover":

agent.type 	filebeat
agent.version 	7.0.1
ecs.version 	1.0.0
event.dataset 	system.auth
event.module 	system
fileset.name 	auth
suricata.eve.timestamp ... <--- BTW WTF?

Also "Syslog" section of "[Filebeat System] SSH login attempts ECS" dashboard contains data, but "Sudo commands" and "SSH logins" are pretty empty.

Could you help with these findings?

Whether or not to use Logstash depends mostly on your use case. If you want to do some advanced parsing or transformation, I recommend using Logstash.
If these transformations are simple enough for Beats to handle, you can output to ES directly.

Thanks, I understand the concept, but it seems that there are some issues with the embedded Kibana dashboards after "logstashing" the beats' outputs.

Okay, Kibana's default Visualize uses "event.action" to count SSH login attempts, but in my case it should be "system.auth.ssh.event".
For some reason I cannot modify the default Visualize templates.
I suppose it's okay to close this topic.
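An added example, not from this thread or from Elastic: the cause of non-parsed messages in this setup is that the Filebeat system module does its parsing in an Elasticsearch ingest pipeline, which Logstash bypasses unless told otherwise. The Logstash pipeline below keeps that parsing by passing the pipeline name Filebeat sends in `@metadata` to the Elasticsearch output; the beats port, the Elasticsearch host and the credentials are assumed values.

```conf
# Assumed example Logstash pipeline (logstash.conf); hosts/ports/credentials are placeholders.
input {
  beats {
    port => 5044          # assumed: the port filebeat's output.logstash points at
  }
}

output {
  # Filebeat modules set [@metadata][pipeline] to the ingest pipeline that
  # parses the event (e.g. the system module's auth pipeline). Hand it on so
  # Elasticsearch parses the message and fills ECS fields like event.action,
  # which the "[Filebeat System] SSH login attempts ECS" dashboard relies on.
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => ["https://elasticsearch.example.internal:9200"]   # assumed
      user => "logstash_writer"                                   # assumed
      password => "${LOGSTASH_WRITER_PASSWORD}"                   # assumed, from keystore
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      pipeline => "%{[@metadata][pipeline]}"
    }
  } else {
    # Events from inputs without a module pipeline are indexed unchanged.
    elasticsearch {
      hosts => ["https://elasticsearch.example.internal:9200"]   # assumed
      user => "logstash_writer"                                   # assumed
      password => "${LOGSTASH_WRITER_PASSWORD}"                   # assumed, from keystore
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  }
}
```

The referenced ingest pipelines have to exist in Elasticsearch first; they are loaded from the Filebeat host with `filebeat setup --pipelines --modules system` while Filebeat can reach Elasticsearch directly (temporarily enable `output.elasticsearch` for that run), after which events through Logstash are parsed the same way as with direct output.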
