Beats' output, logstash or elasticsearh

Elastic Stack Beats
1

Hi there,

What is the best or recommended way to collect "auth" data within Beats, directly send it to elasticsearch or via logstash?
For now beats are configured to use "output.logstash" and module "system" is enabled.

So I can find the "authentication failure" with non-parsed message at kibana's "Discover":

agent.type 	filebeat
agent.version 	7.0.1
ecs.version 	1.0.0
event.dataset 	system.auth
event.module 	system
fileset.name 	auth
suricata.eve.timestamp ... <--- BTW WTF?

Also "Syslog" section of "[Filebeat System] SSH login attempts ECS" dashboard contains data, but "Sudo commands" and "SSH logins" are pretty empty.

Could you help with findings.

2

whether or not use Logstash depends mostly on your use case. if you want to do some advanced parsing or transformation I recommend using Logstash.
If these transformations are simple enough for beat to handle it you can output to ES directly

3

Thanks, I understand the concept but seems that there is some issues with embedded kibana's dashboard after "logstashing" the beat's outputs.

4

Okay, Kibana's default Visualize uses "event.action" to count ssh login attempts but in my case it should be "system.auth.ssh.event".
For some reason I can not modify the default Visualize templates.
Suppose it's okay to close this topic.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.