Hello,
I'm new to the Elastic community. I'd like to collect logs from a Check Point firewall with Logstash.
I use Elasticsearch, Kibana and Logstash. The infrastructure is running, and communication is working between Elasticsearch, Kibana and Logstash. I created a self-signed certificate authority with the Elasticsearch certutil tool, and created a Logstash certificate signed by this CA.
First, I tried to send logs from my firewall to Logstash via UDP. It works as expected, and by that I mean that logs are sent in real time by the firewall and received in real time by Logstash.
But UDP is not secure enough, so I want to use TCP over TLS. For the Logstash configuration, I only put a TCP input and rubydebug for the output (the configuration is at the end of the message).
To run the config and see the debug output, I use the following command:
  /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tcp.conf
The debug mode starts with no error and it listens on the port, but there is no log in the console. After a few minutes I stop it, because nothing is happening, and when I send the shutdown signal with Ctrl+C, all the logs come in, concentrated in only one message instead of one message per line.
During the test, I captured the traffic with Wireshark. I can see packets regularly sent by the firewall to the Logstash server. So, it doesn't seem to be a firewall problem.
I did two other tests. I start like the first one, with Logstash in debug mode:
- From the firewall, I run the following openssl command:
  openssl s_client -connect 192.168.0.1:55555 -showcerts
It opens a connection between the firewall and the Logstash server, and when I send a message, I can immediately see it in the Logstash console.
- On another server, I installed a second instance of Logstash (the configuration is at the end of the message). It has a client role: it takes lines from a file and sends them to the Logstash server. Lines are received one by one, as expected.
I can't figure out if the problem comes from the Logstash configuration or from the firewall. I have no error from Logstash.
Could someone help me, please?
Here are some specifications about the configurations:
FW model: Check Point Spark Quantum 1570
Elasticsearch, Kibana and Logstash version: 8.15.0
Firewall configuration, where:
- name is the name of my firewall configuration
- host name is the domain name of the Logstash server; I checked that the firewall can reach it
- port is the port where the Logstash server is listening
- CA is the one used to sign the Logstash certificate, so the firewall can trust it.
Logstash configuration to receive firewall logs:
- I force TLSv1.2 because the firewall doesn't support TLSv1.3
- codec: I also tried "plain", but the behavior is the same.
  input {
    tcp {
      port => 55555
      mode => "server"
      codec => line
      ssl_enabled => true
      ssl_certificate => "/path/to/logstash.crt"
      ssl_key => "/path/to/logstash.key"
      ssl_certificate_authorities => ["/path/to/ca.crt"]
      ssl_client_authentication => "none"
      ssl_supported_protocols => "TLSv1.2"
    }
  }
  output {
    stdout {
      codec => rubydebug
    }
  }
Logstash configuration to send data:
  input {
    file {
      path => "/path/to/test.txt"
      start_position => "beginning"
      sincedb_path => "/dev/null"
    }
  }
  output {
    stdout {
      codec => rubydebug
    }
    tcp {
      host => "192.168.0.1"
      port => 55555
      mode => "client"
      ssl_enabled => true
      ssl_certificate_authorities => ["/path/to/ca.crt"]
      ssl_supported_protocols => "TLSv1.2"
    }
  }
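As an added illustration (not part of the post above, and not Logstash's own code), the Python snippet below models what a newline-delimited codec does with a TCP stream: only delimiter-terminated lines are emitted as they arrive, and an unterminated tail stays buffered until the peer closes the connection, at which point it surfaces as a single event. It also includes a small TLS 1.2 client that sends newline-terminated test lines while verifying the server certificate against a CA; the host 192.168.0.1, port 55555, CA path and server hostname are assumptions taken from or added to the post.

```python
import socket
import ssl


def split_lines(buffered, chunk, delimiter=b"\n"):
    """Model of a line-delimited codec (such as the Logstash "line" codec).

    Returns (complete_lines, remaining_tail). Only delimiter-terminated
    lines are emitted; an unterminated tail stays buffered, so a sender
    that never writes the delimiter produces no events while connected.
    """
    data = buffered + chunk
    *complete, tail = data.split(delimiter)
    return complete, tail


def flush_on_close(tail):
    """At EOF the buffered tail is emitted as one single event, which is
    why unterminated records can show up only when the connection ends."""
    return [tail] if tail else []


def send_test_lines(host, port, ca_file, lines, server_hostname=None):
    """Hypothetical test helper: send newline-terminated lines over TLS 1.2
    to a TCP input, verifying the server certificate against ca_file.
    Returns the number of lines sent."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname or host) as tls:
            for line in lines:
                # Normalise the terminator so every record ends with exactly one "\n".
                tls.sendall(line.rstrip(b"\r\n") + b"\n")
    return len(lines)


if __name__ == "__main__":
    # Constructed sample: two terminated records, then one without a newline.
    got, tail = split_lines(b"", b"rec1\nrec2\nrec3")
    print(got, tail)             # [b'rec1', b'rec2'] b'rec3'
    print(flush_on_close(tail))  # [b'rec3']
    # Against a live input (assumed values, uncomment to use):
    # send_test_lines("192.168.0.1", 55555, "/path/to/ca.crt",
    #                 [b"test line 1", b"test line 2"],
    #                 server_hostname="logstash.example.local")
```

Comparing the byte stream captured with Wireshark (or a plaintext UDP capture) against the delimiter this model expects shows whether the sender terminates each record.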