Elasticsearch + Filebeat + CrowdStrike

Hi folks.

I installed the following scenario:

Elasticsearch + Kibana + Filebeat + CrowdStrike Falcon's SIEM connector + single CID. It works flawlessly; however, in the multiple-CID scenario, which involves multiple log files, the events (JSON) are not consumed by Filebeat's CrowdStrike module.

Does anyone know if it is a limitation of the module?

Here is my module configuration and console output when restarting the filebeat service:

# Module: crowdstrike
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.8/filebeat-module-crowdstrike.html

- module: crowdstrike

  falcon:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/crowdstrike/falconhoseclient/falcon*"]

Aug  4 20:00:47 hostname filebeat[12267]: 2020-08-04T20:00:47.987-0500#011INFO#011[crawler]#011beater/crawler.go:108#011Loading and starting Inputs completed. Enabled inputs: 0
Aug  4 20:00:47 hostname filebeat[12267]: 2020-08-04T20:00:47.987-0500#011INFO#011cfgfile/reload.go:164#011Config reloader started
Aug  4 20:00:47 hostname filebeat[12267]: 2020-08-04T20:00:47.990-0500#011INFO#011log/input.go:152#011Configured paths: [/var/log/crowdstrike/falconhoseclient/falcon*]
Aug  4 20:00:47 hostname filebeat[12267]: 2020-08-04T20:00:47.990-0500#011INFO#011eslegclient/connection.go:99#011elasticsearch url: http://IP:9200
Aug  4 20:00:47 hostname filebeat[12267]: 2020-08-04T20:00:47.993-0500#011INFO#011[esclientleg]#011eslegclient/connection.go:314#011Attempting to connect to Elasticsearch version 7.8.1
Aug  4 20:00:47 hostname filebeat[12267]: 2020-08-04T20:00:47.993-0500#011INFO#011cfgfile/reload.go:224#011Loading of config files completed.
Aug  4 20:00:47 hostname filebeat[12267]: 2020-08-04T20:00:47.994-0500#011INFO#011log/harvester.go:297#011Harvester started for file: /var/log/crowdstrike/falconhoseclient/falcon_1.log
Aug  4 20:00:48 hostname filebeat[12267]: 2020-08-04T20:00:48.026-0500#011INFO#011log/harvester.go:297#011Harvester started for file: /var/log/crowdstrike/falconhoseclient/falcon_2.log
Aug  4 20:00:48 hostname filebeat[12267]: 2020-08-04T20:00:48.047-0500#011INFO#011log/harvester.go:297#011Harvester started for file: /var/log/crowdstrike/falconhoseclient/falcon_3.log
Aug  4 20:00:50 hostname filebeat[12267]: 2020-08-04T20:00:50.979-0500#011INFO#011[add_cloud_metadata]#011add_cloud_metadata/add_cloud_metadata.go:89#011add_cloud_metadata: hosting provider type not detected.

Thank you,

S.
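One thing worth checking before blaming the module: whether each per-CID file actually contains JSON objects the fileset can parse, and which CIDs and event types each file carries. The script below is an added example, not code from the original post, from Elastic or from CrowdStrike. It assumes the SIEM connector writes one JSON object per event (either single-line or pretty-printed across several lines) with every event starting on a line whose first character is `{`, and that the CID and event type live in `metadata.customerIDString` and `metadata.eventType`; both assumptions should be verified against your own files. The `SAMPLE_FILES` content is constructed, and `falcon_3.log` is deliberately truncated mid-event to show how a bad file is reported.

```python
"""Sanity check for Falcon SIEM connector output files before pointing
Filebeat's crowdstrike module at them.

Added example, not part of the original post. Assumptions (verify against
your own files): the connector writes one JSON object per event, single-line
or pretty-printed, and every event starts on a line whose first character is
'{'; the CID is in metadata.customerIDString and the type in metadata.eventType.
"""
import glob
import json
import sys
from collections import Counter

# Constructed sample data standing in for three connector output files
# (one per CID). falcon_3.log is deliberately truncated mid-event.
SAMPLE_FILES = {
    "falcon_1.log": (
        '{\n'
        '  "metadata": {\n'
        '    "customerIDString": "cid-aaaa",\n'
        '    "offset": 101,\n'
        '    "eventType": "DetectionSummaryEvent"\n'
        '  },\n'
        '  "event": {"Severity": 4, "SeverityName": "High", "ComputerName": "host-a"}\n'
        '}\n'
        '{\n'
        '  "metadata": {\n'
        '    "customerIDString": "cid-aaaa",\n'
        '    "offset": 102,\n'
        '    "eventType": "UserActivityAuditEvent"\n'
        '  },\n'
        '  "event": {"OperationName": "detection_update", "UserId": "analyst@example.com"}\n'
        '}\n'
    ),
    "falcon_2.log": (
        '{"metadata": {"customerIDString": "cid-bbbb", "offset": 7, '
        '"eventType": "DetectionSummaryEvent"}, '
        '"event": {"Severity": 2, "SeverityName": "Low", "ComputerName": "host-b"}}\n'
    ),
    "falcon_3.log": (
        '{\n'
        '  "metadata": {"customerIDString": "cid-cccc", "offset": 3, "eventType": "DetectionSummaryEvent"},\n'
        '  "event": {"Severity": 5\n'
    ),
}


def split_events(text):
    """Split connector output into raw event chunks.

    A new event starts at every line beginning with '{'; blank lines are
    ignored. This is the same boundary a multiline input would need when
    events are pretty-printed instead of one per line.
    """
    events, buf = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("{") and buf:
            events.append("\n".join(buf))
            buf = []
        buf.append(line)
    if buf:
        events.append("\n".join(buf))
    return events


def analyse(text):
    """Parse every chunk and tally CIDs, event types and parse failures."""
    result = {"parsed": 0, "failed": 0, "cids": Counter(),
              "event_types": Counter(), "errors": []}
    for idx, chunk in enumerate(split_events(text)):
        try:
            obj = json.loads(chunk)
        except json.JSONDecodeError as exc:
            result["failed"] += 1
            result["errors"].append(f"event {idx}: {exc.msg} (line {exc.lineno})")
            continue
        meta = obj.get("metadata", {})
        result["parsed"] += 1
        result["cids"][meta.get("customerIDString", "<missing>")] += 1
        result["event_types"][meta.get("eventType", "<missing>")] += 1
    return result


def analyse_files(files):
    """files: {name: content}. Returns {name: analyse(content)}."""
    return {name: analyse(content) for name, content in files.items()}


def main(argv):
    if argv:
        # argv[0] is a glob such as '/var/log/crowdstrike/falconhoseclient/falcon*'
        paths = sorted(glob.glob(argv[0]))
        files = {}
        for path in paths:
            with open(path, encoding="utf-8", errors="replace") as fh:
                files[path] = fh.read()
    else:
        files = SAMPLE_FILES
    for name, res in analyse_files(files).items():
        print(f"{name}: parsed={res['parsed']} failed={res['failed']} "
              f"cids={dict(res['cids'])} types={dict(res['event_types'])}")
        for err in res["errors"]:
            print(f"  !! {err}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with the glob from the post in quotes so the shell does not expand it, e.g. `python3 check_falcon_files.py '/var/log/crowdstrike/falconhoseclient/falcon*'`. A file that reports `failed` events, or one whose events do not start at a `{` line, is one the module will not be able to turn into documents regardless of how many harvesters were started for it.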
