Quite new to the elastic stack but lurking for a while in this community.
I got the task to set up log management based on the elastic stack.
Use case: an external system (SaaS) sends logs (a variety of logs from a Linux machine, e.g. tomcat) via TCP to Elastic. Our devs should be able to leverage Elastic for analysis, alerts, etc.
My setup is using filebeat (with the System module enabled) as a syslog receiver, Elastic, and Kibana
(After reading a lot of discussions, I believe Logstash is not necessary for the moment)
```yaml
filebeat.inputs:
- type: syslog
  format: auto
  enabled: true
  protocol.tcp:
    host: "localhost:514"

filebeat.config.modules:
  path: /etc/filebeat/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "localhost:5601"

output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "https"
  # "none" skips validation of the Elasticsearch server certificate.
  ssl.verification_mode: none
  # Authentication credentials - either API key or username/password.
  api_key: "someapikey"
```
The vendor only communicates via TLS, so I assume I need to configure SSL in filebeat.inputs as follows:
```yaml
filebeat.inputs:
- type: syslog
  format: auto
  enabled: true
  protocol.tcp:
    host: "localhost:514"
    # Server-side TLS settings for the listener.
    ssl.enabled: true
    ssl.certificate: "/home/user/server.pem"
    ssl.key: "/home/user/server.key"
    # "none" skips validating the sender's certificate when one is presented;
    # ssl.client_authentication (none/optional/required) controls whether one is requested.
    ssl.verification_mode: "none"
    # The option is plural and takes a list (certificate_authorities, not certificate_authority).
    ssl.certificate_authorities: ["/home/user/ca.pem"]
```
- Is this change enough, so traffic between the SaaS and our syslog receiver is using TLS?
- Is the input type "syslog" the right choice? (I am not sure I understand the difference between input type "syslog" and "tcp" correctly.)
Thank you for your help, highly appreciated!
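One way to confirm from the sending side that the listener actually negotiates TLS and presents a certificate that chains to the expected CA is to connect to it with a verifying client and push one well-formed RFC 5424 line through it. The script below is an added example, not part of the original post or of Filebeat; the host `localhost`, port `514` and CA path `/home/user/ca.pem` are taken from the post's config, and `expected_cn` is an assumed placeholder for the subject name the receiver's certificate should carry.

```python
"""Verify a TLS syslog receiver (e.g. Filebeat's syslog/tcp input) from a client.

Added example; assumes a listener on localhost:514 whose certificate chains
to /home/user/ca.pem (paths and names from the post, not verified here).
"""
import socket
import ssl
from datetime import datetime, timezone


def build_rfc5424(msg, facility=1, severity=6, hostname="test-host",
                  app="tls-check", procid="-", msgid="-", timestamp=None):
    """Build one RFC 5424 syslog line, newline-terminated for delimiter framing.

    PRI is facility * 8 + severity; '-' is the RFC's nil value for the
    structured-data, PROCID and MSGID fields.
    """
    pri = facility * 8 + severity
    ts = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {app} {procid} {msgid} - {msg}\n"


def parse_pri(line):
    """Return (facility, severity) from the leading <PRI> of a syslog line."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing <PRI> prefix")
    pri = int(line[1:line.index(">")])
    return pri // 8, pri % 8


def make_client_context(ca_path=None):
    """TLS client context that refuses unverified servers and legacy protocols.

    ca_path=None falls back to the system trust store; pass the receiver's
    CA file (e.g. /home/user/ca.pem) to pin the chain the sender should see.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send_test_event(host, port, ca_path, line, server_hostname=None,
                    expected_cn=None, timeout=5.0):
    """Open a verified TLS connection, send one line, report what was negotiated.

    Raises ssl.SSLError if the listener is plaintext or its chain does not
    validate against ca_path; raises ValueError if expected_cn is given and
    the peer's commonName differs.
    """
    ctx = make_client_context(ca_path)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname or host) as tls:
            cert = tls.getpeercert()
            subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
            if expected_cn and subject.get("commonName") != expected_cn:
                raise ValueError(f"unexpected peer CN: {subject.get('commonName')}")
            tls.sendall(line.encode("utf-8"))
            return {
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "peer_subject": subject,
            }


if __name__ == "__main__":
    # Values below come from the post's config; expected_cn is an assumed placeholder.
    line = build_rfc5424("tls receiver check", hostname="saas-sender")
    result = send_test_event("localhost", 514, "/home/user/ca.pem", line,
                             expected_cn="EXPECTED-CN-PLACEHOLDER")
    print(result)
```

If the handshake fails with a verification error, the sender side will fail the same way, so fix the chain on the listener before asking the vendor to retry. The same `protocol.tcp` TLS settings apply whether the input type is `syslog` or `tcp`; the difference is only what happens after the bytes arrive, since the `syslog` input parses each line into syslog fields while the `tcp` input leaves the raw line in `message`.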