Hello community,
Quite new to the Elastic Stack, but I have been lurking for a while in this community.
I got the task to set up log management based on the Elastic Stack.
Use case: an external system (SaaS) sends logs (a variety of logs from a Linux machine, e.g. Tomcat) via TCP to Elastic. Our devs should be able to leverage Elastic for analysis, alerts, etc.
My setup is using Filebeat (with the System module enabled) as the syslog receiver, Elasticsearch, and Kibana.
(After reading a lot of discussions, I believe Logstash is not necessary for the moment.)
filebeat.yml
filebeat.inputs:
- type: syslog
  format: auto
  enabled: true
  protocol.tcp:
    host: "localhost:514"

filebeat.config.modules:
  path: /etc/filebeat/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "localhost:5601"

output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "https"
  ssl.verification_mode: none
  # Authentication credentials - either API key or username/password.
  api_key: "someapikey"
The vendor only communicates via TLS, so I assume I need to configure SSL in filebeat.inputs as follows:
filebeat.inputs:
- type: syslog
  format: auto
  enabled: true
  protocol.tcp:
    host: "localhost:514"
    ssl.enabled: true
    ssl.certificate: "/home/user/server.pem"
    ssl.key: "/home/user/server.key"
    # "none" disables peer-certificate checks on this listener; only suitable for testing
    ssl.verification_mode: "none"
    # Filebeat option is the plural form and takes a list of CA files
    ssl.certificate_authorities: ["/home/user/ca.pem"]
My questions:
- Is this change enough, so that traffic between the SaaS and our syslog receiver is using TLS?
- Is the input type "syslog" the right choice? (I am not sure I understand the difference between input type "syslog" and "tcp" correctly.)
Thank you for your help, highly appreciated!
Dan
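The following is an added example, not part of the post above and not Elastic's code: a small audit script that flattens a Filebeat configuration to dotted keys and reports the TLS weaknesses a reviewer would raise about the syslog-over-TLS input and the Elasticsearch output (the misspelled `ssl.certificate_authority` key, `ssl.verification_mode: none` on both sides, no client-certificate requirement, and a listener bound to loopback that an external sender cannot reach). The two configurations are constructed inline: one mirrors the post's filebeat.yml, the other is a hardened variant whose certificate paths under /etc/filebeat/certs and port 6514 (the registered syslog-over-TLS port) are assumptions, not values from the post.

```python
"""Audit a Filebeat config for weak or mistaken TLS settings (added example)."""
from typing import Any, Dict, List


def flatten(node: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested dicts into dotted keys. Filebeat accepts both
    'protocol.tcp: {host: x}' and 'protocol: {tcp: {host: x}}', so both
    end up as 'protocol.tcp.host'. Lists are kept as plain values."""
    out: Dict[str, Any] = {}
    if not isinstance(node, dict):
        return out
    for key, value in node.items():
        full = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, full))
        else:
            out[full] = value
    return out


def audit_syslog_input(index: int, raw: dict) -> List[str]:
    """Findings for one syslog/tcp input, each prefixed 'location CODE:'."""
    cfg = flatten(raw)
    where = f"filebeat.inputs[{index}]"
    ssl = "protocol.tcp.ssl."
    findings: List[str] = []
    if not cfg.get(ssl + "enabled"):
        findings.append(f"{where} NO_TLS: the TCP listener accepts cleartext syslog")
        return findings
    if ssl + "certificate_authority" in cfg:
        findings.append(f"{where} BAD_CA_KEY: 'ssl.certificate_authority' is not a Filebeat "
                        "option; use 'ssl.certificate_authorities' (a list of CA files)")
    if str(cfg.get(ssl + "verification_mode", "full")).lower() == "none":
        findings.append(f"{where} NO_VERIFY: ssl.verification_mode none disables "
                        "peer-certificate checks on the listener")
    if cfg.get(ssl + "client_authentication") != "required":
        findings.append(f"{where} NO_CLIENT_AUTH: set ssl.client_authentication: required "
                        "so only senders with a certificate from the configured CA can deliver logs")
    host = str(cfg.get("protocol.tcp.host", ""))
    if host.rsplit(":", 1)[0] in ("localhost", "127.0.0.1", "::1"):
        findings.append(f"{where} LOOPBACK_BIND: listener is bound to {host}; "
                        "an external sender cannot connect to it")
    return findings


def audit_output(raw: dict) -> List[str]:
    """Findings for output.elasticsearch: HTTPS without server-cert verification."""
    cfg = flatten(raw)
    uses_tls = cfg.get("protocol") == "https" or cfg.get("ssl.enabled") is True
    if uses_tls and str(cfg.get("ssl.verification_mode", "full")).lower() == "none":
        return ["output.elasticsearch OUTPUT_NO_VERIFY: Elasticsearch certificate is not "
                "verified; set ssl.verification_mode: full and ssl.certificate_authorities"]
    return []


def audit(config: dict) -> List[str]:
    """Run all checks over a Filebeat config expressed as a dict (as PyYAML would load it)."""
    findings: List[str] = []
    for i, inp in enumerate(config.get("filebeat.inputs", [])):
        if inp.get("type") in ("syslog", "tcp"):
            findings += audit_syslog_input(i, inp)
    findings += audit_output(config.get("output.elasticsearch", {}))
    return findings


# Constructed to mirror the filebeat.yml from the post ("someapikey" is the post's placeholder).
POSTED_CONFIG = {
    "filebeat.inputs": [{
        "type": "syslog", "format": "auto", "enabled": True,
        "protocol.tcp": {
            "host": "localhost:514",
            "ssl.enabled": True,
            "ssl.certificate": "/home/user/server.pem",
            "ssl.key": "/home/user/server.key",
            "ssl.verification_mode": "none",
            "ssl.certificate_authority": "/home/user/ca.pem",
        },
    }],
    "output.elasticsearch": {
        "hosts": ["localhost:9200"], "protocol": "https",
        "ssl.verification_mode": "none", "api_key": "someapikey",
    },
}

# Hardened variant; the /etc/filebeat/certs paths and port 6514 are assumptions.
HARDENED_CONFIG = {
    "filebeat.inputs": [{
        "type": "syslog", "format": "auto", "enabled": True,
        "protocol.tcp": {
            "host": "0.0.0.0:6514",
            "ssl.enabled": True,
            "ssl.certificate": "/etc/filebeat/certs/server.pem",
            "ssl.key": "/etc/filebeat/certs/server.key",
            "ssl.verification_mode": "full",
            "ssl.client_authentication": "required",
            "ssl.certificate_authorities": ["/etc/filebeat/certs/sender-ca.pem"],
        },
    }],
    "output.elasticsearch": {
        "hosts": ["es.example.internal:9200"], "protocol": "https",
        "ssl.verification_mode": "full",
        "ssl.certificate_authorities": ["/etc/filebeat/certs/es-ca.pem"],
        "api_key": "someapikey",
    },
}

if __name__ == "__main__":
    for line in audit(POSTED_CONFIG):
        print(line)
    print("hardened findings:", audit(HARDENED_CONFIG))
```

To run it against a real file, load it with `yaml.safe_load(open("filebeat.yml"))` and pass the result to `audit()`; the flattening step is what lets the same checks work whether the file uses dotted keys or nested maps.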