Filebeat harvest logs from encrypted file

Hello people,

How would one go about collecting logs from an encrypted log file that has to be decrypted first?

I have some /var/log/my_encrypted_log.log
To read this I have to pipe the contents to a binary that decrypts them,
e.g.
$ cat /var/log/my_encrypted_log.log | my_decryption_binary | less
This will show the logs in clear text format.

I don't want to save all my decrypted logs in a different file since it will grow quite big and I am disk space limited.
I was thinking of sending/tailing it to a TCP/UDP/HTTP stream, but would like to do that directly via Agent, if possible. Is there a way to run arbitrary (but pre-defined) binaries?

Anyone encountered this scenario? Ideas?

None of the beats or the agent support this. You'd have to decrypt separately and then send to log file or directly to agent via tcp/udp...
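The reply above points at the only route that works today: decrypt separately and hand the cleartext to a Filebeat tcp input instead of a file. The script below is an added example, not code from this thread or from Elastic: it pipes the encrypted file through the decryptor and forwards each cleartext line over TCP, so nothing decrypted is ever written to disk. Assumptions: the thread's `my_decryption_binary` is replaced by a ROT13 stand-in, the Filebeat side is a `type: tcp` input on an assumed `127.0.0.1:9000`, and `run_demo()` uses a tiny local receiver in place of Filebeat.

```python
import socket
import socketserver
import subprocess
import sys
import tempfile
import threading
from pathlib import Path

# Stand-in for the thread's my_decryption_binary (an assumption): a ROT13 filter.
# In production this is the real decryptor, invoked exactly as in the post.
DECRYPT_CMD = [sys.executable, "-c", "import sys, codecs; "
              "sys.stdout.write(codecs.encode(sys.stdin.read(), 'rot13'))"]

def stream_decrypted(path, decrypt_cmd, host, port):
    """Pipe the encrypted file through the decryptor and forward each cleartext
    line to a TCP listener, e.g. a Filebeat input configured as `type: tcp` with
    `host: "127.0.0.1:9000"` (assumed). Cleartext lives only in the pipe and the
    socket, never on disk. Returns the number of lines forwarded."""
    sent = 0
    with open(path, "rb") as enc, subprocess.Popen(
        decrypt_cmd, stdin=enc, stdout=subprocess.PIPE
    ) as proc, socket.create_connection((host, port)) as sock:
        for line in proc.stdout:
            sock.sendall(line if line.endswith(b"\n") else line + b"\n")
            sent += 1
    if proc.returncode != 0:  # a failing decryptor must not look like an empty log
        raise RuntimeError(f"decryptor exited {proc.returncode} after {sent} lines")
    return sent

class _Collector(socketserver.StreamRequestHandler):
    """Minimal line receiver standing in for Filebeat's tcp input in the demo."""
    def handle(self):
        for raw in self.rfile:
            self.server.lines.append(raw.decode().rstrip("\n"))

def run_demo():
    """Write a constructed ROT13 'encrypted' log, stream it, return what arrived."""
    with tempfile.TemporaryDirectory() as tmp:
        enc_path = Path(tmp) / "my_encrypted_log.log"
        enc_path.write_text(  # constructed sample: ROT13 of two syslog-style lines
            "Whyl 01 12:00:01 ubfg ffuq[42]: Npprcgrq choyvpxrl sbe nqzva\n"
            "Whyl 01 12:00:02 ubfg fhqb: nqzva : GGL=cgf/0 ; PBZZNAQ=/ova/yf\n")
        with socketserver.TCPServer(("127.0.0.1", 0), _Collector) as srv:
            srv.lines = []
            receiver = threading.Thread(target=srv.handle_request)  # one connection
            receiver.start()
            stream_decrypted(str(enc_path), DECRYPT_CMD, *srv.server_address)
            receiver.join()
        return srv.lines
```

Against a real Filebeat, point `stream_decrypted` at the tcp input's host and port and run it from a timer or as a service; the decryptor's exit status is checked so a broken key or binary surfaces as an error rather than as silence.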

Hi Alex,

On our former Agent/Sidecar we had a whitelist feature to allow other binaries to be run. We require something similar.
There is a new ER (internal reference number is 16281).

E.g. of the former feature, where we needed to whitelist the binary directly on the host where the Agent was running.

Basically it's like allowing the osquery (integration) or sysmon binaries, but in this case we need a custom one.
Ideally we should be able to verify the CRC or sha512 signature of that binary from Fleet.
