Forward syslogs to another SIEM

I have several machines that use Filebeat to send syslog messages to the SIEM. I'd like to send these logs to another external machine besides the local machine. How can I do this?

Hi,

Edit each /etc/filebeat/filebeat.yml and enable (or add, if it is not already there, commented out) the new output.

Take a look at this for the supported outputs: https://www.elastic.co/guide/en/beats/filebeat/current/configuring-output.html

I currently have all Windows devices, network switches, etc., sending logs to one Linux machine that has Elastic Stack installed. What I'd like to do is forward all the logs collected in Logstash to another external SIEM.

Hi,

So you just need to enable another output in your logstash.yml file and add the information for your "another external siem". Take a look at this to see the supported outputs:
https://www.elastic.co/guide/en/beats/filebeat/current/logstash-output.html

If you cannot configure the individual devices to send to multiple logging endpoints, you could try using samplicator (if the syslogs are UDP): https://github.com/sleinen/samplicator

It's easy to set up and works well.

I'm very new to how this works so please excuse my confusion. In my /etc/logstash/conf.d/ folder I have the following files:

logstash-beats.conf
logstash-fwd-alarm.conf
logstash-output.conf
logstash-snmptrap.conf
logstash-syslog.conf

Which one of these files would I have to modify in order to forward all syslog messages and winlogbeat to two different IP addresses?

I would duplicate them at source. I don't know whether your second SIEM is elastic stack or something else, so I'm talking about duplicating raw logs.

Even if they are both elastic stack, it will be more resilient to log independently.

For Winlogbeat you will need to copy the service and edit it to rename it so that two instances of Winlogbeat will run. My understanding is that Beats will select the first available endpoint from whatever list you configure rather than log to both. I'm not a Windows person so can't help you with that service config, but there's plenty of help out there.
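For the Logstash-side route suggested earlier (a second output in the pipeline), here is an added example that is not from any poster in this thread. It assumes the output block lives in logstash-output.conf under /etc/logstash/conf.d, that the syslog input sets type => "syslog", and it uses a placeholder address for the external SIEM.

```conf
# Added example, not from this thread. Logstash sends every event to every
# output listed in the output block (unlike Beats, which fails over between the
# hosts in one list), so a second output is enough to fan events out.
output {
  # Existing local destination (assumed: Elasticsearch on the same box).
  elasticsearch {
    hosts => ["http://localhost:9200"]
  }

  # Second destination: an external SIEM that accepts syslog over TCP.
  # The conditional limits the copy to syslog and Winlogbeat events; it
  # assumes the syslog input sets type => "syslog" and relies on the
  # [@metadata][beat] field that Beats add when shipping to Logstash.
  if [type] == "syslog" or [@metadata][beat] == "winlogbeat" {
    syslog {
      host     => "SIEM_PLACEHOLDER_IP"   # placeholder, replace with the real address
      port     => 514
      protocol => "tcp"                   # "ssl-tcp" plus ssl_cert/ssl_key if the SIEM supports TLS
      rfc      => "rfc5424"
      appname  => "logstash"
    }
  }

  # If the second SIEM is another Elastic Stack, use a second elasticsearch
  # block with its own hosts list instead of the syslog block above.
}
```

Validate the pipeline before restarting with `/usr/share/logstash/bin/logstash --path.settings /etc/logstash --config.test_and_exit`, then restart the logstash service and confirm events arrive at both destinations.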
