How to ingest Darktrace syslog JSON into Filebeat / Elasticsearch

Hello team,

I'm new to the ELK stack, so I want to apologize if my questions are stupid.

I have successfully installed the ELK stack on my server, and I have installed the agents on all my servers. All is working fine.

Now I have to receive into Elastic the alerts generated by Darktrace, so I have set the IP (of the manager) and the port (where Filebeat is listening) and have set it to send the alerts as syslog JSON.

So I have opened and configured the filebeat.yml settings:

filebeat.inputs:
  - type: syslog
    format: auto
    # the syslog input takes protocol.tcp / protocol.udp with a single host string
    protocol.tcp:
      host: "172.18.17.8:514"

Saved and restarted filebeat.service. Running

filebeat -e

I got no error.
So I tried to send a "sample alert" from Darktrace (which confirmed the successful send, and the firewall confirmed it too), but I don't see it among the events in the Elasticsearch dashboard, in /var/ossec/logs/alerts/alerts.log or in /var/ossec/logs/archive/archive.log.

By the way, ONLY for these alerts (Darktrace alerts), I tried to configure a new index in the filebeat.yml settings:

setup.ilm.enabled: false
setup.template.overwrite: true
output.elasticsearch:
  hosts: ["127.0.0.1:9200"]
  index: "darktrace-%{[agent.version]}-%{+yyyy.MM.dd}"
  username: "****"
  password: "**********"
setup.template:
  name: 'darktrace'
  pattern: 'darktrace-*'
  enabled: false

but looking into Elastic > Stack Management > Index, it isn't present.

Thanks in advance for your support.
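Before blaming Filebeat or the index settings, it helps to confirm that the alert actually reaches the host as a syslog line carrying a JSON body, and that the body parses. The following is an added example, not code from the original post or from Darktrace or Elastic: it parses an RFC 3164-style syslog header followed by a JSON payload (the "syslog JSON" format the post describes), and includes a loopback self-test that sends a line over TCP to a throwaway listener, the same path Filebeat's TCP syslog input listens on. The sample alert line and its field names are constructed for the example and are not a real Darktrace message.

```python
import json
import re
import socket
import threading
from typing import Any, Dict, Optional, Tuple

# Constructed sample: RFC 3164 header (<PRI>timestamp host) followed by a JSON
# body. Field names are invented for the example; real Darktrace alerts differ.
SAMPLE_LINE = (
    '<14>Jan 12 10:15:32 darktrace-master '
    '{"model": "Anomalous Connection / Example", "score": 0.73, '
    '"device": "10.0.0.5", "hostname": "example-host"}'
)

HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'                                        # PRI = facility*8 + severity
    r'(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '      # BSD timestamp
    r'(?P<host>\S+) '                                             # sending host
    r'(?P<msg>.*)$',                                              # tag + JSON body
    re.DOTALL,
)


def parse_syslog_json(line: str) -> Optional[Dict[str, Any]]:
    """Split a syslog line into header fields and its decoded JSON body.

    Returns None when the header or the JSON body does not parse, which is
    exactly the case where a syslog input will drop or mangle the event.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group('pri'))
    msg = m.group('msg')
    # Some senders prefix the body with a tag ("darktrace: {...}"); keep from the first brace.
    brace = msg.find('{')
    if brace < 0:
        return None
    try:
        payload = json.loads(msg[brace:])
    except json.JSONDecodeError:
        return None
    return {
        'facility': pri // 8,
        'severity': pri % 8,
        'timestamp': m.group('ts'),
        'host': m.group('host'),
        'tag': msg[:brace].strip() or None,
        'payload': payload,
    }


def send_syslog_tcp(host: str, port: int, line: str, timeout: float = 5.0) -> int:
    """Send one newline-terminated syslog line over TCP; returns bytes sent."""
    data = line.encode('utf-8') + b'\n'
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(data)
    return len(data)


def start_loopback_listener() -> Tuple[socket.socket, int]:
    """Bind a throwaway TCP listener on 127.0.0.1 with an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(('127.0.0.1', 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def recv_one_line(srv: socket.socket, timeout: float = 5.0) -> str:
    """Accept one connection and read a single newline-terminated line."""
    srv.settimeout(timeout)
    conn, _ = srv.accept()
    with conn:
        conn.settimeout(timeout)
        buf = b''
        while not buf.endswith(b'\n'):
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode('utf-8').rstrip('\n')


def loopback_self_test(line: str = SAMPLE_LINE) -> Optional[Dict[str, Any]]:
    """Send `line` to a local listener and parse what arrives on the wire."""
    srv, port = start_loopback_listener()
    try:
        sender = threading.Thread(target=send_syslog_tcp, args=('127.0.0.1', port, line))
        sender.start()
        received = recv_one_line(srv)
        sender.join()
    finally:
        srv.close()
    return parse_syslog_json(received)


if __name__ == '__main__':
    print(json.dumps(loopback_self_test(), indent=2))
```

To check the real path, point send_syslog_tcp at the Filebeat host and port from the input config (for example 172.18.17.8 and 514) and watch the filebeat -e output; if the line is accepted there but parse_syslog_json returns None on a captured copy of a real Darktrace line, the sender's format (RFC 3164 vs RFC 5424, or a tag before the JSON) is what needs adjusting.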
