I am new to Elastic, and I want to send the logs of our CheckPoint firewalls to Logstash. I configured the log exporter in CheckPoint; however, we don't know how to receive and configure this information in Logstash.
Do I need to create a file in Logstash with input and filters? Has anyone done it?
I haven't done it myself yet, but try the CheckPoint module in Filebeat.
You could run Filebeat on your Logstash server with the CheckPoint module enabled, listening on some port. You configure CheckPoint to send logs to that port. Configure Filebeat to read them in and then output to Logstash.
Using this module benefits you because it comes with all the parsers needed to parse the chkp logs into the proper ECS fields, so you don't have to write filters in Logstash to do that.
I read the documentation, and I downloaded Filebeat 7.8 on my Logstash server; it has the CheckPoint module. I enabled it, and it has this configuration:
I have a question: is var.syslog_host the IP of the CheckPoint firewall? And do I need to configure the output to send to Elasticsearch, or if I use this module should I be able to view it from the filebeat index pattern?
No, var.syslog_host is the interface on the Logstash server to listen on. 0.0.0.0 means listen on all interfaces. Otherwise, you could just put in the IP of the Logstash server itself, not the CHKP.
So on your CHKP, you configure it to send logs to UDP 9001 on the Logstash/Filebeat server IP.
Have you read https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-module-checkpoint.html?
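For reference, here is an added example of what the Filebeat side of that setup looks like; it is not from any post in this thread, and it assumes the Filebeat 7.8 checkpoint module variables var.syslog_host and var.syslog_port, with Elasticsearch and Kibana on the same host as Filebeat:

```yaml
# modules.d/checkpoint.yml (added example, not from the thread).
# Variable names assume the Filebeat 7.8 checkpoint module; confirm them in the module docs for your version.
- module: checkpoint
  firewall:
    enabled: true
    # Interface Filebeat listens on for the Log Exporter syslog stream (0.0.0.0 = all interfaces).
    var.syslog_host: 0.0.0.0
    # UDP port the CheckPoint Log Exporter target must point at; open it on the host firewall too.
    var.syslog_port: 9001

# filebeat.yml (only the relevant part).
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

# Ship straight to Elasticsearch on the same host; the module's ingest pipelines do the ECS parsing,
# so no Logstash filters are needed for these events.
output.elasticsearch:
  hosts: ["localhost:9200"]

# Kibana endpoint so `filebeat setup` can load the filebeat-* index pattern, dashboards and pipelines.
setup.kibana:
  host: "localhost:5601"
```

With this in place, run `filebeat modules enable checkpoint` and `filebeat setup` once, restart Filebeat, and point the firewall's Log Exporter target at this server's IP on UDP 9001.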
OK, I understand. I could put in the IP of my server, as I'm trying, because, since it's my first time with Elastic, I have a deployment of Kibana, Elasticsearch and Logstash on the same server. In CP the configuration is OK.
You would know if you have an error in your config by viewing the /var/log/filebeat/filebeat file and maybe /var/log/syslog. Restart Filebeat and watch those files for any messages.
Also:
Confirm you see logs coming in (tcpdump udp port 514).
Confirm you are connected to Elasticsearch (netstat -an | grep 9200).
Thanks for your help. I reviewed it and found one error. I reviewed tcpdump on the Elastic server and I'm getting traffic from port 514; I can see this in the overview for the index pattern filebeat-*. My question is: should I see this in the Network section of the SIEM tab? Or not?