Logstash vs Filebeat Output Logs

rickyrome86 · March 7, 2018, 2:52pm

What is the best method to send logs to another environment? We are currently sending logs internally via log-stash to our elastic search, but would like to send the logs to another environment managed by a 3rd party. I had the below setup in our test environment (logstash config file), but it seems to not be consistent in what i can see in elastic search in both consoles. Can we send the logs directly from file-beat instead? If so what is the configuration look like? I cant seem to find anything supporting this.

}
output {
if [type] == "output" {
elasticsearch {
hosts => ["10.204.0.203:9200"]
index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
}

elasticsearch {
  hosts => ["192.168.2.227:9200"]
  index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
}

}
}

tag_v · March 7, 2018, 6:51pm

whats other environment here? does that mean elasticsearch at 3rd party network? If thats the scenario yes we can simply mentioning hostname:portnumber where es is running and mention certs if any.

If you dont have requirement of parsing logs, ya you can directly push logs from filebeat to elasticsearch. enable output.elasticsearch in filebeat with respective "[hostname:portnumber]".

rickyrome86 · March 7, 2018, 7:12pm

Yes the 3rd party is running Elasticsearch. I have the below configuration but no logs are showing up. Does that look correct?

Wazuh - Logstash configuration file

Remote Wazuh Manager - Filebeat input

input {
beats {
port => 5000
codec => "json_lines"

ssl => true

ssl_certificate => "/etc/logstash/logstash.crt"

ssl_key => "/etc/logstash/logstash.key"

}
filter {
if [data][srcip] {
mutate {
add_field => [ "@src_ip", "%{[data][srcip]}" ]
}
}
if [data][aws][sourceIPAddress] {
mutate {
add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
}
}
}
filter {
geoip {
source => "@src_ip"
target => "GeoLocation"
fields => ["city_name", "continent_code", "country_code2", "country_name", "region_name", "location"]
}
date {
match => ["timestamp", "ISO8601"]
target => "@timestamp"
}
mutate {
remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type","@src_ip"]
}
}
output {
if [type] == "output" {
elasticsearch {
hosts => ["http://10.204.0.203:9200"]
index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
}

elasticsearch {
  hosts => ["http://192.168.7.227:9200"]
  index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
}

}
}

We also may want to directly output to the 3rd party from filebeat, below is the configuration. Simply add like this? hosts: ["logstash:5000", "logstash2:5000"]

filebeat:
prospectors:

input_type: log
paths:
- "/var/ossec/data/logs/alerts/alerts.json"
  document_type: wazuh-alerts
  json.message_key: log
  json.keys_under_root: true
  json.overwrite_keys: true

output:
logstash:

The Logstash hosts

hosts: ["logstash:5000"]

ssl:

certificate_authorities: ["/etc/filebeat/logstash.crt"]

system · April 4, 2018, 7:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to send data via Logstash Logstash	11	1019	December 28, 2021
Filebeat to send logs to Logstash and ES Elasticsearch	7	1491	October 22, 2019
Query on Logstash to Elasticsearch and third party Beats filebeat	4	295	March 21, 2023
Can't recieve filebeat logs via Logstash Logstash	16	2948	May 31, 2019
Sending logs to external SIEM via syslog using filebeat Beats filebeat	3	5117	August 10, 2020