Send log from rsyslog to ELK with X-PACK

Hello,

After installing X-PACK (necessary for Watcher and for securing access to Kibana), my Linux logs no longer arrive in ELK.

Indeed, before the installation of X-PACK, I had the following configuration on my Debian client:

/etc/rsyslog.d/rsyslog.conf

*.* @192.168.1.1:5544

This is the configuration on my ELK:
/etc/logstash/conf.d/logstash_lmpm_linux.conf

input {
  syslog {
    port => "5544"
    type => "rsyslog"
  }
}

filter { }

output {
  if [type] == "rsyslog" {
    elasticsearch {
      hosts => [ "192.168.1.1:9200" ]
      index => "winlogbeat-%{+YYYY.MM.dd}"
    }
  }
}

Since installing X-PACK, I had to modify the winlogbeat.yml file on my client machines in order to add the elastic account and its password. I guess you have to do the same for Linux. How can I do this?

Thank you for your answers.

Hi Alison,

You are correct in saying that once Elasticsearch requires authentication, you will have to pass it when writing from Logstash.
Please follow the steps documented here to create a user, assign it a role with sufficient permissions, and use it in the output section (or use an existing user with enough permissions):
https://www.elastic.co/guide/en/x-pack/current/logstash.html

Also, for information on security, I would recommend this course, which covers roles, user creation and securing Elasticsearch: https://www.elastic.co/training/x-pack-security
Thanks
Julien
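As an added illustration (not part of Julien's reply or of the Elastic guide), here is what the output section of the questioner's logstash_lmpm_linux.conf looks like once credentials are passed to the elasticsearch output. The user name logstash_writer, the role sketched in the comments and the keystore variable LOGSTASH_WRITER_PW are assumptions that follow the pattern of the linked guide, not values from the thread.

```logstash
# Added example, not from the original thread.
# Assumes a role and user named logstash_writer were created beforehand, e.g.
# (role, via the X-Pack security API; index pattern widened to cover the
# winlogbeat-* index used below, otherwise writes are rejected with 403):
#   cluster:  [ "manage_index_templates", "monitor" ]
#   indices:  names [ "winlogbeat-*" ], privileges [ "write", "create_index" ]
# The password is stored outside the pipeline file:
#   bin/logstash-keystore add LOGSTASH_WRITER_PW
# so ${LOGSTASH_WRITER_PW} is resolved from the keystore (or the environment)
# and no clear-text secret sits in /etc/logstash/conf.d.

input {
  syslog {
    port => "5544"
    type => "rsyslog"
  }
}

filter { }

output {
  if [type] == "rsyslog" {
    elasticsearch {
      hosts    => [ "192.168.1.1:9200" ]
      index    => "winlogbeat-%{+YYYY.MM.dd}"
      # credentials of the least-privileged writer user, not the elastic superuser
      user     => "logstash_writer"
      password => "${LOGSTASH_WRITER_PW}"
    }
  }
}
```

Check it with `bin/logstash --config.test_and_exit -f /etc/logstash/conf.d/logstash_lmpm_linux.conf`; a wrong password or a role that does not cover the index shows up in the Logstash log as a 401 or 403 from Elasticsearch on the first bulk request.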
