Sending logs to SIEMonster any platform

mdavis00 · January 13, 2017, 10:33pm

I cannot seem to get beats to send logs data from Windows, Linux or Mac. Has anyone used beats to get logs to SIEMonster?
P.S. I'm new to beats and elastic as on a few days ago, sorry for my ignorance.

steffens · January 16, 2017, 2:18pm

I have no idea about SIEMonster. It seems to use elasticsearch. In case SIEMonster if exposing an elasticsearch endpoint you can directly configure the elasticsearch output in filebeat.

You have any logs and configuration files to share with us?

mdavis00 · January 17, 2017, 2:44pm

Sure thing, below is the .yml file portion for shipping to elasticsearch:
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:

Array of hosts to connect to.

hosts: [":9200"]
template:
path: "//filebeat-5.1.2-darwin-x86_64/filebeat.template.json"
template.overwrite: true

The default config only had the host address as a required field. I added the template portion from the full.yml thinking it may help but I'm not sure if that made a difference.

ruflin · January 18, 2017, 12:31pm

Can you share some log files from filebeat?

mdavis00 · January 18, 2017, 3:12pm

Absolutely. This is from logs/filebeat

2017-01-13T13:00:45-06:00 ERR Failed to create tempfile (/matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new) for writing: open /matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new: permission denied
2017-01-13T13:00:45-06:00 ERR Writing of registry returned error: open /matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new: permission denied. Continuing...
2017-01-13T13:01:00-06:00 INFO Non-zero metrics in the last 30s: filebeat.harvester.closed=4 publish.events=4 filebeat.harvester.open_files=-4 filebeat.harvester.running=-4 registrar.states.update=4
2017-01-13T13:01:25-06:00 ERR Failed to create tempfile (/matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new) for writing: open /matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new: permission denied
2017-01-13T13:01:25-06:00 ERR Writing of registry returned error: open /matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new: permission denied. Continuing...
2017-01-13T13:01:30-06:00 INFO Non-zero metrics in the last 30s: libbeat.publisher.published_events=1 registrar.states.update=1 publish.events=1
2017-01-13T13:02:00-06:00 INFO No non-zero metrics in the last 30s
2017-01-13T13:02:30-06:00 INFO No non-zero metrics in the last 30s
2017-01-13T13:03:00-06:00 INFO No non-zero metrics in the last 30s
2017-01-13T13:03:20-06:00 ERR Failed to create tempfile (/matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new) for writing: open /matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new: permission denied
2017-01-13T13:03:20-06:00 ERR Writing of registry returned error: open /matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new: permission denied. Continuing...
2017-01-13T13:03:30-06:00 INFO Non-zero metrics in the last 30s: publish.events=2 libbeat.publisher.published_events=2 registrar.states.update=2
2017-01-13T13:03:35-06:00 ERR Failed to create tempfile (/matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new) for writing: open /matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new: permission denied
2017-01-13T13:03:35-06:00 ERR Writing of registry returned error: open /matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new: permission denied. Continuing...
2017-01-13T13:04:00-06:00 INFO Non-zero metrics in the last 30s: publish.events=1 registrar.states.update=1 libbeat.publisher.published_events=1
2017-01-13T13:04:10-06:00 ERR Failed to create tempfile (/matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new) for writing: open /matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new: permission denied
2017-01-13T13:04:10-06:00 ERR Writing of registry returned error: open /matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new: permission denied. Continuing...
2017-01-13T13:04:30-06:00 INFO Non-zero metrics in the last 30s: publish.events=1 libbeat.publisher.published_events=1 registrar.states.update=1
2017-01-13T13:04:30-06:00 INFO Harvester started for file: /var/log/jamf.log
2017-01-13T13:04:30-06:00 ERR Failed to create tempfile (/matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new) for writing: open /matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new: permission denied
2017-01-13T13:04:30-06:00 ERR Writing of registry returned error: open /matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new: permission denied. Continuing...
2017-01-13T13:04:35-06:00 ERR Failed to create tempfile (/matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new) for writing: open /matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new: permission denied
2017-01-13T13:04:35-06:00 ERR Writing of registry returned error: open /matt/software/filebeat-5.1.2-darwin-x86_64/data/registry.new: permission denied. Continuing...

mdavis00 · January 18, 2017, 3:14pm

I looked at the permissions on the directory it is trying to access here and I chmod 666 on it to see if that helps and it changes itself back to 644 and I can't tell why.

ruflin · January 23, 2017, 10:37am

Filebeat should not change any access rights? Could it be any security tool on your machine? Or does it only change when you start filebeat?

system · February 20, 2017, 10:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.