Shipping logs to logstash


Does anyone have any experience with shipping ipfire logs to logstash?

We did that a long time ago with Filebeat, at that time with OSSEC, and a fast one with Softflowd.
At that time Go was not available in the IPFire dev environment, which has since changed, so there should also be a possibility to build it for IPFire, but I haven't checked that.



@ummeegge Thanks Erik,

Yes, filebeat would be perfect. What would be the best way to get filebeat onto ipfire, as I believe there is a restriction on importing third-party binaries? (no apt, and I can't seem to unpackage a deb file) Is building from source the only way?

Hi Ian,
you are welcome. For testing purposes at that time we used the linux-64bit binary, but let me say, as ever: do not use pre-compiled binaries from 3rd parties :wink:. Another option might be to send syslog messages remotely to logstash; there Rsyslog is in use, which IPFire does not provide, but it may also be possible with sysklogd, though I am not sure about this.


Can you believe what I am doing instead? I noticed ipfire has remote syslog sending baked in, so I am just dumping suricata logs into syslog and shipping them to rsyslog remotely (which then pipes them locally to logstash).

No need for me to install filebeat this way.

But a concern I have is currently these are sent unencrypted and unauthenticated. I would like to enable TLS to send the logs but it looks like ipfire does not have the options at least from the GUI. Do you know of a way I can enable the syslog sending over TLS?

sysklogd does not provide TLS or TCP for sending logs to a remote machine. I would use a VPN for this.



Hmm that is unfortunate.

I think I might return to the original plan of using filebeat in that case. I think it is cleaner than using a VPN, and I already have the PKI in place with certs, logstash authenticating certs, etc.
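For comparison, here is a Logstash pipeline that carries both paths discussed in this thread side by side. It is an added example, not configuration from the thread or from IPFire: the plain syslog input that receives the messages relayed by the local rsyslog (the unencrypted, unauthenticated hop), beside a beats input that only accepts a Filebeat client presenting a certificate signed by the operator's CA. Ports, file paths and file names are assumptions.

```conf
# Added example (not from this thread): a Logstash pipeline with the two
# ingestion paths discussed above. All ports, paths and file names are assumed.
input {
  # Path 1: IPFire -> UDP syslog -> local rsyslog -> Logstash. This hop has
  # no transport encryption and no sender authentication, so the input is
  # bound to localhost and only ever fed by the local rsyslog relay.
  syslog {
    host => "127.0.0.1"
    port => 5514
    type => "ipfire-syslog"
  }

  # Path 2: Filebeat on IPFire -> Logstash over mutual TLS. Logstash presents
  # its own certificate and refuses any client whose certificate does not
  # chain to the operator's CA ("force_peer" = client certificate required).
  beats {
    port => 5044
    type => "ipfire-filebeat"
    ssl => true
    ssl_certificate_authorities => ["/etc/logstash/tls/ca.crt"]
    ssl_certificate => "/etc/logstash/tls/logstash.crt"
    ssl_key => "/etc/logstash/tls/logstash.pkcs8.key"   # beats input requires PKCS#8
    ssl_verify_mode => "force_peer"
  }
}

filter {
  # Suricata's eve output is one JSON object per line; decode it so alerts
  # are searchable by field instead of as one opaque string.
  if [type] == "ipfire-filebeat" {
    json {
      source => "message"
      target => "suricata"
      skip_on_invalid_json => true
    }
  }
}

output {
  # Replace with your real sink (e.g. elasticsearch) once the inputs are verified.
  stdout { codec => rubydebug }
}
```

On the Filebeat side the matching settings are `output.logstash.ssl.certificate_authorities`, `ssl.certificate` and `ssl.key`, with Filebeat shipping the raw lines of eve.json in `message`. A client without a CA-signed certificate is rejected during the TLS handshake, which is the authentication property the plain syslog path lacks.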