Hello,
Does anyone have any experience with shipping ipfire logs to logstash?
Hi,
we did that a long time ago with Filebeat --> https://github.com/elastic/beats/tree/master/filebeat#filebeat , at that time with OSSEC --> https://forum.ipfire.org/viewtopic.php?f=4&t=4924&hilit=logstash&start=45#p110744 , and a fast one with Softflowd --> https://forum.ipfire.org/viewtopic.php?f=50&t=19263&p=109986&hilit=logstash#p109986 .
At that time Go was not available in the IPFire dev environment, which has since changed, so there should also be a possibility to build it for IPFire, but I haven't checked that.
Best,
Erik
@ummeegge Thanks Erik,
Yes, filebeat would be perfect. What would be the best way to get filebeat onto ipfire, as I believe there is a restriction on importing third-party binaries? (no apt, and I can't seem to unpackage a deb file) Is building from source the only way?
Hi Ian,
you are welcome. For testing purposes at that time we used the linux-64bit binary --> https://www.elastic.co/de/downloads/beats/filebeat , but let me say, as ever: do not use pre-compiled binaries from third parties. Another option might be to send syslog messages remotely to logstash --> https://support.halon.io/hc/en-us/articles/360000700065-Remote-syslog-to-Logstash <-- there Rsyslog is used, which IPFire does not provide, but it may also be possible with sysklogd --> https://wiki.ipfire.org/configuration/logs/logsettings , but I am not sure about this.
Can you believe what I am doing instead? I noticed ipfire has remote syslog sending baked in, so I am just dumping suricata logs into syslog and shipping them to rsyslog remotely (which then pipes them locally to logstash).
No need for me to install filebeat this way.
But a concern I have is that currently these are sent unencrypted and unauthenticated. I would like to enable TLS to send the logs, but it looks like ipfire does not have the options, at least from the GUI. Do you know of a way I can enable syslog sending over TLS?
sysklogd does not provide TLS or TCP for sending logs to a remote machine. I would use a VPN for this.
Best,
Erik
Hmm that is unfortunate.
I think I might return to the original plan of using filebeat in that case. I think it is cleaner than using a VPN, and I already have the PKI in place with certs, logstash authing certs, etc.
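Since the thread ends with Filebeat plus an existing PKI, here is the shape of a Filebeat configuration that uses that PKI for mutually authenticated TLS to Logstash. This is an added example, not a configuration posted by anyone in the thread and not from the Filebeat or IPFire projects; the Logstash hostname and port, the EVE log path and the certificate paths are placeholders you would replace with your own.

```yaml
# Added example (not from the thread): Filebeat shipping Suricata EVE JSON
# from an IPFire box to Logstash over mutually authenticated TLS.
# Hostname, port, log path and certificate paths are placeholders.

filebeat.inputs:
  - type: filestream
    id: suricata-eve
    paths:
      - /var/log/suricata/eve.json      # assumed EVE output path
    parsers:
      - ndjson:
          target: ""                    # put EVE fields at the top level
          add_error_key: true           # flag lines that are not valid JSON

output.logstash:
  hosts: ["logstash.example.internal:5044"]   # placeholder
  ssl.enabled: true
  # CA that signed the Logstash server certificate; Filebeat rejects
  # any server certificate that does not chain to it.
  ssl.certificate_authorities: ["/etc/filebeat/pki/ca.pem"]
  # Client certificate and key: Logstash can require these so that only
  # hosts holding a certificate from your PKI may deliver events.
  ssl.certificate: "/etc/filebeat/pki/ipfire.pem"
  ssl.key: "/etc/filebeat/pki/ipfire-key.pem"
  # "full" also checks that the name in the server certificate matches the
  # host above. Do NOT use "none": it accepts any certificate and silently
  # turns the channel back into an encrypted but unauthenticated one.
  ssl.verification_mode: full
```

The client certificate only buys authentication if the Logstash side insists on it: in the Logstash `beats` input that means enabling SSL with the server certificate and key, pointing `ssl_certificate_authorities` at the same CA, and setting `ssl_verify_mode => "force_peer"` (newer Logstash releases rename this to `ssl_client_authentication => "required"`; check the option names for the version you run). With that in place an attacker on the path can neither read the Suricata events nor inject forged ones, which is exactly the gap the plain UDP syslog path leaves open.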