Shipping logs to logstash

knightian · 22 December 2020 04:44

Hello,

Does anyone have any experience with shipping ipfire logs to logstash?

ummeegge · 22 December 2020 07:56

Hi,
we did that longer time ago with Filebeat --> https://github.com/elastic/beats/tree/master/filebeat#filebeat at that time with OSSEC --> https://forum.ipfire.org/viewtopic.php?f=4&t=4924&hilit=logstash&start=45#p110744 and a fast one with Softflowd --> https://forum.ipfire.org/viewtopic.php?f=50&t=19263&p=109986&hilit=logstash#p109986 .
At that time Go was not available in the IPFire dev environment which has been changed so there should also be a possibility to build it for IPFire but i haven´t checked that.

Best,

Erik

knightian · 22 December 2020 08:00

@ummeegge Thanks Erik,

Yes filebeat would be perfect, what would be the best way to get filebeat onto ipfire as I believe there is a restriction to import third party binaries? (no apt and can’t seem to unpackage a deb file) Is building from source the only way?

ummeegge · 22 December 2020 08:21

Hi Ian,
you are welcome. For testing purposes at that time we used the linux-64bit binary --> https://www.elastic.co/de/downloads/beats/filebeat but let me say as ever, do not use pre-compiled binaries from 3rd party . Another one might be to send syslog messages remotely to logstash --> https://support.halon.io/hc/en-us/articles/360000700065-Remote-syslog-to-Logstash <-- there is Rsyslog in usage which IPFire do not provides but it is may also possible with sysklogd --> https://wiki.ipfire.org/configuration/logs/logsettings but am not sure about this.

knightian · 12 January 2021 23:40

Can you believe what I am doing instead. I noticed ipfire has remote syslog sending baked in, so I am just dumping suricata logs into syslog and shipping them to rsyslog remotely (which then pipes it locally to logstash).

No need for me to install filebeat this way.

But a concern I have is currently these are sent unencrypted and unauthenticated. I would like to enable TLS to send the logs but it looks like ipfire does not have the options at least from the GUI. Do you know of a way I can enable the syslog sending over TLS?

ummeegge · 13 January 2021 08:41

sysklogd do not provides TLS nor TCP for sending logs to a remote machine. I would use a VPN for this.

Best,

Erik

knightian · 13 January 2021 14:12

Hmm that is unfortunate.

I think I might return to the original plan of using filebeat in that case. I think is cleaner than using VPN and I already have the PKI in place with certs and logstash authing certs etc.