Installing and Configuring Logstash to Ingest Fortinet Syslogs

Ali Younes

10 Jun 202224:54

Summary

TLDRThis tutorial video guides viewers through the process of installing and configuring Logstash to send syslogs from a Fortigate firewall to Elasticsearch. The presenter, building on a previous video, demonstrates setting up the Logstash input, filter, and output plugins, including parsing and enriching data. The video also covers troubleshooting steps, such as adjusting firewall settings and ensuring correct permissions for certificates, to ensure a smooth data flow into Elasticsearch for indexing and visualization in Kibana.

Takeaways

😀 The video is a tutorial on installing and configuring Logstash to send syslogs from a firewall to Elasticsearch.
🔧 Part two of a previous video series, where Elasticsearch and Kibana were installed and configured to work together.
💻 The presenter uses Oracle Linux and installs Java 11 or 17 as a prerequisite for Logstash, using the command `yum install java-1.8.0-openjdk`.
📝 Logstash is introduced as an open-source data collection engine that can enrich data, like adding geo-locations.
📑 The presenter guides through the process of setting up Logstash using a `yum` repository and a public signing key.
🔌 The video demonstrates configuring the firewall to send syslogs to Logstash, specifying the IP address and port 5144.
📡 The Logstash configuration file is detailed, explaining the input, filter, and output plugins necessary for processing the syslog data.
📚 The use of the 'grok' filter is highlighted for parsing syslog messages into structured data.
🛠 The 'mutate' filter is used to clean up the log data by removing unnecessary fields like the original syslog priority value.
🗓️ The 'kv' filter is introduced to parse key-value pairs from the log messages, and a 'date' filter is used to convert log timestamps into a usable format for Elasticsearch.
🔒 The video concludes with securing data transmission to Elasticsearch using SSL, including copying the CA certificate and setting appropriate file permissions.
📊 Finally, the presenter shows how to view the ingested data in Kibana and mentions future plans to create dashboards for data visualization.

Q & A

What is the purpose of the video?
-The purpose of the video is to demonstrate the installation and configuration of Logstash to send syslogs from a firewall to Elasticsearch, which is a continuation of a previous video where Elasticsearch and Kibana were installed and configured.
What are the prerequisites for installing Logstash as mentioned in the video?
-The prerequisites for installing Logstash include having Java installed, specifically JDK 11 or JDK 17, and the video uses JDK 17.
How does the video demonstrate the installation of Logstash?
-The video demonstrates the installation of Logstash by using the yum repository, downloading the public signing key, creating a repository file, and then executing the 'yum install logstash' command.
What is the default port used for syslog in the video?
-The default port used for syslog in the video is 5144.
How does the video handle the firewall configuration for sending syslogs?
-The video shows how to log in to the firewall, configure syslog settings, enable the syslog server, set the IP address of the syslog server to the Logstash server, and specify the port to 5144.
What are the three main components of Logstash configuration files?
-The three main components of Logstash configuration files are the input plugin, filter plugin, and output plugin.
What is the purpose of the 'grok' filter plugin used in the video?
-The 'grok' filter plugin is used to parse arbitrary text and structure it, allowing the user to define patterns for extracting data from logs.
How does the video address the issue of viewing the data before applying filters?
-The video suggests sending the output to the console (stdout) initially to view the data before applying any filters for further processing.
What is the significance of setting the correct permissions for the certificate in the video?
-Setting the correct permissions for the certificate is crucial for the Logstash service to run without issues, as it ensures that the service can access and use the certificate for secure communication with Elasticsearch.
How does the video demonstrate troubleshooting steps for Logstash?
-The video demonstrates troubleshooting by showing the process of giving the correct permissions to the certificate file, changing the file owner to 'logstash', and then successfully restarting the Logstash service.
What is the final step shown in the video for confirming that data is being sent to Elasticsearch?
-The final step shown in the video is logging into Kibana, navigating to the 'Discover' section, and confirming that the data from the firewall is being displayed in real-time.

Outlines

00:00

🔧 Setting Up Logstash for Firewall Syslogs

The video begins with an introduction to the task of installing Logstash and configuring it to receive syslogs from a firewall and send them to Elasticsearch. This is a continuation of a previous tutorial where Elasticsearch and Kibana were set up. The speaker provides a brief overview of their setup and mentions the need for Java 11 or 17 for Logstash. They demonstrate the installation process using the YUM repository and public signing key, and proceed to configure the firewall to send syslogs to the Logstash server on port 5144. The video also covers the basic components of a Logstash configuration file, which includes input, filter, and output plugins.

05:02

📡 Configuring Logstash Input and Testing with Stdout

In this section, the speaker delves into configuring the Logstash input plugin, specifically using the UDP input plugin to receive syslog messages from the firewall. They explain the importance of setting the correct host and port, and then proceed to test the setup by directing the output to the standard output (stdout) for initial parsing. The speaker also discusses the necessity of opening the specified port in the firewall settings and demonstrates how to start Logstash with the specified configuration file. The video shows the raw syslog messages being received, setting the stage for further filtering and processing.

10:03

🌐 Filtering and Parsing Firewall Logs with Logstash

The speaker continues by adding filters to the Logstash configuration. They start with the grok filter to parse the syslog message into a structured format, using a specific pattern to extract the syslog priority and message. The video illustrates how to use the grok debugger and apply the filter to the incoming logs. Subsequently, the mutate filter is introduced to clean up the log data by removing unnecessary fields. The speaker also explains how to use the kv filter to split the log message into individual fields and the subsequent steps to refine the log data further, including removing the original message and adding a new 'log date' field for better timestamp management.

15:03

⏰ Timestamp Conversion and Finalizing Logstash Filters

This part of the video focuses on converting the 'log date' field into a proper timestamp format that Elasticsearch can use. The speaker describes the process of using the date filter plugin to parse the date and time into a structured format. They also discuss the importance of removing redundant fields like 'log date', 'date', and 'time' once the timestamp has been created. Additionally, the speaker converts the 'received bytes' and 'send bytes' fields to integer types to facilitate mathematical operations in Elasticsearch. The video concludes this section by showing a cleaner log data structure ready for output to Elasticsearch.

20:06

🔗 Sending Parsed Logs to Elasticsearch and Verifying with Kibana

The final segment of the video script covers configuring the Logstash output plugin to send the parsed log data to Elasticsearch. The speaker details the necessary Elasticsearch output plugin settings, including specifying the hosts, index name, user authentication, and enabling SSL with a CA certificate. They demonstrate how to copy the certificate from the Elasticsearch node and set the appropriate file permissions for Logstash to access it. After making these configurations, the speaker shows how to start Logstash as a service and verify that the logs are being ingested into Elasticsearch using Kibana. They also troubleshoot a permissions issue with the certificate and demonstrate the final, successful log data stream into Elasticsearch, which can now be visualized in Kibana.

Mindmap

Keywords

💡Logstash

Logstash is an open-source data collection engine that is part of the Elastic Stack. In the video, it is used to ingest and process syslogs from a firewall, which are then sent to Elasticsearch for indexing and analysis. The script describes the process of installing Logstash, configuring it to receive data, and setting up filters to parse and transform the data.

💡Elasticsearch

Elasticsearch is a distributed, RESTful search and analytics engine capable of solving a growing number of use cases. In the context of the video, it is the destination where Logstash sends the processed data for indexing. The video mentions configuring Elasticsearch to work with Logstash and Kibana, which are part of the same stack.

💡Kibana

Kibana is an open-source data visualization plugin for Elasticsearch. It is used for creating visualizations and dashboards to understand and interact with the data stored in Elasticsearch. The script refers to Kibana when discussing how to visualize the data that has been ingested from the firewall via Logstash.

💡Syslog

Syslog is a standard for message logging, used widely on Unix and Unix-like operating systems. In the video, the term 'syslogs' refers to the logs generated by the presenter's firewall, which are being sent to Logstash for further processing and eventual storage in Elasticsearch.

💡Fortigate

Fortigate is a brand of network security appliances that provide firewall, antivirus, and other security services. The script mentions setting up syslog on a Fortigate device, indicating that the firewall logs from this device are the source of the data being ingested into Logstash.

💡Java

Java is a high-level, class-based, object-oriented programming language that is widely used in enterprise environments. The video script specifies that Java 11 or Java 17 is required to run Logstash, and the presenter installs Open JDK to meet this requirement.

💡YUM Repository

YUM (Yellowdog Updater, Modified) is a package management tool for Linux. In the script, the presenter uses the YUM repository to download and install Logstash on their Oracle Linux server, demonstrating a common method for software installation on Linux systems.

💡Configuration File

A configuration file in the context of the video refers to the file where the settings for Logstash are defined, such as input sources, filters, and output destinations. The script describes editing the Logstash configuration file to specify how data should be received and processed.

💡Grok Filter

The Grok filter in Logstash is used for parsing unstructured data into structured data. The script mentions using the Grok filter to parse the syslog messages, allowing for better structure and easier querying in Elasticsearch.

💡Mutate Filter

The Mutate filter in Logstash is used for transforming data, such as renaming, converting data types, removing, or adding fields. In the video, the presenter uses the Mutate filter to clean up the log data by removing unnecessary fields and creating a new timestamp field.

💡Date Filter

The Date filter in Logstash is used to parse and convert date strings into a standard format that can be used by Elasticsearch. The script describes using the Date filter to create a proper timestamp from the log date and time fields for indexing in Elasticsearch.

💡Elasticsearch Output Plugin

The Elasticsearch output plugin in Logstash is used to send the processed data to an Elasticsearch cluster. The script details configuring this plugin with the necessary settings such as hosts, index name, and security features like SSL and authentication.

Highlights

Introduction to installing Logstash for sending firewall syslogs to Elasticsearch.

Part two of a previous video series on setting up Elasticsearch and Kibana.

Requirement of Java 11 or Java 17 for Logstash installation.

Installation of Java 1.8.0 Open JDK on Oracle Linux.

Downloading and installing Logstash using the YUM repository.

Configuring Fortigate syslog server to send logs to Logstash.

Explanation of Logstash components: input, filter, and output plugins.

Setting up Logstash to receive UDP messages from Fortigate on port 5144.

Initial testing of Logstash configuration with stdout output.

Using the grok filter to parse syslog messages.

Utilizing mutate filter to clean and remove unnecessary fields from logs.

Introduction of the kv filter for parsing key-value pairs in log messages.

Creating a timestamp field from log date and time for Elasticsearch indexing.

Converting received and sent bytes to integer for data analysis.

Configuring the Elasticsearch output plugin for near real-time search and analytics.

Securing Elasticsearch connection with SSL and CA certificate.

Verification of data ingestion in Kibana's Discover feature.

Troubleshooting permissions for the CA certificate for Logstash service.

Final confirmation of successful data streaming from Fortigate to Elasticsearch.

Transcripts

00:00

hello everyone welcome to my channel

00:03

in this video i'm going to be installing

00:04

log stash and configuring it so that i

00:07

can send uh the syslogs of my firewall

00:10

uh to elasticsearch

00:13

in a previous video this is part two of

00:15

uh of another video where i installed

00:17

elasticsearch analog and kibana and

00:20

configured them i will post the link of

00:22

that video in the description

00:24

and now we need to send the data to

00:27

elasticsearch from my firewall

00:29

so we are going i'll show you first my

00:32

setup here

00:33

so last time i

00:35

installed elasticsearch and cabana got

00:37

them to talk to each other and now we

00:39

need to send fortigate syslogs

00:42

to stash do some filtering here and then

00:45

send them to elasticsearch to be able to

00:47

uh

00:50

to be uh indexed

00:53

so right here on their

00:56

website you can look at the log stash

00:59

introduction it's basically a an open

01:02

source data collection engine and i'm

01:04

going to use log stash that i am able to

01:07

do something like

01:09

enriching the data with for example guip

01:13

locations

01:14

i'm going to be doing that later on

01:17

if we go to getting started with log

01:19

stash

01:20

it tells us we need

01:23

java

01:25

and for that you need java 11 or java 17

01:28

using jdk 17

01:30

so i want to open jdk

01:33

to installing here at the top and i have

01:36

oracle linux so i run the command yum

01:38

install java 1.8.0

01:42

open jdk

01:44

and this is my server here i already ran

01:47

this command i installed java

01:50

it should not

01:51

do anything right

01:52

now okay nothing to do

01:55

i'm gonna go back to

01:57

log stash

01:59

documentation here

02:01

installing log stash i'm gonna be using

02:04

the yum repository so i'm gonna be

02:06

downloading and installing this public

02:09

signing key

02:13

just copy paste this command and i will

02:18

now create

02:20

a file and this repository called logs

02:26

logs dash dot repo

02:29

oh and i have this from before so

02:31

basically i just copy pasted this

02:34

information here and all i have to do is

02:37

say yum install log stash

02:42

now install log stash

02:48

and it will start

02:50

installing right now

02:53

i'm gonna go to my firewall

02:57

log in and see how to set up assist log

03:04

open command prompt from here

03:08

config log

03:12

syslog and with port gates you can

03:14

install or you can

03:16

setup forces log servers

03:20

i'm just going to use the first one

03:24

and i have those settings ready

03:27

status enable server the ip address of

03:30

the syslog server in my case it's going

03:31

to be the log stash server

03:33

and the port

03:35

we are sending to 5144

03:38

and if we look at the

03:40

full configuration here you can see all

03:42

the other default values

03:44

for example the format is still a

03:46

default

03:47

you can

03:49

you can use other format csv or cf or

03:51

rfc 5424

03:54

but i'm just going to keep it on the

03:55

default format

03:58

okay

04:00

let's see where it is at and it is

04:03

finished we're gonna jump right away to

04:06

the configuration file now

04:08

so nano

04:09

let's see log stash

04:12

conf d and i'm gonna

04:16

firewall.conf

04:18

this is from before so i'm gonna say

04:21

this time forty gate

04:26

48.5

04:28

okay and with logs we have three

04:32

main components of the configuration

04:34

files the input plug-in

04:37

if without

04:39

filter

04:41

plugin and the output

04:45

plugin so input

04:47

is where the data is coming from

04:49

filter is where you add filters to

04:54

basically customize how the data looks

04:57

and then output send it to wherever you

04:59

want in our case to elastic search

05:02

so i'm going to start with the input

05:06

and i'm going to open the documentation

05:09

here we can see the input plugins we

05:12

have many input plugins file i worked

05:15

with this one

05:17

and i'm going to go to the udb

05:20

udp input plugin so read messages as

05:23

events over network via udp

05:27

and the settings here i'm going to use

05:28

the host and the port

05:32

the host and the port

05:35

and

05:38

so it's a udp

05:41

plugin

05:43

the spacing is very important here

05:46

host

05:50

and this is where you put the ip of log

05:52

stash so basically the ip that logs

05:55

listens on

05:57

and then

05:58

port

06:01

i'm just going to do five one four four

06:04

five and four is this default the syslog

06:06

port

06:07

uh but if you're gonna use any port

06:11

under

06:12

1024

06:13

or the main uh or the well-known ports

06:16

i think you're gonna have to give

06:17

logstash

06:19

admin privileges or something like that

06:21

so

06:22

i'm going to use 5144

06:25

and this is basically it for the input

06:27

plugin

06:28

now filter before we do any filters i'm

06:31

just going to look at the data first and

06:34

we need to add something to the output

06:36

right now we're not going to send to

06:37

elasticsearch we want to parse it first

06:40

so to start testing i'm going to send

06:43

the output to the shell just

06:46

basically to this console right here std

06:49

out

06:50

and that's all i have to do

06:53

and something very important because we

06:55

are listening on this port

06:57

five one four four

06:58

we have to enable it i'm gonna say yes

07:01

here fortigate.gov

07:03

and i opened this

07:05

port already

07:07

firewall.cmd

07:09

list

07:11

all

07:13

and i opened this port so this is

07:15

important here as well

07:18

and to run

07:20

logstash

07:22

we're gonna go here

07:24

log stash

07:30

and dash f to specify the file

07:34

log stash conf and fortigate.com

07:52

okay takes few seconds

07:57

now we're going to be seeing all the

07:59

strata coming from the firewall

08:02

not porous not anything so see this

08:04

message here this is what we're going to

08:05

be working with

08:08

we're going to grab this message

08:11

and

08:13

we're going to start

08:19

filtering now we're going to work on the

08:21

filters the first filter i'm going to

08:23

use is

08:25

the grog filter

08:27

so

08:28

you go to the filter plug-ins uh filter

08:31

plug-ins

08:32

and where's the garage filter

08:34

grock filter a quick description here

08:36

parse arbitrary text and structure it

08:40

and you can open uh

08:43

grok

08:45

debuggers online

08:47

i did this before

08:49

so i basically copy pasted this message

08:52

whatever you have

08:56

from here for example this whole message

08:59

this is what we need to filter

09:01

or what we need to find the pattern of

09:06

so

09:07

it's basically on this format percentage

09:10

open bracket and we can see here this

09:12

number this is the syslog

09:14

5424

09:16

priority

09:18

and then percentage of greedy data and

09:19

we put them in a field called message

09:22

so now

09:24

we kind of paused it a little bit and

09:25

now we will work with this

09:29

message

09:31

okay

09:36

and

09:36

before i run i'm gonna run this command

09:40

with dash or

09:42

to reload the configurations

09:43

automatically

09:45

and i'm gonna duplicate this session

09:49

bring it here

09:55

i'm going to open the configuration file

09:57

on this side

10:00

go to gate and now i'm going to be

10:02

adding

10:04

the

10:08

filters

10:09

and it i'll save the file and it will

10:12

reload on the side automatically

10:15

so the first one we said was the growth

10:17

filter

10:18

i'm gonna copy paste from

10:24

okay so double space is important

10:30

i'm gonna copy paste from the document

10:32

here on the lab

10:34

so grog

10:35

just follow documentation how the format

10:38

of this

10:39

uh

10:40

filter works

10:42

okay so growth match and then message

10:44

and then

10:46

you'll put the pattern in

10:49

so message and then

10:51

this is the pattern and then we're going

10:54

to overwrite the message this this

10:55

message is right here

10:57

i'm gonna save

10:59

see how that looks

11:02

so now it's reloading automatically

11:06

we won't be able to see much here but

11:09

it's better than before

11:11

we don't have this is the event original

11:13

the message

11:16

i have to catch it

11:22

okay we're just gonna continue building

11:24

on the filters

11:28

the next one i'm going to do is mutate i

11:30

don't want to see all these original

11:33

events and logs and the version

11:36

of the whole of the

11:38

of the basically of the event of the log

11:40

and timestamp this is the time that the

11:43

event got

11:46

ingested in logs not the event that we

11:48

need actually

11:50

which is here of the event itself

11:55

so i'm going to remove those fields we

11:56

don't need them

11:58

control and save

12:00

let's see how it looks now

12:04

so a little cleaner now we see only the

12:06

message

12:08

so we see the message it does not have

12:09

that syslog priority value here

12:12

and now we're gonna grab this message or

12:15

we're not gonna grab it anyway we're

12:16

just gonna add another filter

12:18

that will parse each and every field by

12:21

itself

12:22

and for that we're gonna use

12:27

a filter plug-in plug-in called

12:30

kv

12:33

and we're feel we're doing a field we're

12:35

doing a field split on the on the space

12:39

so between every field see

12:40

field

12:42

and then its value and then space and

12:44

then another field and then its value

12:45

and then space

12:47

so this is what will help us parse those

12:50

um those fields so ctrl x save yes

12:56

it will reload

13:02

and now look at this we are seeing the

13:04

fields parsed but we're still seeing the

13:07

main

13:09

the main message here so we're going to

13:10

remove it because we parse them there

13:12

are individual fields

13:15

okay

13:17

we're going to do another mutate filter

13:20

and remove

13:21

that message

13:22

now we're going to do something else

13:28

so we're we're going to remove this

13:30

message the big chunky message and then

13:33

we're going to add a filter

13:34

or we're going to add a field sorry

13:38

we're going to call this field log date

13:40

and we're going to

13:41

put the value of date space and time

13:45

because you see those

13:46

date and time

13:51

if i

13:52

find them here and the first line of

13:53

this message date

13:55

space time

13:58

in

13:58

elasticsearch you need that at time

14:02

stamp you need something like this

14:05

but generated from the field values

14:08

themselves

14:09

to be able to ingest them and

14:12

index them in elasticsearch

14:14

so we're gonna do that first

14:17

we're gonna go next so

14:19

this is a step ahead

14:23

i'm gonna save that

14:26

reload

14:28

and now we have those clean fields

14:30

without that big message

14:34

okay

14:35

and now the last

14:38

filter

14:40

uh last filter

14:42

plugin is the date one

14:46

so we added this field from previous

14:48

step

14:49

we call log date it has the values of

14:52

date and time

14:53

and then we're matching

14:56

we're looking at this

14:57

log date we say

15:00

convert it to this format

15:02

year month day and then hour minute

15:05

seconds

15:06

we can set the time zone to convert

15:09

the time zone to our timezone and then

15:11

the target is at time stamp we need this

15:14

field

15:16

to um to ingest our data into

15:19

elasticsearch

15:23

so let's see what happens now

15:28

and this

15:33

i want to catch it from

15:35

the top

15:36

to be able to see

15:38

i'm going to stop it for a bit and look

15:40

at that

15:42

new timestamp field

15:45

so this timestamp field is made from

15:48

this field time

15:50

and

15:51

this field date now we don't need date

15:53

we don't need time

15:55

and definitely definitely not this log

15:57

date that we created just to create this

15:59

timestamp

16:00

so another filter one more filter

16:03

at the end

16:05

to say

16:07

i'm gonna keep this running

16:16

just say remove log date date and time

16:20

i'm also gonna we're also going to

16:22

convert received bytes and send bytes to

16:26

integer type

16:28

because we will

16:30

be able to uh

16:33

do mathematical calculations on those if

16:35

it's a string we can't add a string with

16:38

a string now

16:39

sent bytes and received whites are

16:41

integers

16:43

and we can see timestamp and we don't

16:44

see time and date anymore

16:46

now this is much cleaner than before we

16:50

are able to

16:52

send those

16:53

to elasticsearch

16:55

to do that we're going to go to the

16:57

output plugin now

16:59

and we're going to say elasticsearch

17:07

i'll show you the output plugin

17:10

and the documentation

17:14

so the last search here so we're sending

17:16

the data to elasticsearch

17:19

it'll search

17:20

this plugin

17:22

output plugin provides near near

17:24

real-time search and analytics for all

17:26

types of data so we're just sending to

17:28

elasticsearch

17:29

and there are many many options and

17:31

settings here

17:32

but what i'm going to use

17:36

is the following

17:44

okay

17:46

i don't want to copy anything wrong

17:49

okay so hosts was which is the last

17:52

search

17:53

post with https because we're

17:56

gonna use the cert ca cert

17:59

so the index we're gonna save them in a

18:02

an index called firewall

18:04

you can keep it as firewall but i added

18:07

the date of today

18:08

and then

18:09

user and password it's very secure

18:12

password i know and then we're enabling

18:14

ssl i'm saying this is the ca cert

18:19

this is closing the brackets for

18:21

elasticsearch

18:23

and now should we comment this out as cd

18:25

out

18:26

now we'll keep it so that we can make

18:28

sure that the data is still

18:31

uh running

18:32

we're gonna save

18:35

uh

18:36

yes

18:36

but it will not send right away because

18:39

we need to copy the cert from the last

18:41

search node

18:43

or from the ca

18:46

i'm just going to say yes

18:49

so it's still outputting to the console

18:52

here but not going to ask search

18:55

because we need

18:57

to copy that cert and this is

19:01

my elastic search node

19:03

scp

19:06

let's see

19:08

elasticsearch inserts

19:10

http underscore ca

19:13

now we're sending it

19:16

to 192 168 25

19:22

and

19:27

let's see log

19:31

logs

19:33

dash

19:35

oh that's correct

19:39

um

19:41

oh i did this before

19:43

history

19:47

girl scp i'm just going to copy this

19:54

no maybe the one before

19:58

this recipe

20:00

[Music]

20:02

okay host variation failed

20:05

oh because i have to

20:14

um

20:17

somehow

20:18

i need to remove this key

20:20

from here

20:24

now copy again are you sure yes

20:27

password

20:31

now the cser is added this reloaded

20:37

it's still going let us log in

20:40

to kibana

20:45

with my very secure password

20:49

and let's look

20:50

at

20:52

or go here management stack management

20:54

index management

20:57

see if we have

20:59

a firewall index and we sure do

21:04

those are from yesterday and before

21:05

yesterday and this is the new index

21:09

it's reload documents 46.

21:14

the size is increasing here

21:18

and to look at the data

21:20

we will go to data views

21:23

and oh i already added

21:25

the data view

21:27

so you can create data view and

21:29

put a name here that's what will match

21:31

the index and then we can go to

21:33

discover

21:35

and we can see the data coming in from

21:38

the firewall

21:40

let me see when was the last time before

21:42

i

21:43

broke it broke it oh that was

21:46

yesterday

21:47

i'll go back to the last 15 minutes

21:50

let's stream the data live

21:54

every 10 seconds let's say apply

21:57

and now we can see our data coming in

21:59

from the firewall

22:01

you can look at each document

22:04

um in alaska they call the document it's

22:07

the same as event the same as a log

22:10

we're looking at this document it is

22:13

a ping

22:14

um

22:17

media player i don't know destination ip

22:21

so now you can look at your data

22:24

visualize the data build dashboards i'll

22:27

do another video of some examples

22:30

of building a dashboard

22:32

and this is basically

22:34

how you configure logstash

22:37

to send the data i'm going to stop this

22:40

right here oh actually

22:42

i stopped it

22:46

and now the data will will stop

22:48

streaming into

22:50

i need to do

22:52

another thing here

22:55

i don't want to stream

22:59

to the shell so i'm going to comment

23:01

this out

23:03

and i'm going to run

23:08

from either one i'm going to run lux as

23:11

a service

23:14

start log stash hopefully this does not

23:17

break

23:18

it shouldn't break status

23:22

logs service

23:24

now after i started the logs service

23:27

it stopped logging in cabana i fixed it

23:30

but it stopped logging and the reason

23:32

was

23:33

i needed to give permission to

23:35

the certificate i'll show you what

23:41

what permissions i gave it

23:44

log stash

23:46

so this is the certificate i copied over

23:49

and i gave it six six zero

23:52

so change mod or

23:55

mod

23:56

zero and

24:00

this command this file

24:02

and also

24:05

i gave log stash user permission also

24:08

change

24:09

owner like this

24:12

root log stash

24:14

and the same

24:16

same file okay

24:19

and after that i started the service and

24:21

it worked

24:23

uh it worked again

24:26

so there's a lot of troubleshooting

24:28

while doing this

24:29

but hopefully this video was um

24:33

was informative

24:35

and it helped you

24:36

configure logstash

24:38

you can use it to ingest data from

24:41

basically anything

24:44

and this is my data running

24:46

and

24:47

ingesting it's coming into elasticsearch

24:50

thank you for watching and i will see

24:52

you in the next one

Browse More Related Video

RSLogix 5000 Analog Input Programming | Wiring Scaling Tutorial for PLC Analog Input Signal Example

How to deploy a NextJS app on Digital Ocean instead of Vercel

CSS NC II COC 3: SET UP COMPUTER SERVER. #computersystem #computernetwork #computerrepair #css

[TUTORIAL 1] DASAR MENGGUNAKAN TOTAL STATION TOPCON GM-101 SERIES | ANAK TEKNIK

CARA INSTALL DAN KONFIGURASI DHCP SERVER PADA LINUX UBUNTU SERVER 23.10 (ISC DHCP SERVER)

#03 💻 Membuat Project Laravel Baru menggunakan Docker Container

Rate This

★

★

★

★

★

5.0 / 5 (0 votes)

Related Tags

LogstashElasticsearchSyslogsFirewallConfigurationData IngestionKibanaNetwork SecurityData FilteringIT TutorialSystem Monitoring