...
The configuration of Filebeat is done by editing the /etc/filebeat/filebeat.yml file. Filebeat will be configured to forward the data towards Logstash.
3.1.1. RADIUS Server
In the following, you are required to insert the FQDN to which the logs will be forwarded. This FQDN is in the form "WASHOSTNAME-elastic.WASSUFFIX". For example, if the FQDN of the WAS is "was.example.org", you will have to insert "was-elastic.example.org".
The following is the Filebeat configuration on the RADIUS server that forwards data to Logstash:
/etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths: /path/to/your/radius_logs
multiline.pattern: '^[[:space:]]'
multiline.negate: false
multiline.match: after
output.logstash:
hosts: [ "FQDNWASHOSTNAME-elastic.unil.cloud.switch.chWASSUFFIX:5044" ]
ssl.certificate_authorities: [ "/etc/filebeatssl/certs/ca-certificates.crt" ]
processors:
- add_fields:
target: ''
fields:
logtype: radius
- drop_fields:
fields: [ 'input' , 'host' , 'agent' , 'acs' , 'log' , 'ecs' ]
|
...
filebeat.inputs:
- type: log
enabled: true
paths: /path/to/your/dhcp_logs
include_lines: [ 'DHCPACK' ]
output.logstash:
hosts: [ "FQDNWASHOSTNAME-elastic.example.orgWASSUFFIX:5044" ]
ssl.certificate_authorities: [ "/etc/filebeatssl/certs/ca-certificates.crt" ] processors:
- add_fields:
target: ''
fields:
logtype: dhcp
- drop_fields:
fields: [ 'input' , 'host' , 'agent' , 'acs' , 'log' , 'ecs' ]
|
...
set +o history
filebeat setup --index-management \
-E output.logstash.enabled= false \
-E 'output.elasticsearch.hosts=["FQDNWASHOSTNAME-elastic.example.orgWASSUFFIX:443"]' \
-E output.elasticsearch.protocol=https \
-E output.elasticsearch.username=elastic \
-E output.elasticsearch.password=elastic-password-goes-here \
-E 'output.elasticsearch.ssl.certificate_authorities=["/etc/filebeatssl/certs/ca-certificates.crt"]'
set -o history
|
...