Logs can be ingested from Logstash via two methods:
- Via Wazuh agent
- Via syslog
Via wazuh agent
Essentially the flow will be:
Log-source → Logstash → Temp file → Wazuh agent → Wazuh
Steps Summary:
- Configure Logstash to write to a specific file
- Install the Wazuh agent on the Logstash instance [in case of a VM]
- Configure the Wazuh agent to monitor that local log file
- Add rules in Wazuh to parse the Logstash logs
This method requires additional storage, so monitoring the storage (memory) consumption of the created log file is essential to ensure the pipeline does not fail; this can be handled by auto-purging the created log file.
This method also introduces a single point of failure: the created log file.
Via syslog
Log flow will be as follows:
Log-source → Logstash → output_to_syslog plugin → Wazuh
Steps Summary:
- Create a Filebeat deployment alongside your application
- Configure Filebeat to push logs into Logstash
- Install the output_to_syslog plugin in Logstash via an init pod
- Configure Logstash to push its output to Wazuh via the output_to_syslog plugin
- Configure Wazuh to monitor a specific port for syslog logs (configuration below)
- Add decoders and rules in Wazuh to parse the Logstash logs
Syslog over SSL is possible; the certificate must be loaded into the container, and the corresponding configuration changes are required. Reference: Syslog output plugin | Elastic Documentation
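As an added example (not part of the original page) of the Wazuh side of both methods: the agent-side `<localfile>` for the temp file of the first method and the manager-side `<remote>` syslog listener for the second. The file path and the Logstash host address are placeholders.

```xml
<ossec_config>
  <!-- Method 1 (goes in the AGENT's ossec.conf on the Logstash host):
       tail the temporary file written by Logstash's file output.
       Assumes one JSON event per line; the path is a placeholder. -->
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/logstash/wazuh-out.json</location>
  </localfile>

  <!-- Method 2 (goes in the MANAGER's ossec.conf):
       listen for syslog sent by the Logstash syslog output plugin.
       <protocol> must match the plugin's "protocol" setting (udp or tcp).
       <allowed-ips> limits the listener to the Logstash host only;
       the address below is a placeholder. -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>10.0.0.5</allowed-ips>
  </remote>
</ossec_config>
```

Restart the agent or manager after editing its ossec.conf so the new localfile or listener is picked up.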