01. 07. 2020 Gianluca Piccolo Log Management, Log-SIEM, NetEye

Log Manager Beats: Log Files Signature and Compression

Beats is the new method for log acquisition introduced in the latest releases of NetEye 4. It’s a system fully integrated with the Elastic Stack. The Beats agents send logs directly to Logstash, which then forwards them to Elastic. Logstash also writes each log received into files on the file system (at the same location as Rsyslog).

However, the Beats agent configuration is not yet integrated into the configuration web interface of NetEye 4 Log Manager.

To improve the integration of the Beats agents on NetEye 4 Log Manager and enable the automatic signature and compression procedure with the log files written by Logstash, you need to perform the following steps:

  1. Open the NetEye 4 web interface and log in
  2. Go to the Director module
  3. Create a new host template – let’s call it “beats-hosts”
  4. Select a “Check command” – for this guide let’s select “Ping”
  5. Open the “Custom properties”
  6. In the “Safed Profile” dropdown, select “No agent was found”
  7. Save the host template
  8. Create a new host
  9. Select the “beats-hosts” template
  10. The name of the new host must be identical to the host name of one of the hosts that sends logs to NetEye 4 via Beats (be sure the host name is also set correctly on that host itself, since Logstash names the log files after it)
  11. Set the correct host IP
  12. Save the host
  13. Repeat Steps 8 to 12 for every host that sends logs to NetEye 4 via Beats
  14. Deploy the Director configuration
  15. Go to the Log Manager module
  16. You should now see all the “beats-hosts” in the “Host” section

With this configuration, the scheduled job that signs and compresses the logs every night will now also include the files written by Logstash (coming from the Beats agents), which would otherwise be ignored. Furthermore, in the “Log Check” section of the NetEye 4 Log Manager module you will also find the status of the blockchain of these logs.
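The post does not describe how the nightly job builds its signature chain, so the following is an added, self-contained illustration rather than NetEye's own implementation: it compresses each daily log file, signs the compressed bytes with an HMAC-SHA256 key, chains every signature to the previous one, and then verifies the chain so that a modified, missing or reordered archive is reported. The log lines, file names, `SIGNING_KEY` and `chain.json` layout are all constructed for the example.

```python
"""Illustrative nightly log signing and compression job (hypothetical; not NetEye's code).
Each *.log file is gzip-compressed, hashed, and signed together with the previous
signature, so a verifier can detect tampering anywhere in the sequence of archives."""
import gzip
import hashlib
import hmac
import json
import os
import tempfile

# Constructed sample data: two "daily" files as Logstash might write them for a Beats host.
SAMPLE_LOGS = {
    "2020-06-29.log": b"Jun 29 01:00:00 beats-host01 sshd[1]: Accepted publickey for admin\n",
    "2020-06-30.log": b"Jun 30 02:00:00 beats-host01 sudo: admin : TTY=pts/0 ; COMMAND=/bin/ls\n",
}
# Constructed signing key; a real job would keep it outside the log directory.
SIGNING_KEY = b"example-key-not-for-production"
GENESIS = "0" * 64  # previous-signature value for the first file in the chain


def sign_and_compress(log_dir, key=SIGNING_KEY):
    """Compress every *.log in log_dir to .log.gz and append a chained signature to chain.json."""
    chain_path = os.path.join(log_dir, "chain.json")
    chain = json.load(open(chain_path)) if os.path.exists(chain_path) else []
    prev = chain[-1]["signature"] if chain else GENESIS
    for name in sorted(n for n in os.listdir(log_dir) if n.endswith(".log")):
        raw = open(os.path.join(log_dir, name), "rb").read()
        compressed = gzip.compress(raw)
        gz_name = name + ".gz"
        with open(os.path.join(log_dir, gz_name), "wb") as f:
            f.write(compressed)
        os.remove(os.path.join(log_dir, name))
        digest = hashlib.sha256(compressed).hexdigest()
        # The signature covers the file name, its digest and the previous signature:
        # changing or dropping any earlier entry invalidates every later signature.
        sig = hmac.new(key, f"{prev}|{gz_name}|{digest}".encode(), hashlib.sha256).hexdigest()
        chain.append({"file": gz_name, "sha256": digest, "prev": prev, "signature": sig})
        prev = sig
    with open(chain_path, "w") as f:
        json.dump(chain, f, indent=1)
    return chain


def verify_chain(log_dir, key=SIGNING_KEY):
    """Return (ok, message): recompute every digest and signature and check the links."""
    chain = json.load(open(os.path.join(log_dir, "chain.json")))
    prev = GENESIS
    for entry in chain:
        path = os.path.join(log_dir, entry["file"])
        if not os.path.exists(path):
            return False, f"missing file {entry['file']}"
        digest = hashlib.sha256(open(path, "rb").read()).hexdigest()
        if digest != entry["sha256"]:
            return False, f"content of {entry['file']} was modified"
        if entry["prev"] != prev:
            return False, f"chain broken before {entry['file']}"
        expected = hmac.new(key, f"{prev}|{entry['file']}|{digest}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["signature"]):
            return False, f"bad signature on {entry['file']}"
        prev = entry["signature"]
    return True, f"{len(chain)} files verified"


def demo():
    """Run the job on the constructed logs, then tamper with one archive and re-verify."""
    log_dir = tempfile.mkdtemp()
    for name, content in SAMPLE_LOGS.items():
        with open(os.path.join(log_dir, name), "wb") as f:
            f.write(content)
    chain = sign_and_compress(log_dir)
    before = verify_chain(log_dir)
    with open(os.path.join(log_dir, chain[0]["file"]), "ab") as f:
        f.write(b"\x00")  # simulated tampering with the oldest archive
    after = verify_chain(log_dir)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Running the block first verifies both archives, then reports the oldest one as modified after a byte is appended to it; because each signature includes the previous one, the same check would also flag a deleted or reordered archive, which is the property a "Log Check" style status view relies on.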

Gianluca Piccolo
Full Stack Developer at Wuerth Phoenix. I love questioning myself, finding new challenges to learn from and new adventures to grow with. A PHP lover trying to expand my skills by studying new languages and tools to improve my professional life.
