How to Send Atomic Data to ELK Stack - AP
Please note: if an ELK stack is already set up in your environment, some settings in filebeat.yml and/or /etc/logstash/conf.d may need to be adjusted to connect to your upstream ELK stack, such as sockets, the SERVER IP and listening ports.
Enable HIDS JSON output so that alerts are written in JSON format, which ELK can ingest:
- In the GUI, go to Atomic Protector >> AP Configuration >> Host Intrusion Detection System (left panel) >> Enable JSON log output >> click Save.
This can also be done in the terminal:
vi /etc/asl/config
Edit the line HIDS_OUTPUT_JSON="no" and change it to HIDS_OUTPUT_JSON="yes".
Run asl -s -f so the change takes effect.
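As an added example, not from the Atomicorp page, the same /etc/asl/config edit can be scripted so it is repeatable and idempotent (for example from a configuration-management run). It is tested here against a constructed sample file; the sample's other keys are assumptions, and the real file path is only shown in the usage comment.

```shell
#!/bin/sh
# Added example: set HIDS_OUTPUT_JSON="yes" in an ASL-style key=value config
# without hand-editing it in vi. Works on a constructed sample file below.

set -eu

# set_hids_json FILE: rewrite an existing HIDS_OUTPUT_JSON line (whatever its
# current value or quoting) to "yes", or append it if missing; every other
# line is left untouched, and running it twice changes nothing more.
set_hids_json() {
    file="$1"
    if grep -q '^HIDS_OUTPUT_JSON=' "$file"; then
        sed -i 's/^HIDS_OUTPUT_JSON=.*$/HIDS_OUTPUT_JSON="yes"/' "$file"
    else
        printf 'HIDS_OUTPUT_JSON="yes"\n' >> "$file"
    fi
}

# hids_json_value FILE: print the effective value with any quotes stripped,
# so a check can confirm the edit before asl is reloaded.
hids_json_value() {
    sed -n 's/^HIDS_OUTPUT_JSON=//p' "$1" | tail -n 1 | tr -d '"'"'"
}

# Constructed sample config standing in for /etc/asl/config (keys other than
# HIDS_OUTPUT_JSON are assumptions made for the test).
make_sample_config() {
    f=$(mktemp)
    printf 'HIDS_ENABLED="yes"\nHIDS_OUTPUT_JSON="no"\nHIDS_SYSLOG="yes"\n' > "$f"
    echo "$f"
}

# Usage on the real file (as root), followed by the reload from the page:
#   set_hids_json /etc/asl/config && asl -s -f
```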
Enable the Elasticsearch repo and install Filebeat:
- Paste the following directly into the terminal:
cat << EOF > /etc/yum.repos.d/elasticsearch.repo yum -y install filebeat
- Remove the existing filebeat.yml and create a new one containing the template below, with the correct configuration:
rm /etc/filebeat/filebeat.yml
Once you are in the file, press i to enter insert mode and paste the contents below. Change SERVER to the IP address of your ELK server. Save by pressing Esc and then typing :x
filebeat:
- Enable and restart Filebeat from the terminal:
systemctl enable filebeat
systemctl restart filebeat
- Check that Filebeat is running:
systemctl status filebeat
Lastly, on the ELK stack that is already provisioned, open /etc/logstash/conf.d/listen.conf and copy the template below into it. If the file does not exist, create it. This template creates the index for atomicorp-alerts-3.3.x-* :
input {
- Restart Logstash so this template takes effect, and check that it is running:
systemctl restart logstash
systemctl status logstash
Once these configurations are in place, go to the Kibana interface, navigate to "Management", and under Kibana Settings click "Index Patterns" >> create new index pattern >> type "atomicorp-alerts-3.3.x-*".
This should bring up the atomicorp-alerts-3.3.x-* index pattern. Save the pattern; over time the indices will start to populate. This may take a while, because Elasticsearch has to index the incoming alerts first, so give it time.