
Filebeat Logstash to Microsoft Sentinel


In this post we are going to explore how to send events/logs to Azure Sentinel (now Microsoft Sentinel) using Filebeat and Logstash. The chain is: Filebeat reads the log files on each host and ships them over the Beats protocol to Logstash, and Logstash forwards them to the Log Analytics workspace behind Sentinel through Microsoft's Logstash output plugin.

How to install and Configure Filebeat:

Filebeat can be downloaded from here: https://www.elastic.co/downloads/beats/filebeat

To install Filebeat, add Elastic's package signing key and the 7.x apt repository, then install the package (on Ubuntu 18 in my case; on newer Ubuntu releases apt-key is deprecated, and the key should instead be stored as a keyring file that the repository entry references with signed-by):

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list 
sudo apt update
sudo apt install filebeat

Filebeat ships with a set of log modules (system, auditd, nginx, and so on) that already know the file paths and parsing rules for a given log source; `filebeat modules list` shows which ones are available and which are enabled.

For example, let's enable the system module:

sudo filebeat modules enable system

Edit the config file:

sudo vi /etc/filebeat/filebeat.yml

Comment out the Elasticsearch output section and uncomment the Logstash output section, setting its hosts entry to the Logstash server and port 5044 (the default Beats port). Only one output may be active at a time, so leaving both uncommented makes Filebeat refuse to start.

Start Filebeat

sudo service filebeat start

To check its status type:

sudo service filebeat status

How to install and Configure Logstash

Logstash is a free and open server-side data processing pipeline that ingests data from a multitude of sources, transforms it, and then sends it to your favorite "stash." (Source: elastic.co)

Logstash can be downloaded from here: https://www.elastic.co/downloads/logstash. The Elastic apt repository added for Filebeat above also serves the Logstash package, so install a JDK and then Logstash:

sudo apt install -y openjdk-8-jdk
sudo apt-get install logstash

Change into the pipeline directory /etc/logstash/conf.d/ (the default pipelines.yml loads every .conf file found there):

cd /etc/logstash/conf.d/

Create a new config file:

sudo vi Azure-Sentinel.conf

Add the following content:

input {
  # Filebeat connects here; 5044 is the default Beats port
  beats {
    port => "5044"
  }
}
filter {
  # no transformation in this minimal pipeline
}
output {
  # ships each event to the Log Analytics workspace behind Sentinel
  microsoft-logstash-output-azure-loganalytics {
    workspace_id => "<your workspace id>"
    workspace_key => "<your workspace key>"
    custom_log_table_name => "tableName"
  }
}

More configuration options (plugin installation, proxy settings, batching) can be found here: https://docs.microsoft.com/en-us/azure/sentinel/connect-logstash. Note that the workspace key is a shared secret that grants write access to the workspace: keep this file readable only by the logstash user, or reference the key from the Logstash keystore instead of pasting it into the pipeline.

Install the Sentinel output plugin with logstash-plugin first (the Microsoft page above gives the exact command; without it the pipeline fails to load), then start Logstash:

sudo service logstash start
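The Filebeat output section and the Logstash pipeline above are what a lab setup needs; the script below is an added example (not code from the original post) that renders both files with the two hardening steps a production deployment wants: TLS on the Beats link between Filebeat and Logstash, and the workspace key pulled from the Logstash keystore instead of being written into the .conf file. Host name logstash.example.internal, the certificate paths under /etc/filebeat/certs and /etc/logstash/certs, the keystore entries SENTINEL_WORKSPACE_ID and SENTINEL_WORKSPACE_KEY, and the table name FilebeatSystem are all hypothetical; option names are the Logstash 7.x ones used elsewhere on this page.

```shell
#!/bin/sh
# Added example, not from the original post: renders the Filebeat output section and the
# Logstash pipeline with TLS on the Beats link and the workspace key taken from the keystore.
# Hypothetical names: logstash.example.internal, the cert/key paths, the keystore entries
# SENTINEL_WORKSPACE_ID / SENTINEL_WORKSPACE_KEY and the table name FilebeatSystem.
set -eu

# Filebeat side: Elasticsearch output commented out, Logstash output active. Pinning the CA
# makes Filebeat refuse to ship logs to anything that cannot prove it is the Logstash host.
write_filebeat_output() {   # $1 = destination file
    cat > "$1" <<'EOF'
# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
#  hosts: ["localhost:9200"]

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  hosts: ["logstash.example.internal:5044"]
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
EOF
}

# Logstash side: TLS-terminated beats input, a small filter, and the Sentinel output.
# ${NAME} is expanded by Logstash from the keystore (or the environment) when the pipeline
# loads, so the secret never sits in /etc/logstash/conf.d.
write_logstash_pipeline() {   # $1 = destination file
    cat > "$1" <<'EOF'
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    # the beats input requires the private key in PKCS#8 format
    ssl_key => "/etc/logstash/certs/logstash.pkcs8.key"
  }
}
filter {
  # keep the shipping host as a top-level field so it is easy to filter on in Sentinel
  mutate { add_field => { "source_host" => "%{[host][name]}" } }
}
output {
  microsoft-logstash-output-azure-loganalytics {
    workspace_id => "${SENTINEL_WORKSPACE_ID}"
    workspace_key => "${SENTINEL_WORKSPACE_KEY}"
    # appears in the workspace as FilebeatSystem_CL
    custom_log_table_name => "FilebeatSystem"
  }
}
EOF
}

# Offline checks a deploy job can run before copying the files into place.
check_filebeat_output() {   # $1 = Filebeat config; 0 if the Logstash output is on and the ES output is off
    grep -Eq '^output\.logstash:' "$1" || return 1
    if grep -Eq '^output\.elasticsearch:' "$1"; then return 1; fi
    return 0
}

check_logstash_pipeline() {   # $1 = pipeline file; 0 if TLS is on and the key is a ${...} reference
    grep -Eq '^ +ssl => true' "$1" || return 1
    grep -Eq 'workspace_key => "\$\{[A-Z0-9_]+\}"' "$1" || return 1
    return 0
}

# Render both files into $1 and run the checks; non-zero if either check fails.
render_and_check() {   # $1 = output directory
    mkdir -p "$1"
    write_filebeat_output "$1/filebeat-output.yml"
    write_logstash_pipeline "$1/Azure-Sentinel.conf"
    check_filebeat_output "$1/filebeat-output.yml" && check_logstash_pipeline "$1/Azure-Sentinel.conf"
}

# Usage: ./render-sentinel-configs.sh /tmp/sentinel-demo
if [ -n "${1:-}" ]; then render_and_check "$1"; fi
```

Before Logstash can load this pipeline, install the output plugin with logstash-plugin as described on the Microsoft page linked above, add the two secrets with logstash-keystore add (pass --path.settings /etc/logstash on package installs so the keystore lands next to logstash.yml), and convert the server key to PKCS#8 with openssl pkcs8 -topk8 -nocrypt. For mutual authentication of the shippers, add ssl_certificate_authorities and ssl_verify_mode => "force_peer" to the beats input and give each Filebeat a client certificate.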

Once the first events have been ingested (allow a few minutes), the custom table appears in the Log Analytics workspace as tableName_CL, since the service appends _CL to the custom_log_table_name value; select it in the Logs blade to query the events.