ComodoSecurity / openedr

Open EDR public repository

Filebeat Configuration (ELK Stack) #19

Closed Crypt0Fox closed 3 years ago

Crypt0Fox commented 3 years ago

Hi,

can someone share their Filebeat.yml configuration file? I can't seem to configure it right to show the logs that the OpenEDR collects... it only sends the metadata etc...

My filebeat.yml configuration:

filebeat.inputs:

Maybe something to do with multiline.pattern?


Thanks ahead!

koraycomodo commented 3 years ago

You can use the following multiline configuration:

```yaml
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - C:/ProgramData/edrsvc/log/output_events/*.log
    multiline.type: pattern
    multiline.pattern: '^{$'
    multiline.negate: true
    multiline.match: after
    processors:
      - decode_json_fields:
          fields: ["message"]
          target: "json"
```

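An added example (not from the issue or the OpenEDR project) that simulates what those settings do, on a constructed log fragment with assumed field names: `'^{$'` with `negate: true` / `match: after` folds each pretty-printed JSON object into one event, and `decode_json_fields` then parses it into the `json` target; run with `multiline=False`, every line ships as its own event and none of them decodes as JSON.

```python
import json
import re

# Constructed sample (not a real OpenEDR file): two pretty-printed events, each opened by a bare "{" line.
SAMPLE_LOG = r"""{
  "baseType": "event",
  "type": "process_create",
  "process": {"pid": 4321, "imagePath": "C:\\Windows\\System32\\cmd.exe"}
}
{
  "baseType": "event",
  "type": "file_write",
  "file": {"path": "C:\\Users\\Public\\notes.txt"}
}
"""

MULTILINE_PATTERN = re.compile(r"^{$")  # multiline.pattern: '^{$'
MULTILINE_NEGATE = True                  # multiline.negate: true


def aggregate_multiline(lines):
    """Mimic Filebeat's multiline reader (match: after): a line matching the
    negated pattern starts an event, every other line is appended to it."""
    events, current = [], []
    for line in lines:
        starts_event = bool(MULTILINE_PATTERN.match(line)) == MULTILINE_NEGATE
        if starts_event and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def decode_json_fields(message, target="json"):
    """Mimic the decode_json_fields processor: parse 'message' into 'json';
    a fragment that is not valid JSON keeps the event but gets no target."""
    doc = {"message": message}
    try:
        doc[target] = json.loads(message)
    except json.JSONDecodeError:
        pass
    return doc


def process_log(text, multiline=True):
    """Documents Filebeat would ship from the file, with or without multiline."""
    lines = [l for l in text.splitlines() if l.strip()]
    messages = aggregate_multiline(lines) if multiline else lines
    return [decode_json_fields(m) for m in messages]
```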
michaelhidalgo commented 3 years ago

I believe it is because of this https://github.com/ComodoSecurity/openedr/issues/14 and this https://github.com/ComodoSecurity/openedr/issues/9

The issue seems to have been fixed, however, there has not been any new release with a new agent so it can be confirmed.

Crypt0Fox commented 3 years ago

Thanks a lot!

Output is still scrambled-a-lot but at least I am receiving the contents of the log instead of just the metadata