Sending logs remotely via filebeats

[YamatoSecurity]

At first I was thinking of creating a new alert-elastic command to natively send logs to a central Elastic Stack SIEM but the elastic-rs Rust client does not seem to be maintained and is still in Alpha so we should probably rely on Filebeats to send the logs instead. Filebeats will allow better compatibility and stability with Logstash and allow for throttling, etc...

For the first phase, we can just focus on sending the logs one time, but after that it would be nice to be able to do periodic threat hunting scans and only send the alerts that differ.

Here is the notes I wrote up about how we might implement this in the future:

If the alerts are sent successfully then the following information is written to the sent-alerts.csv file. (If the file already exists, then the file is updated) Timestamp (Original ISO-8601 timestamp), Rule ID, Rule Title Before Hayabusa sends the alerts, it checks the Timestamp and Rule ID in this file. If the timestamp and rule ID match, then we assume that the alert was previously sent and the alert does not get sent again. The Rule Title is not needed for checking as the title may be changed over time, however, I want to save it to help out when debugging.

[hitenkoku]

@YamatoSecurity Thank you for raising the issue. I basically don't see the problem, but I am concerned that the size of the csv file is getting bigger and bigger each time I do it.

For example, how about writing only the latest timestamp in the File and deeming anything before that time to have been sent?

[YamatoSecurity]

@hitenkoku Thank you for your comment! Indeed, the CSV file will get bigger and bigger over time but should not double the log size. What about keeping the file compressed? That will reduce the file by 10x or more. Maybe we can use something like rust-brotli or brotlic ?

The problem with just writing the latest timestamp and scanning recent logs is that Hayabusa won't be able to find past incidents (perform threat hunting) which is the main goal. It would just become an inferior host IDS which I couldn't really recommend to use.

[YamatoSecurity]

How about we also not include the Rule Title in the CSV file which will save space. I thought it might be useful for debugging but now that I think about it we probably do not need it. If it is just timestamps and rule IDs, the file should not get too big. And if we compress it, it should become pretty small.

[hitenkoku]

Thanks for the comment.

I think Timestamp and Rule ID are sufficient for the contents of the csv.

I will try to create one.

[hitenkoku]

@YamatoSecurity Would it be correct to sort the following config in alphabetical order of the long option?

Elastic Settings:
      --strict               strict mode: do not only warn, but abort if an error occurs
  -i, --index <INDEX_NAME>   name of the elasticsearch index
  -H, --host <HOST>          server name or IP address of elasticsearch server
  -P, --port <PORT>          API port number of elasticsearch server [default: 9200]
      --proto <PROTOCOL>     protocol to be used to connect to elasticsearch [default: https] [possible values: http, https]
  -k, --insecure             omit certificate validation
  -U, --username <USERNAME>  username for elasticsearch server [default: elastic]
  -W, --password <PASSWORD>  password for authenticating at elasticsearch 

[YamatoSecurity]

@hitenkoku Yes, let's organize this in alphabetical order of the long options:

Elastic Settings:
  -H, --host <HOST>          server name or IP address of elasticsearch server
  -i, --index <INDEX_NAME>   name of the elasticsearch index
  -k, --insecure             omit certificate validation
  -W, --password <PASSWORD>  password for authenticating at elasticsearch 
  -P, --port <PORT>          API port number of elasticsearch server [default: 9200]
      --proto <PROTOCOL>     protocol to be used to connect to elasticsearch [default: https] [possible values: http, https]
      --strict               strict mode: do not only warn, but abort if an error occurs
  -U, --username <USERNAME>  username for elasticsearch server [default: elastic]

[YamatoSecurity]

This is going to take a while to test so I changed the milestone to 2.4.0. Maybe release next month in April?

[fukusuket]

Filebeats

• https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html
• https://www.elastic.co/guide/en/beats/filebeat/current/how-filebeat-works.html
• https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-filestream.html
• https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-filestream.html#filebeat-input-filestream-ndjson
• https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html
• https://www.elastic.co/guide/en/beats/filebeat/current/configuring-ingest-node.html
• https://www.elastic.co/guide/en/elasticsearch/reference/8.15/json-processor.html
• https://www.elastic.co/guide/en/elasticsearch/reference/8.15/csv-processor.html
• https://qiita.com/nfwork01/items/0f36305bed35d7d8bb98

[fukusuket]

Logstash

• https://qiita.com/nskydiving/items/0cb598de7ffb5c22424d
• https://www.elastic.co/guide/en/logstash/current/plugins-filters-csv.html
• https://www.elastic.co/guide/en/logstash/current/output-plugins.html
• https://www.elastic.co/guide/en/logstash/current/installing-logstash.html

[fukusuket]

Install Elasticsearch (Ubuntu 22.04 LTS)

1. https://www.elastic.co/guide/en/elasticsearch/reference/current/targz.html#install-linux
2. https://www.elastic.co/guide/en/elasticsearch/reference/current/targz.html#targz-running
3. https://qiita.com/nobuhikosekiya/items/7441186795b3da998e2f