List: security-onion
Subject: [security-onion] S02 Logstash Parsing
From: "'Josh' via security-onion" <security-onion () googlegroups ! com>
Date: 2021-03-26 19:55:36
Message-ID: a654f1d5-faab-49ac-a7ab-c88cbf7cffb3n () googlegroups ! com
As we work on migrating to SO2 we're currently trying to get logs /
functions up and running ASAP and then working on Elasticsearch pipeline
ingestion.
We'd like for the meantime to use the logstash confs we had in place.
Following:
https://docs.securityonion.net/en/2.3/logstash.html#logstash-parsing
1. I updated the minion for the heavy forwarder adding
logstash:
  pipelines:
    search:
      config:
        - custom/custom_logstash_conf.jinja
2. Placed the conf in
/opt/so/saltstack/local/salt/logstash/pipelines/config/custom/
3. Did an so-elastic-restart
4. Not sure if of interest, but the "local" dir on the heavy forwarder is
empty.
Logs are not being parsed. I don't think I'm missing anything additional in
the docs. Thanks in advance!
--
Please keep in mind that Security Onion 16.04 reaches End Of Life soon!
https://blog.securityonion.net/2020/10/6-month-eol-notice-for-security-onion.html
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/a654f1d5-faab-49ac-a7ab-c88cbf7cffb3n%40googlegroups.com.
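A pillar sanity check one could run on the heavy forwarder before the restart in step 3, as an added example that is not part of the original post or of the Security Onion project: it parses the minion pillar snippet from step 1, confirms that the key path logstash.pipelines.search.config exists and is a list, and confirms that every listed path is present under the config directory from step 2. The YAML parser is a minimal one for the indentation-based mapping/list subset the pillar uses (so the script runs without PyYAML); the claim that the pillar list replaces the default `so/` pipeline configs, so that a list containing only the custom entry would leave the pipeline without its default inputs and outputs, is an assumption and is reported as a warning rather than an error. The sample pillar texts and file sets in the block are constructed.

```python
"""Sanity-check the logstash.pipelines.search.config pillar entry (added example,
not Security Onion code). Assumptions are marked in comments."""
import os

CONFIG_DIR = "/opt/so/saltstack/local/salt/logstash/pipelines/config"  # from the post
KEY_PATH = ("logstash", "pipelines", "search", "config")


def parse_simple_yaml(text):
    """Parse the small YAML subset used here: indentation-based nested mappings
    ('key:' / 'key: value') and '- item' sequences. Not a general YAML parser."""
    lines = [
        (len(raw) - len(raw.lstrip(" ")), raw.strip())
        for raw in text.splitlines()
        if raw.strip() and not raw.strip().startswith("#")
    ]
    pos = 0

    def parse_block(indent):
        nonlocal pos
        if pos < len(lines) and lines[pos][1].startswith("- "):
            items = []
            while pos < len(lines) and lines[pos][0] == indent and lines[pos][1].startswith("- "):
                items.append(lines[pos][1][2:].strip().strip("'\""))
                pos += 1
            return items
        mapping = {}
        while pos < len(lines) and lines[pos][0] == indent and not lines[pos][1].startswith("- "):
            key, _, value = lines[pos][1].partition(":")
            pos += 1
            value = value.strip()
            if value:
                mapping[key.strip()] = value
            elif pos < len(lines) and (lines[pos][0] > indent or lines[pos][1].startswith("- ")):
                mapping[key.strip()] = parse_block(lines[pos][0])  # nested block
            else:
                mapping[key.strip()] = None  # key with nothing under it (flattened pillar)
        return mapping

    return parse_block(lines[0][0]) if lines else {}


def files_under(base_dir):
    """Relative paths of all files below base_dir, matching how the pillar lists them."""
    found = set()
    for root, _, names in os.walk(base_dir):
        for name in names:
            found.add(os.path.relpath(os.path.join(root, name), base_dir))
    return found


def check_pipeline_pillar(pillar_text, existing_files):
    """Return a list of findings; an empty list means the pillar entry looks sound.
    existing_files is the set of relative paths present under the config dir."""
    findings = []
    node = parse_simple_yaml(pillar_text)
    for key in KEY_PATH:
        if not isinstance(node, dict) or key not in node:
            findings.append(
                "missing key path %s (stopped at '%s'): check indentation" % (".".join(KEY_PATH), key)
            )
            return findings
        node = node[key]
    if not isinstance(node, list):
        findings.append("config must be a YAML list of paths relative to the config dir")
        return findings
    for entry in node:
        if entry not in existing_files:
            findings.append("referenced config not found under config dir: %s" % entry)
    # Assumption (not confirmed by the post): this list replaces the default pipeline
    # configs shipped under so/, so a custom-only list would drop the default inputs/outputs.
    if not any(entry.startswith("so/") for entry in node):
        findings.append("warning: no so/ entries listed; default pipeline configs may be missing")
    return findings


# Constructed sample pillars: the indented one from step 1 and a flattened copy.
INDENTED_PILLAR = """logstash:
  pipelines:
    search:
      config:
        - custom/custom_logstash_conf.jinja
"""
FLAT_PILLAR = "logstash:\npipelines:\nsearch:\nconfig:\n- custom/custom_logstash_conf.jinja\n"

if __name__ == "__main__":
    present = files_under(CONFIG_DIR) if os.path.isdir(CONFIG_DIR) else set()
    for line in check_pipeline_pillar(INDENTED_PILLAR, present) or ["pillar entry looks sound"]:
        print(line)
```

Run it on the heavy forwarder and it reports, for the pillar in step 1, whether the custom file is actually visible under the local config directory; an empty "local" directory, as noted in step 4, shows up as a "referenced config not found" finding.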