Configure Logstash Output Plugins
Logstash TCP Output
To send events from Logstash to NetWitness, use the TCP output plugin: https://www.elastic.co/guide/en/logstash/current/plugins-outputs-tcp.html
The TCP output is configured with the NetWitness codec, which formats the outgoing events so that a NetWitness Log Decoder or Virtual Log Collector (VLC) can consume them.
The following is an example of a properly configured output block using TCP and the NetWitness codec:
Output Block
output {
  tcp {
    id => "nw-output-tcp"
    host => "10.10.1.2" #IP or Hostname of destination Log Decoder or VLC
    port => 514
    codec => netwitness
  }
}
Logstash TLS Output
The output block can be further configured to use TLS between Logstash and NetWitness. This encrypts the connection; verifying the identity of the Log Decoder or VLC is covered in the next section. An example of a properly configured output block using TLS and the NetWitness codec:
TLS Output Block
output {
  tcp {
    id => "nw-output-tcp"
    host => "10.10.1.2" #IP or Hostname of destination Log Decoder or VLC
    port => 6514
    ssl_enable => true
    codec => netwitness
  }
}
TLS with Log Decoder (or Virtual Log Collector) Verification
TLS can also be set up so that Logstash verifies the Log Decoder or Virtual Log Collector (VLC) with which it communicates. To do this, the Root and Intermediate CA certificates need to be obtained and stored in a truststore for Logstash.
- On the Log Decoder (or VLC) to which you will be sending events, run the following command:
  cat /etc/pki/nw/ca/nwca-cert.pem /etc/pki/nw/ca/ssca-cert.pem > nw-truststore.pem
- Copy the nw-truststore.pem file to the Logstash machine and store it in a known location.
- Create a certificate for the Logstash machine using a self-signed CA or your own CA.
- Store the cert and private key files in a location of your choosing.
Note: You need to specify the locations of these files in your TLS output block.
The following snippet shows an example of a properly configured output block using TLS with verification and the NetWitness codec:
Output Block with Verification
output {
  tcp {
    id => "nw-output-tcp"
    host => "10.10.1.2" #IP or Hostname of destination Log Decoder or VLC
    port => 6514
    ssl_enable => true
    ssl_verify => true
    ssl_cacert => "/path/to/certs/nw-truststore.pem"
    ssl_key => "/path/to/certs/privkey.pem"
    ssl_cert => "/path/to/certs/cert.pem"
    codec => netwitness
  }
}
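As an added example (not code from the Logstash or NetWitness documentation), the following Python check reads a tcp {} output block like the ones on this page and reports the two weak states: events sent in clear text, and TLS enabled without ssl_verify, so the Log Decoder or VLC is never authenticated against nw-truststore.pem. The parser and the setting names are assumptions drawn from the blocks above; the sample blocks are the page's own TLS examples, constructed inline.

```python
import re

# Added example, not from the Logstash or NetWitness docs: a check for the tcp {}
# output block above that reports events shipped in clear text, or TLS turned on
# without verifying the Log Decoder/VLC certificate against nw-truststore.pem.
SETTING_RE = re.compile(r'^\s*(\w+)\s*=>\s*(.+?)\s*$')

def parse_tcp_settings(config_text):
    """Return the key => value settings of a tcp {} block as a dict.
    Drops inline '#' comments (as on the host line), strips double quotes,
    and turns true/false into bools. Assumes no value contains a literal '#'."""
    settings = {}
    for line in config_text.splitlines():
        m = SETTING_RE.match(line.split('#', 1)[0])
        if m:
            value = m.group(2).strip('"')
            settings[m.group(1)] = value == 'true' if value in ('true', 'false') else value
    return settings

def audit_tcp_output(config_text):
    """Return findings; an empty list means the block matches the verified-TLS example."""
    s = parse_tcp_settings(config_text)
    findings = []
    if s.get('codec') != 'netwitness':
        findings.append('codec is not netwitness: the Log Decoder/VLC will not parse the events')
    if s.get('ssl_enable') is not True:
        findings.append('ssl_enable is not true: events leave in clear text on port %s' % s.get('port', '?'))
        return findings  # nothing below matters without TLS
    if s.get('ssl_verify') is not True:
        findings.append('ssl_verify is not true: TLS is on but the Log Decoder/VLC is not authenticated')
        return findings
    for key in ('ssl_cacert', 'ssl_cert', 'ssl_key'):  # the files from the steps above
        if not s.get(key):
            findings.append('%s is missing: required once ssl_verify is true' % key)
    return findings

# Constructed inputs: the two TLS blocks from this page, host comment included.
TLS_WITHOUT_VERIFY = """output { tcp {
  id => "nw-output-tcp"
  host => "10.10.1.2" #IP or Hostname of destination Log Decoder or VLC
  port => 6514
  ssl_enable => true
  codec => netwitness
} }"""
TLS_WITH_VERIFY = TLS_WITHOUT_VERIFY.replace('ssl_enable => true', '\n  '.join([
    'ssl_enable => true', 'ssl_verify => true',
    'ssl_cacert => "/path/to/certs/nw-truststore.pem"',
    'ssl_key => "/path/to/certs/privkey.pem"', 'ssl_cert => "/path/to/certs/cert.pem"']))
```

Running audit_tcp_output over each block in a pipeline's conf.d directory before restarting Logstash catches a TLS block that was copied without the ssl_verify and ssl_cacert lines.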