Configure Logstash Output Plugins

Logstash TCP Output

To send events from Logstash to NetWitness, use the TCP output plugin: https://www.elastic.co/guide/en/logstash/current/plugins-outputs-tcp.html

The TCP output is configured with the NetWitness codec, which formats the outgoing events so that a NetWitness Log Decoder or Virtual Log Collector (VLC) can consume them.

The following is an example of a properly configured output block using TCP and the NetWitness codec. This block sends events in cleartext; where the link between Logstash and the Log Decoder crosses a network you do not fully trust, use one of the TLS variants in the following sections instead:


Output Block

output {
  tcp {
    id => "nw-output-tcp"
    host => "10.10.1.2"   # IP or hostname of the destination Log Decoder or VLC
    port => 514
    codec => netwitness
  }
}

Logstash TLS Output

The output block can be further configured for TLS between Logstash and NetWitness. Note that ssl_enable => true on its own only encrypts the connection: the plugin's ssl_verify option defaults to false, so Logstash accepts whatever certificate the peer presents. This protects against passive eavesdropping but not against a host impersonating the Log Decoder; to authenticate the Log Decoder as well, use the verification settings in the next section. An example of a properly configured output block using TLS and the NetWitness codec:


TLS Output Block

output {
  tcp {
    id => "nw-output-tcp"
    host => "10.10.1.2"   # IP or hostname of the destination Log Decoder or VLC
    port => 6514
    ssl_enable => true
    codec => netwitness
  }
}

TLS with Log Decoder (or Virtual Log Collector) Verification

TLS can also be set up so that Logstash verifies the identity of the Log Decoder or Virtual Log Collector (VLC) it sends to. To do this, obtain the NetWitness root and intermediate CA certificates and store them in a truststore file that Logstash can read.

  1. On the Log Decoder (or VLC) to which you will be sending events, run the following command to combine the root CA and intermediate CA certificates into one file:

    cat /etc/pki/nw/ca/nwca-cert.pem /etc/pki/nw/ca/ssca-cert.pem > nw-truststore.pem

  2. Copy the nw-truststore.pem file to the Logstash machine and store it in a known location.
  3. Create a certificate for the Logstash machine using a self-signed CA or your own CA.
  4. Store the cert and private key files in a location of your choosing. Make them readable by the user Logstash runs as, and make sure the private key is readable by no one else.

    Note: You need to specify the locations of these files in your TLS output block.
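The following script is an added example, not part of the NetWitness documentation or the Logstash project. It walks through steps 1, 3 and 4 above on a single machine with the openssl command-line tool and then checks the result the way the output plugin will: a throwaway root CA and intermediate CA generated here stand in for nwca-cert.pem and ssca-cert.pem, a "decoder" certificate signed by the intermediate stands in for what the Log Decoder presents, and a separate "own" CA issues the Logstash machine's certificate. All names, hostnames and paths are made up for the demo; nothing here contacts a real Log Decoder.

```shell
#!/bin/sh
# Added example (not from the NetWitness documentation or the Logstash project):
# builds the truststore that the verified TLS output block points at and checks
# it with the openssl command-line tool. A throwaway CA hierarchy generated here
# stands in for the NetWitness root CA (nwca-cert.pem) and intermediate CA
# (ssca-cert.pem); nothing contacts a real Log Decoder.
set -eu

# Minimal openssl config so results do not depend on the system openssl.cnf.
write_config() {   # write_config DIR
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF
}

# Self-signed CA named NAME in DIR (the "root" one stands in for nwca-cert.pem).
make_root_ca() {   # make_root_ca DIR NAME CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$3" \
        -config "$1/openssl.cnf" -extensions ca_ext \
        -keyout "$1/$2-key.pem" -out "$1/$2-cert.pem" 2>/dev/null
}

# Certificate for NAME signed by ISSUER (both in DIR); EXT is ca_ext for an
# intermediate CA (stands in for ssca-cert.pem) or leaf_ext for an end entity.
issue_cert() {   # issue_cert DIR NAME CN ISSUER EXT
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" -config "$1/openssl.cnf" \
        -keyout "$1/$2-key.pem" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/$2.csr" -CAcreateserial \
        -CA "$1/$4-cert.pem" -CAkey "$1/$4-key.pem" \
        -extfile "$1/openssl.cnf" -extensions "$5" -out "$1/$2-cert.pem" 2>/dev/null
}

# Step 1 of the procedure: root and intermediate CA certificates in one PEM file.
build_truststore() {   # build_truststore ROOT_PEM INTERMEDIATE_PEM OUT_PEM
    cat "$1" "$2" > "$3"
}

# Number of certificates in a PEM bundle; a NetWitness truststore holds two.
count_certs() {   # count_certs PEM
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Does LEAF chain to a root in TRUSTSTORE? This is the check the tcp output
# performs on the Log Decoder's certificate when ssl_verify => true.
verify_against() {   # verify_against TRUSTSTORE_PEM LEAF_PEM
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Preflight against a live Log Decoder or VLC (needs network, not run below):
# exits non-zero if the chain it presents does not verify against the truststore.
preflight() {   # preflight HOST PORT TRUSTSTORE_PEM
    openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Builds the demo hierarchy in DIR:
#   root -> inter -> decoder   (what a Log Decoder would present; made-up names)
#   own  -> logstash           (step 3: the Logstash machine's own cert and key)
demo() {   # demo DIR
    write_config "$1"
    make_root_ca "$1" root demo-root-ca
    make_root_ca "$1" own  demo-own-ca
    issue_cert "$1" inter    demo-intermediate-ca root  ca_ext
    issue_cert "$1" decoder  logdecoder.example   inter leaf_ext
    issue_cert "$1" logstash logstash.example     own   leaf_ext
    build_truststore "$1/root-cert.pem" "$1/inter-cert.pem" "$1/nw-truststore.pem"
}

# Stand-alone run: the decoder cert verifies against the two-cert truststore but
# not against the root alone, which is why step 1 concatenates both CA certs.
WORK=$(mktemp -d)
demo "$WORK"
echo "truststore $WORK/nw-truststore.pem holds $(count_certs "$WORK/nw-truststore.pem") certificates"
verify_against "$WORK/nw-truststore.pem" "$WORK/decoder-cert.pem" \
    && echo "decoder cert verifies against the truststore"
verify_against "$WORK/root-cert.pem" "$WORK/decoder-cert.pem" \
    || echo "decoder cert does not verify against the root alone (intermediate missing)"
```

The files the demo leaves in the work directory map onto the output block: nw-truststore.pem is ssl_cacert, logstash-key.pem is ssl_key and logstash-cert.pem is ssl_cert. Note that the Logstash certificate does not verify against the truststore and is not meant to: ssl_cacert is what Logstash trusts when checking the Log Decoder, while ssl_cert and ssl_key are Logstash's own identity, which the Log Decoder side has to be configured to trust separately. Before cutting over, run the preflight function against the real host and port to confirm that the certificate the Log Decoder or VLC actually presents chains to the truststore you copied.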

The following code snippet shows an example of a properly configured output block using TLS with peer verification and the NetWitness codec. With ssl_verify => true, the output refuses to connect if the certificate presented by the Log Decoder or VLC does not chain to a CA in ssl_cacert, so a misplaced or stale truststore shows up as a connection error in the Logstash log rather than as silently unverified traffic. Check the configuration file with bin/logstash --config.test_and_exit -f <path to config> before restarting Logstash:


Output Block with Verification

output {
  tcp {
    id => "nw-output-tcp"
    host => "10.10.1.2"   # IP or hostname of the destination Log Decoder or VLC
    port => 6514
    ssl_enable => true
    ssl_verify => true
    ssl_cacert => "/path/to/certs/nw-truststore.pem"   # root + intermediate CA from step 1
    ssl_key => "/path/to/certs/privkey.pem"            # Logstash machine's private key (step 3)
    ssl_cert => "/path/to/certs/cert.pem"              # Logstash machine's certificate (step 3)
    codec => netwitness
  }
}