This document is intended to provide a general overview of Logstash and NetWitness integration. The intention is to provide enough implementation detail that users can have comfort using and troubleshooting these integrations on their own.

To describe Logstash, here is some introductory text from Logstash reference documentation:

Logstash is an open source data collection engine with real-time pipelining capabilities. Logstash can dynamically unify data from disparate sources and normalize the data into destinations of your choice…

From a NetWitness standpoint, there are two basic use cases:

  • For customers that have an event source for which NetWitness does not already provide an integration, or if you want a customized integration that is different from the one provided by NetWitness.
  • For customers that already have an existing Logstash configuration, you can use Logstash to integrate as many of your event sources as you like. Integrating your event sources should be a matter of updating the destination for where you currently send the log information: either adding NetWitness as a destination, or changing your current output destination to NetWitness.

Note: From 11.6 onwards, the Logstash server is packaged and supported along with the NetWitness Log Collector or Virtual Log Collector (VLC) service to provide easy access to Logstash. This is referred to as Managed Logstash and it eliminates the need for a separate Logstash server outside of the NetWitness Platform. For more information, see Configure Logstash Event Sources in NetWitness in the Log Collection Configuration Guide.

The following diagram displays a view of how Logstash integrates with the NetWitness.