Logstash Log Forwarder

Logstash can be configured to send data to RunReveal using the HTTP output plugin. It’s designed to collect, parse, filter, and forward logs to various destinations, making it ideal for sending data to RunReveal.

Quick Start

This setup demonstrates reading logs from a local file and forwarding them to your RunReveal webhook. The example creates test JSON logs, configures Logstash to monitor the log file, and sends events to RunReveal in real-time.

Step 1: Create a Webhook Source in RunReveal

This step creates a webhook source in RunReveal and generates the webhook URL you’ll need for Logstash configuration.

  1. Navigate to RunReveal: Go to your RunReveal dashboard
  2. Create Source: Click on “Sources” in the left sidebar
  3. Add Webhook: Create a source for “Structured Webhook or Generic Webhook” based on your data format.
  4. Configure: Give your webhook a name and description
  5. Copy URL: Copy the generated webhook URL to use in your configuration. (It’s always available after you save the source)

Step 2: Install Logstash

This step installs Logstash on your system using your preferred method. Logstash will be used to collect, process, and forward logs to RunReveal.

# Install using Homebrew
brew install logstash
 
# Create config directory
mkdir -p ~/.config/logstash
 
# Verify installation
logstash --version

Step 3: Create Test Logs

This step creates a sample log file, one JSON object per line, containing the kind of security events Logstash will monitor and forward to RunReveal. The lines simulate real application events for testing; note the field names they use (eventName, eventTime, readOnly, actor, src, service, tags), since the configuration in the next step relies on them.

# Create logstash directory for testing
mkdir -p logstash
cd logstash
 
# Create sample application logs
cat > application.log << EOF
{"eventName":"UserLogin","eventTime":"2024-01-15T10:30:00Z","readOnly":false,"actor":{"email":"[email protected]","id":"SVC111111","username":"service_account"},"src":{"ip":"192.168.1.108","port":443},"service":{"name":"logstash-application"},"tags":{"environment":"production","source":"logstash"}}
{"eventName":"FileAccess","eventTime":"2024-01-15T10:31:00Z","readOnly":true,"actor":{"email":"[email protected]","id":"CFG222222","username":"config_manager"},"src":{"ip":"192.168.1.109","port":443},"service":{"name":"logstash-application"},"tags":{"environment":"production","source":"logstash"}}
{"eventName":"DataExport","eventTime":"2024-01-15T10:32:00Z","readOnly":false,"actor":{"email":"[email protected]","id":"LOG333333","username":"log_exporter"},"src":{"ip":"192.168.1.110","port":443},"service":{"name":"logstash-application"},"tags":{"environment":"production","source":"logstash"}}
EOF
 
# Verify logs were created
ls -la application.log
cat application.log

Step 4: Configure Logstash

This step creates the Logstash configuration file that defines how to collect logs and send them to RunReveal. Treat the webhook URL as a credential: anyone holding it can post events into your source, so keep it out of the config file and out of version control by exporting it as an environment variable, which Logstash substitutes into the config as ${VAR_NAME} when it loads.

# logstash.conf
input {
  file {
    # The file input requires an absolute path; a bare "application.log" is
    # rejected. Logstash substitutes ${PWD} from its environment at load time.
    path => "${PWD}/application.log"
    start_position => "beginning"
    # /dev/null discards the read position, so every restart re-sends the whole
    # file. Fine for this test; leave sincedb_path unset for real sources.
    sincedb_path => "/dev/null"
  }
}
 
filter {
  # Each line is a JSON object; expand it onto the event. On a malformed line
  # the filter keeps the raw message and tags the event _jsonparsefailure.
  json {
    source => "message"
  }
 
  # add_field appends when the field already exists (eventName would become
  # ["UserLogin", "LogEvent"]), so only fill in fields the line did not carry.
  if ![eventName] {
    mutate { add_field => { "eventName" => "LogEvent" } }
  }
  if ![eventTime] {
    mutate { add_field => { "eventTime" => "%{@timestamp}" } }
  }
  if ![readOnly] {
    # add_field values are strings; a second mutate converts to a real boolean
    mutate { add_field => { "readOnly" => "false" } }
    mutate { convert => { "readOnly" => "boolean" } }
  }
  if ![service][name] {
    mutate { add_field => { "[service][name]" => "application" } }
  }
  if ![tags] {
    mutate { add_field => { "[tags][source]" => "logstash" } }
  }
}
 
output {
  http {
    # Read the webhook URL from the environment instead of committing it:
    #   export RUNREVEAL_WEBHOOK_URL="https://..."   (the URL from Step 1)
    url => "${RUNREVEAL_WEBHOOK_URL}"
    http_method => "post"
    headers => {
      "Content-Type" => "application/json"
    }
    # With no mapping the whole event is sent as JSON: the nested actor, src,
    # service and tags objects from the json filter arrive intact and readOnly
    # stays a boolean. Logstash's own @timestamp, @version and host fields ride
    # along. Add a mapping only if you must reshape events, and remember that
    # %{field} references in a mapping are rendered as strings, so
    # "readOnly" => "%{readOnly}" would arrive as the string "false".
    format => "json"
  }
}

Step 5: Start Logstash

This step starts Logstash with your configuration, which will begin monitoring the log files and forwarding events to RunReveal in real-time. Logstash will continuously watch for new log entries and send them to your webhook.

# Validate configuration syntax without starting the pipeline
logstash -f logstash.conf --config.test_and_exit
 
# Same check, also printing the fully resolved configuration (optional)
logstash -f logstash.conf --config.test_and_exit --log.level=debug --config.debug
 
# Run Logstash in the foreground (Ctrl-C to stop)
logstash -f logstash.conf
 
# Run Logstash in the background (there is no daemon flag, so use the shell)
nohup logstash -f logstash.conf > logstash.out 2>&1 &

Local Testing Commands:

# The http output posts to whatever url you give it. To see raw requests before
# pointing it at RunReveal, set url to a local listener and confirm with curl
# that the listener accepts a POST (this assumes something such as
# `nc -l 8080` is listening on port 8080 in another terminal)
curl -X POST http://localhost:8080/test -H "Content-Type: application/json" -d '{"test": "data"}'
 
# Test the input and filter stages with a local file output instead of HTTP.
# The heredoc is quoted so ${PWD} reaches Logstash unexpanded.
cat > logstash-test.conf << 'EOF'
input {
  file {
    # Absolute path required; Logstash substitutes ${PWD} from its environment
    path => "${PWD}/application.log"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}
 
filter {
  # Same parse step as the real config, so the output shows the parsed fields
  json {
    source => "message"
  }
}
 
output {
  file {
    path => "/tmp/logstash-test.log"
    codec => json_lines
  }
}
EOF
 
# Run the test pipeline with its own data directory so it can run alongside
# the main one (two instances sharing path.data refuse to start)
logstash -f logstash-test.conf --path.data /tmp/logstash-test-data
 
# Check the test output: one JSON object per line, with the parsed fields
tail -f /tmp/logstash-test.log
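If you want to see exactly what the http output posts before the real webhook URL goes in, the following local receiver stands in for it. This is an added example, not RunReveal or Logstash code: it listens on 127.0.0.1:8080 (point a copy of the quick-start config at url => "http://127.0.0.1:8080/"), decodes each request, and checks every event against the field shape used by the sample lines in application.log. That shape is an assumption drawn from the sample, not RunReveal's published schema. The checks target the two mistakes a filter chain makes silently: a field turned into an array by a duplicate add_field, and a boolean turned into the string "false" by a %{field} mapping.

```python
#!/usr/bin/env python3
"""Local stand-in for the RunReveal webhook (added example, not RunReveal code).

Point the Logstash http output at http://127.0.0.1:8080/ to see exactly what
each request carries before you use the real webhook URL. Every POST body is
decoded, checked against the field shape used by the quick-start sample logs,
and any problems are printed. The required fields and types below are an
assumption taken from those sample lines, not RunReveal's published schema.
"""
import json
import sys
from datetime import datetime
from http.server import BaseHTTPRequestHandler, HTTPServer

# Field shape assumed from the sample events in application.log.
REQUIRED_TOP_LEVEL = ("eventName", "eventTime", "readOnly")


def parse_payload(raw: bytes) -> list:
    """Decode a request body into a list of events.

    The Logstash http output sends one JSON object per request with
    format => "json" and a JSON array with format => "json_batch";
    both are accepted. Anything else raises ValueError.
    """
    data = json.loads(raw.decode("utf-8"))
    if isinstance(data, dict):
        return [data]
    if isinstance(data, list) and all(isinstance(e, dict) for e in data):
        return data
    raise ValueError("body must be a JSON object or an array of objects")


def check_event(event: dict) -> list:
    """Return human-readable problems; an empty list means the event looks right."""
    problems = []
    for key in REQUIRED_TOP_LEVEL:
        if key not in event:
            problems.append(f"missing field {key}")
    name = event.get("eventName")
    if name is not None and not isinstance(name, str):
        # add_field on an existing field turns it into an array
        problems.append(f"eventName should be a string, got {type(name).__name__}: {name!r}")
    ro = event.get("readOnly")
    if ro is not None and not isinstance(ro, bool):
        # sprintf-style %{readOnly} in a mapping yields the string "false"
        problems.append(f"readOnly should be a JSON boolean, got {type(ro).__name__}: {ro!r}")
    ts = event.get("eventTime")
    if isinstance(ts, str):
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"eventTime is not ISO 8601: {ts!r}")
    elif ts is not None:
        problems.append("eventTime should be a string")
    for key in ("service", "tags", "actor", "src"):
        if key in event and not isinstance(event[key], dict):
            problems.append(f"{key} should be a nested object, got {type(event[key]).__name__}")
    return problems


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        raw = self.rfile.read(length)
        ctype = self.headers.get("Content-Type", "")
        try:
            events = parse_payload(raw)
        except ValueError as exc:
            print(f"REJECTED ({exc}): {raw[:200]!r}")
            self.send_response(400)  # shows up in the Logstash log as a failed request
            self.end_headers()
            return
        for ev in events:
            problems = check_event(ev)
            status = "ok" if not problems else "PROBLEMS: " + "; ".join(problems)
            print(f"{self.path} {ctype} -> {ev.get('eventName')!r}: {status}")
        self.send_response(200)
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep stdout to the lines printed above


def serve(port: int = 8080) -> None:
    HTTPServer(("127.0.0.1", port), Handler).serve_forever()


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 8080)
```

Save it under any name (webhook_check.py is used here), run python3 webhook_check.py 8080, and start Logstash with the copied config: each request prints one line per event, either ok or the list of problems, so a mis-built filter chain is visible before any event reaches your account.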

Step 6: Validate Delivery

This step verifies that logs are successfully being delivered to RunReveal by checking the webhook source and querying for events.

  1. Check Webhook Source: Go to RunReveal → Sources → Your webhook source
  2. View Recent Events: Look for recent events in the source details
  3. Query for Events: Use the query sourceType = 'webhook' or sourceType = 'structured-webhook' to find your events

Logstash Configuration

Inputs

Inputs collect data from various sources. For RunReveal you will typically use the file input, pointed at application, system, or container log files. See the Logstash Input Plugins Reference for comprehensive documentation.

File Input Example

input {
  file {
    path => "/var/log/app/*.log"
    start_position => "beginning"
    # Only for one-off tests: /dev/null forgets the read offset, so every
    # restart re-sends all matching files. Leave it unset in production.
    sincedb_path => "/dev/null"
    type => "application"
  }
}

Collects application logs written as one JSON object per line, which is what the json filter from the quick start expects and the simplest format for security event analysis and compliance reporting. The type value is only a label on the event that you can branch on in the filter and output stages.

System Input Example

input {
  file {
    # /var/log/syslog carries general messages; SSH, sudo and PAM events go to
    # /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL family)
    path => ["/var/log/syslog", "/var/log/auth.log"]
    start_position => "beginning"
    sincedb_path => "/dev/null"
    type => "system"
  }
}

Captures system authentication and authorization events, essential for security monitoring and threat detection. Two things differ from the quick start: these files are plain text rather than JSON, so the json filter would tag every line _jsonparsefailure and the lines need a grok or dissect filter to become structured events before the http output; and they are usually readable only by root or the adm group, so the Logstash user needs that access. Hosts that log only to systemd's journal have no /var/log/syslog at all; forward the journal to a file first (for example with rsyslog) before pointing a file input at it.
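The system input above feeds plain syslog text into a pipeline whose quick-start filter expects JSON. To make the target concrete, here is an added Python example (not Logstash or RunReveal code) that maps a few constructed auth.log lines for sshd and sudo onto the same structure as the sample events in application.log. In Logstash the equivalent is a grok or dissect filter followed by mutate; this script gives you a known-good output to compare that filter chain against. The eventName values SshLoginSuccess, SshLoginFailure and SudoCommand are names chosen here, not names RunReveal defines, and the year and UTC zone added to the timestamps are assumptions, since classic syslog lines carry neither.

```python
#!/usr/bin/env python3
"""Map syslog authentication lines onto the event shape used in the quick start.

Added example, not Logstash or RunReveal code. In a Logstash pipeline this is
the job of a grok or dissect filter followed by mutate; the script shows the
structure that filter chain has to produce. The sample lines are constructed,
and the eventName values (SshLoginSuccess, SshLoginFailure, SudoCommand) are
names chosen here, not names RunReveal defines.
"""
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample lines in the traditional syslog format written to
# /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL).
SAMPLE_LINES = [
    "Jan 15 10:30:00 web01 sshd[1234]: Accepted publickey for deploy from 192.168.1.50 port 51522 ssh2: ED25519 SHA256:abc",
    "Jan 15 10:31:00 web01 sshd[1235]: Failed password for invalid user admin from 203.0.113.9 port 40012 ssh2",
    "Jan 15 10:32:00 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Jan 15 10:33:00 web01 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)",
]

# "Mon DD HH:MM:SS host program[pid]: message" (the pid is optional, as for sudo).
SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SSH_OK = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
SSH_FAIL = re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
SUDO = re.compile(r"^\s*(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def syslog_time(ts: str, year: int) -> str:
    """Classic syslog timestamps carry no year or zone; assume the given year and UTC."""
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def to_event(line: str, year: int = 2024) -> Optional[dict]:
    """Return a structured event for the auth lines we keep, else None."""
    m = SYSLOG.match(line)
    if not m:
        return None
    prog, msg = m["prog"], m["msg"]
    base = {
        "eventTime": syslog_time(m["ts"], year),
        "service": {"name": prog},
        "tags": {"host": m["host"], "source": "syslog"},
        "message": line,
    }
    if prog == "sshd":
        hit, name = SSH_OK.match(msg), "SshLoginSuccess"
        if hit is None:
            hit, name = SSH_FAIL.match(msg), "SshLoginFailure"
        if hit is None:
            return None  # other sshd chatter (disconnects, key exchange)
        return {**base, "eventName": name, "readOnly": False,
                "actor": {"username": hit["user"]},
                "src": {"ip": hit["ip"], "port": int(hit["port"])}}
    if prog == "sudo":
        s = SUDO.match(msg)
        if s is None:
            return None
        return {**base, "eventName": "SudoCommand", "readOnly": False,
                "actor": {"username": s["user"]},
                "tags": {**base["tags"], "targetUser": s["target"], "command": s["cmd"]}}
    return None  # cron, kernel and other programs: not auth events, drop them


def convert(lines) -> list:
    """Convert many lines, dropping those that are not auth events."""
    return [ev for ev in (to_event(line) for line in lines) if ev is not None]


if __name__ == "__main__":
    for ev in convert(SAMPLE_LINES):
        print(json.dumps(ev))
```

Running it prints three JSON lines (the CRON line is dropped) in the same shape as application.log, which is also a handy way to generate test input for the file output in Step 5.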

Docker Input Example

input {
  file {
    # Per-container files written by Docker's json-file logging driver;
    # the directory is root-only, so Logstash needs root or a bind mount
    path => "/var/lib/docker/containers/*/*.log"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    type => "container"
  }
}

Reads the logs of every container on the host for security incidents, performance issues, and compliance violations. Each line is a JSON object with log, stream and time fields written by the json-file driver, so the json filter yields those three fields and the application's own message sits inside log; if that message is itself JSON it needs a second json filter with source => "log". The container ID appears only in the file name, which the file input records on the event, not in the line itself.


Next Steps

Now that you have Logstash configured and logs flowing to RunReveal, explore the detailed configuration guides:

  • Detections - Create and manage security detection rules
  • Sigma Streaming - Use Sigma rules for standardized threat detection
  • Detection as Code - Manage detections through code and version control
  • Notifications - Set up alerting and notification channels
  • AI Chat - Use AI-powered analysis for threat hunting and investigation
  • Enrichments - Add context and metadata to your security events
  • Filters - Create custom filters to focus on specific security events

Troubleshooting

Common Issues

  1. Logstash won’t start: Check the configuration syntax (logstash -f logstash.conf --config.test_and_exit), file permissions, and that no other instance is using the same data directory
  2. No logs being sent: Verify the log file paths exist, are absolute, and are readable; with sincedb_path at its default, data already read is not re-sent after a restart
  3. Webhook errors: Check that your webhook URL is correct and reachable; the http output logs the HTTP status returned for each failed request
  4. Permission issues: Ensure Logstash has read access to your log files (system logs are often readable only by root or the adm group)

Debug Commands

# Check Logstash status (Linux package installs running as a service; a
# Homebrew foreground run just prints to the terminal)
sudo systemctl status logstash
 
# View Logstash logs
sudo journalctl -u logstash -f
 
# Test webhook reachability: a GET is not an event, so this checks DNS, TLS
# and connectivity, not ingestion ($RUNREVEAL_WEBHOOK_URL is the exported URL)
curl -v "$RUNREVEAL_WEBHOOK_URL"
 
# Send one hand-built event the way Logstash does
curl -v -X POST "$RUNREVEAL_WEBHOOK_URL" -H "Content-Type: application/json" \
  -d '{"eventName":"ConnectivityTest","eventTime":"2024-01-15T10:30:00Z","readOnly":true,"service":{"name":"curl"},"tags":{"source":"manual"}}'
 
# Test configuration syntax
logstash -f logstash.conf --config.test_and_exit
 
# Run Logstash with debug logging (--debug was replaced by --log.level)
logstash -f logstash.conf --log.level=debug

Performance Recommendations

Best Practices:

  1. Worker Threads: pipeline.workers in logstash.yml (or -w on the command line) defaults to the CPU count; raise it only if the filter stage, not the webhook, is the bottleneck
  2. Batch Processing: pipeline.batch.size (or -b) sets how many events a worker takes per pass; larger batches cut per-request overhead if you switch the http output to format => "json_batch", which posts a whole batch as one JSON array
  3. Memory Limits: Set -Xms and -Xmx in jvm.options to the same value, well under host RAM, to prevent OOM kills
  4. Retry Logic: The http output retries failed requests by default (retry_failed, retryable_codes, automatic_retries); pair it with a persistent queue (queue.type: persisted) so events survive a webhook outage or a Logstash restart
  5. Monitoring: Set up alerts for Logstash service failures and poll the node stats API (curl localhost:9600/_node/stats/pipelines) for queue depth and output failure counts

Resources