Axonius is a cybersecurity asset management platform. This topic describes how to send system logs from your Axonius platform to Logz.io: Axonius forwards syslog over UDP to a host running Filebeat, and Filebeat ships the events to Logz.io over TLS.
Before you begin, you'll need:
- An active account with Axonius
- An active account with Logz.io
- Filebeat installed on the machine that will receive the syslog stream
- Root privileges on that machine (binding the default syslog port, UDP 514, requires them)
Configure Axonius to send syslog notifications to a remote Syslog server running Filebeat
- On your Axonius web interface, go to System Settings > Global Settings > Syslog Settings.
- Select Use Syslog.
- Enter the IP address of your remote syslog server into the Syslog host field. This is the server where you run Filebeat.
- Enter the port number into the Port field.
- Select UDP in the Protocol menu.
By default, syslog will be forwarded over port 514. Feel free to adjust this, based on your preference or availability, but be sure to make the same change to the udp input in the Filebeat configuration. Note that UDP syslog is neither encrypted nor authenticated: anything that can reach the port can inject events and the Axonius host cannot be verified, so place the Filebeat host on a network reachable only from Axonius and restrict the port with a firewall to the Axonius IP address.
Download the Logz.io public certificate to your Filebeat server
For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder. The output path used here must match the certificate_authorities entry in the Filebeat configuration below.
sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Configure Filebeat
- Paste the following into the Filebeat configuration file (filebeat.yml), replacing the existing inputs section. This configuration uses a udp input that listens on the port you set in Axonius, so no log file path is required. Indentation is significant in YAML, so keep it as shown:
filebeat.inputs:
- type: udp
  max_message_size: 10MiB
  host: "<<ADDRESS-OF-YOUR-FILEBEAT-SERVER>>:514"
  fields:
    logzio_codec: plain
    # Your Logz.io account token. You can find your token at
    # https://app.logz.io/#/dashboard/settings/manage-accounts
    token: <<LOG-SHIPPING-TOKEN>>
    type: axonius
  fields_under_root: true
  encoding: utf-8
  ignore_older: 3h
filebeat.registry.path: /var/lib/filebeat
processors:
- rename:
    fields:
    - from: "agent"
      to: "filebeat_agent"
    ignore_missing: true
- rename:
    fields:
    - from: "log.file.path"
      to: "source"
    ignore_missing: true
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
- Replace <<ADDRESS-OF-YOUR-FILEBEAT-SERVER>> with the address of your server running Filebeat. Binding to a specific interface address rather than 0.0.0.0 limits the listener to the network Axonius uses.
- Replace <<LOG-SHIPPING-TOKEN>> with your Logz.io log shipping token. The token directs the data securely to your Logz.io Log Management account and should be treated as a secret, so restrict read access to filebeat.yml. The default token is auto-populated in the examples when you're logged into the Logz.io app as an Admin. Manage your tokens.
- Replace <<LISTENER-HOST>> with the listener URL specific to the region where your Logz.io account is hosted. Click to look up your listener URL. The Logstash output above uses port 5015, the TLS port that matches the certificate you downloaded; ports 8070 (HTTP) and 8071 (HTTPS) belong to the Logz.io HTTP listener and are not used by this configuration.
- Run Filebeat with the new configuration.
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open OpenSearch Dashboards. You can filter for data of type axonius to see the incoming Axonius logs.
If you still don't see your logs, see Filebeat troubleshooting.
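When logs do not arrive, the first question is whether the UDP datagrams reach the Filebeat host at all, and the second is whether a <<...>> placeholder was left in filebeat.yml. The following script is an added example, not code from Logz.io or Axonius: it scans a filebeat.yml for unreplaced placeholders, builds a test datagram in RFC 3164 (BSD syslog) framing, sends it, and can bind a UDP listener to receive and parse it. The message format Axonius emits is not shown on this page, so the test message body, the hostname axonius-01 and the facility/severity values are constructed assumptions. Stop Filebeat before running the listener mode, since only one process can bind the port.

```python
"""Preflight checks for the Axonius -> Filebeat (udp input) -> Logz.io path.

Added example, not Logz.io or Axonius code. Assumes RFC 3164 framing
(<PRI>TIMESTAMP HOST APP: MSG); the Axonius message body is constructed.
"""
import re
import socket
import sys
from datetime import datetime

# Matches the <<PLACEHOLDER>> tokens used in the filebeat.yml on this page.
PLACEHOLDER = re.compile(r"<<[A-Z0-9-]+>>")
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.S)


def unreplaced_placeholders(config_text):
    """Return the <<...>> placeholders still present in a filebeat.yml text."""
    return sorted(set(PLACEHOLDER.findall(config_text)))


def build_syslog_message(facility, severity, hostname, app, text, ts=None):
    """Build an RFC 3164 datagram. PRI = facility * 8 + severity."""
    ts = ts or datetime.now()
    pri = facility * 8 + severity
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"  # day is space-padded in RFC 3164
    return f"<{pri}>{stamp} {hostname} {app}: {text}".encode("utf-8")


def parse_syslog_message(datagram):
    """Split a datagram into facility, severity and the remaining body."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("datagram does not start with a <PRI> header")
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8,
            "body": m.group(2).decode("utf-8", "replace")}


def send_test_message(datagram, host, port):
    """Send one datagram to the udp input, as Axonius would."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))


def receive_one(sock, timeout=2.0):
    """Wait for a single datagram on an already-bound UDP socket."""
    sock.settimeout(timeout)
    data, addr = sock.recvfrom(65535)
    return data, addr[0]


def loopback_roundtrip(text="Axonius test alert", port=0):
    """Bind a listener on loopback (ephemeral port by default), send one test
    message to it and return the parsed result plus the sender IP. This is the
    same exchange as Axonius -> Filebeat, confined to one host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", port))
        bound_port = listener.getsockname()[1]
        # facility 1 (user), severity 5 (notice) -> PRI 13; constructed values
        msg = build_syslog_message(1, 5, "axonius-01", "axonius", text)
        send_test_message(msg, "127.0.0.1", bound_port)
        data, src = receive_one(listener)
        parsed = parse_syslog_message(data)
        parsed["source_ip"] = src
        return parsed


if __name__ == "__main__":
    # Usage: syslog_check.py filebeat.yml            -> list unreplaced placeholders
    #        syslog_check.py send HOST PORT          -> send one test datagram
    #        syslog_check.py listen PORT             -> receive one datagram (Filebeat stopped)
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8") as f:
            left = unreplaced_placeholders(f.read())
        print("unreplaced placeholders:", left or "none")
    elif sys.argv[1:2] == ["send"] and len(sys.argv) == 4:
        send_test_message(build_syslog_message(1, 5, "axonius-01", "axonius",
                                               "test from syslog_check"),
                          sys.argv[2], int(sys.argv[3]))
    elif sys.argv[1:2] == ["listen"] and len(sys.argv) == 3:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind(("0.0.0.0", int(sys.argv[2])))  # port 514 needs root
            data, src = receive_one(s, timeout=60)
            print(src, parse_syslog_message(data))
```

Run the placeholder scan against the finished filebeat.yml before starting Filebeat; Filebeat will otherwise try to bind a literal <<ADDRESS-OF-YOUR-FILEBEAT-SERVER>> and ship with a literal token. If the listen mode prints the datagram but nothing appears in Logz.io once Filebeat is back up, the problem is on the Filebeat-to-listener leg (token, listener host, TLS certificate path) rather than on the Axonius-to-Filebeat leg.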