Cynet is a cybersecurity asset management platform. This topic describes how to send system logs from your Cynet platform to Logz.io.

Before you begin, you’ll need:

  • An active Cynet license
  • Cynet login credentials
  • An active account with Logz.io
  • Filebeat installed on a dedicated machine (acting as a syslog server)
  • Root priveleges on your machines
Configure Cynet to send syslog notifications to a remote Syslog server running Filebeat
  1. On your Cynet web interface, go to Setting > Advanced. Advanced options
  2. Select the box beside Send Audit Records to SIEM.
  3. Go to Configuration > SIEM settings and enable the following configuration: SIEM settings before
    • UDP
    • IP - public IP address of your syslog server
    • Port - port that is configured on your syslog server. We use 9000 in this example, but you can change it to your preference.
  4. Press Add. The added IP and port will appear on the screen. SIEM settings after

These instructions are based on UDP. If you want to use TCP, make sure your syslog server configuration is aligned with this.

Download the Logz.io public certificate to your credentials server

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Configure Filebeat
  1. Paste the following into the inputs section of the Filebeat configuration file:

Filebeat requires a file extension specified for the log input.

   filebeat.inputs:
   - type: udp
     max_message_size: 10MiB
     host: "0.0.0.0:9000"
     fields:
       logzio_codec: json
       # Your Logz.io account token. You can find your token at
       #  https://app.logz.io/#/dashboard/settings/manage-accounts
       token: <<LOG-SHIPPING-TOKEN>>
       type: cynet
     fields_under_root: true
     encoding: utf-8
     ignore_older: 3h
   filebeat.registry.path: /var/lib/filebeat
   processors:
   - rename:
       fields:
       - from: "agent"
         to: "filebeat_agent"
       ignore_missing: true
   - rename:
       fields:
       - from: "log.file.path"
         to: "source"
       ignore_missing: true
   output.logstash:
     hosts: ["<<LISTENER-HOST>>:5015"]
     ssl:
       certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
  • 9000 is the port we suggest. If you use a different port, replace the default values with your parameters.
  • Your Logz.io log shipping token directs the data securely to your Logz.io Log Management account. The default token is auto-populated in the examples when you’re logged into the Logz.io app as an Admin. Manage your tokens.
  • Use the listener URL specific to the region where your Logz.io account is hosted. Click to look up your listener URL. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.
  1. Run Filebeat with the new configuration.
Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards. You can filter for data of type cynet to see the incoming logs.

If you still don’t see your logs, see Filebeat troubleshooting.