BUNNY.NET
BUNNY.NET is a content delivery network offering features and performance with a fast global network. This document describes how to send system logs from your bunny.net pull zones to Logz.io.
Before you begin, you'll need:
- An active account with bunny.net
- An active Logz.io account
- Filebeat installed on your machine
- Root privileges on your machines
Configure bunny.net to send syslog notifications to a remote Syslog server running Filebeat
- Log in to your bunny.net account and navigate to the details page of the Pull Zone that you need to collect logs from.
- On the left side panel, select Security > Logging.
- Make sure the switches for Enable logging and Enable log forwarding are on.
- In the Syslog Endpoint section, enter the IP address of your remote syslog server into the Hostname field. This is the server where you run Filebeat.
- Enter the port number into the Port field.
- Select UDP from the Log Server Protocol menu.
- Select Plain text from the Log Format menu.
- Select Save Forwarding Configuration.
By default, syslog will be forwarded over port 6514. Feel free to adjust this, based on your preference or availability, but be sure to note any change to this port in the Filebeat configuration.
Install the bunny.net certificate on your Filebeat server
Bunny.net sends encrypted data, so you'll need to create a dedicated bunny.net certificate that the Filebeat server uses to decrypt the logs.
sudo mkdir /etc/filebeat/certificates
sudo openssl req -newkey rsa:2048 -nodes \
  -keyout /etc/filebeat/certificates/BunnyNet.key -x509 \
  -days 365 \
  -out /etc/filebeat/certificates/BunnyNet.crt
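The command above produces a self-signed certificate that is valid for 365 days and a private key with no passphrase (`-nodes`), so it is worth checking the pair before pointing Filebeat at it. The following is an added example, not part of the Logz.io or bunny.net instructions; the function name `check_cert_pair` and the 30-day expiry threshold are assumptions.

```shell
#!/bin/sh
# Added example: sanity-check the certificate/key pair that Filebeat will load.
# Usage (as root, paths from this page):
#   sh this_script.sh /etc/filebeat/certificates/BunnyNet.crt \
#                     /etc/filebeat/certificates/BunnyNet.key
# Return codes: 0 ok, 1 unreadable, 2 mismatch, 3 expiring, 4 key mode too open.

check_cert_pair() {
    cert=$1 key=$2 min_days=${3:-30}   # 30 days is an assumed warning threshold

    # 1: both files must exist and be readable by the current user
    [ -r "$cert" ] && [ -r "$key" ] ||
        { echo "missing or unreadable file" >&2; return 1; }

    # 2: the public key embedded in the certificate must be the one
    #    derived from the private key, otherwise the TLS setup cannot work
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "certificate and key do not match" >&2; return 2; }

    # 3: -checkend exits non-zero if the certificate expires within N seconds;
    #    with -days 365 the pair has to be regenerated every year
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "certificate expires within $min_days days" >&2; return 3; }

    # 4: the key has no passphrase, so its file mode is the only protection;
    #    characters 5-10 of the ls mode string are the group/other bits
    mode=$(ls -ld "$key" | cut -c5-10)
    [ "$mode" = "------" ] ||
        { echo "key accessible by group/other, run: chmod 600 $key" >&2; return 4; }

    echo "ok: key matches certificate, valid for more than $min_days days"
}

# Only run when called with a certificate and a key path.
if [ "$#" -ge 2 ]; then
    check_cert_pair "$@"
fi
```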
Download the Logz.io public certificate
For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.
sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Configure Filebeat
Filebeat requires a file extension specified for the log input.
Paste the following into the inputs section of the Filebeat configuration file:
filebeat.inputs:
- type: udp
  max_message_size: 10MiB
  host: "<<ADDRESS-OF-YOUR-FILEBEAT-SERVER>>:6514"
  ssl.enabled: true
  ssl.certificate: "/etc/filebeat/certificates/BunnyNet.crt"
  ssl.key: "/etc/filebeat/certificates/BunnyNet.key"
  ssl.verification_mode: none
  fields:
    logzio_codec: json
    # Your Logz.io account token. You can find your token at
    # https://app.logz.io/#/dashboard/settings/manage-accounts
    token: <<LOG-SHIPPING-TOKEN>>
    type: bunny-net
  fields_under_root: true
  encoding: utf-8
  ignore_older: 3h
filebeat.registry.path: /var/lib/filebeat
processors:
- rename:
    fields:
    - from: "agent"
      to: "filebeat_agent"
    ignore_missing: true
- rename:
    fields:
    - from: "log.file.path"
      to: "source"
    ignore_missing: true
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

- Replace <<ADDRESS-OF-YOUR-FILEBEAT-SERVER>> with the address of your server running Filebeat.
- Your Logz.io log shipping token directs the data securely to your Logz.io Log Management account. The default token is auto-populated in the examples when you're logged into the Logz.io app as an Admin. Manage your tokens.
- Replace <<LISTENER-HOST>> with the host for your region.
Run Filebeat with the new configuration.
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open OpenSearch Dashboards. You can filter for data of type bunny-net to see the incoming bunny.net logs.
If you still don't see your logs, see Filebeat troubleshooting.