Skip to main content

OpenVAS

OpenVAS (Open Vulnerability Assessment System) is an open source vulnerability scanner. The following instructions show you how to configure Filebeat to send OpenVAS reports to Logz.io.

Once you start sending OpenVAS reports to your Cloud SIEM, you'll be able to review events triggered by preconfigured OpenVAS security rules and dashboards.

Step by step

Before you begin, you'll need:

Download the Logz.io public certificate

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Configure Filebeat

Open the Filebeat configuration file (/etc/filebeat/filebeat.yml) with your preferred text editor. Copy and paste the code block below, overwriting the previous content. (You want to replace the file's content with this code block.)

This code block adds OpenVAS as an input and sets Logz.io as the output.

note

Filebeat requires a file extension specified for the log input.

# ...
filebeat.inputs:

- type: filestream
paths:
- <<FILEPATH-TO-OPENVAS-REPORTS>>/*.csv
fields:
logzio_codec: plain
token: <<LOG-SHIPPING-TOKEN>>
type: openvas
fields_under_root: true
encoding: utf-8
ignore_older: 3h
multiline:
pattern: '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}'
negate: true
match: after

#...
output:
logstash:
hosts: ["<<LISTENER-HOST>>:5015"]
ssl:
certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

If you're running Filebeat 7 to 8.1, paste the code block below instead:

# ...
filebeat.inputs:

- type: log
paths:
- <<FILEPATH-TO-OPENVAS-REPORTS>>/*.csv
fields:
logzio_codec: plain
token: <<LOG-SHIPPING-TOKEN>>
type: openvas
fields_under_root: true
encoding: utf-8
ignore_older: 3h
multiline:
pattern: '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}'
negate: true
match: after

#For version 6.x and lower
#filebeat.registry_file: /var/lib/filebeat/registry

#For version 7 and higher
filebeat.registry.path: /var/lib/filebeat

#The following processors are to ensure compatibility with version 7
processors:
- rename:
fields:
- from: "agent"
to: "beat_agent"
ignore_missing: true
- rename:
fields:
- from: "log.file.path"
to: "source"
ignore_missing: true

#...
output:
logstash:
hosts: ["<<LISTENER-HOST>>:5015"]
ssl:
certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

Replace the placeholders to match your specifics. (They are indicated by the double angle brackets << >>):

  • Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

  • Replace <<LISTENER-HOST>> with the host for your region.

  • Replace the filepath placeholder <<FILEPATH-TO-OPENVAS-REPORTS>> with the file path to the folder where you’ll be keeping your OpenVAS reports. For example, /home/kali/Downloads/Filebeat_read/*.csv will look for any file with a csv extension under that path.

note

One last validation - make sure Logz.io is the only output and appears only once. If the file has other outputs, remove them.

Start Filebeat

Start or restart Filebeat for the changes to take effect.

Filebeat is now configured to send OpenVAS CSV reports directly to Logz.io.

Generate a CSV report in OpenVAS

OpenVAS reports are typically generated manually, as needed.

After completing a scan in OpenVAS, perform the following steps to generate a CSV report.

  1. Click the Scans tab, then select Reports.

  2. Select a report from the list of results.

  3. The report summary will open. Select CSV Results from the drop-down menu (top left corner) and click the download option (It's the green arrow ⬇️.

    OpenVAS image

  4. The CSV file will be downloaded to the default Downloads path set for your Web browser. If your Filebeat is configued to read reports from another folder, you can manually copy OpenVAS reports to another folder or change the browser's default Downloads path.

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards.

If you still don't see your logs, see Filebeat troubleshooting.