BUNNY.NET is a content delivery network offering features and performance with a fast global network. This document describes how to send system logs from your bunny.net pull zones to Logz.io.
Before you begin, you’ll need:
- An active account with bunny.net
- An active account with Logz.io
- Filebeat installed on your machine
- Root priveleges on your machines
Configure bunny.net to send syslog notifications to a remote Syslog server running Filebeat
- Log in to your bunny.net account and navigate to the details page of the Pull Zone that you need to select logs from.
- On the left side panel, select Security > Logging.
- Make sure the switches for Enable logging and Enable log forwarding are on.
- In the Syslog Endpoint section, enter the IP address of your remote syslog server into the Hostname field. This is the server where you run Filebeat.
- Enter the port number into the Port field.
- Select UDP from the Log Server Protocol menu.
- Select Plain text from the Log Format menu.
- Select Save Forwarding Configuration.
By default, syslog will be forwarded over port 6514. Feel free to adjust this, based on your preference or availability, but be sure to note any change to this port in the Filebeat configuration.
Install the bunny.net certificate on your Filebeat server
Bunny.net sends encrypted data, so you’ll need to create a dedicated bunny.net certificate to decrypt the logs by the Filebeat server.
sudo mkdir /etc/filebeat/certificates sudo openssl req -newkey rsa:2048 -nodes \ -keyout /etc/filebeat/certificates/BunnyNet.key -x509 \ -days 365 \ -out /etc/filebeat/certificates/BunnyNet.crt
Download the Logz.io public certificate to your credentials server
For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.
sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Filebeat requires a file extension specified for the log input.
Paste the following into the inputs section of the Filebeat configuration file:
filebeat.inputs: - type: udp max_message_size: 10MiB host: "<<ADDRESS-OF-YOUR-FILEBEAT-SERVER>>:6514" ssl.enabled: true ssl.certificate: "/etc/filebeat/certificates/BunnyNet.crt" ssl.key: "/etc/filebeat/certificates/BunnyNet.key" ssl.verification_mode: none fields: logzio_codec: json # Your Logz.io account token. You can find your token at # https://app.logz.io/#/dashboard/settings/manage-accounts token: <<LOG-SHIPPING-TOKEN>> type: bunny-net fields_under_root: true encoding: utf-8 ignore_older: 3h filebeat.registry.path: /var/lib/filebeat processors: - rename: fields: - from: "agent" to: "filebeat_agent" ignore_missing: true - rename: fields: - from: "log.file.path" to: "source" ignore_missing: true output.logstash: hosts: ["<<LISTENER-HOST>>:5015"] ssl: certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
<<ADDRESS-OF-YOUR-FILEBEAT-SERVER>>with the address of your server running Filebeat.
- Your Logz.io log shipping token directs the data securely to your Logz.io Log Management account. The default token is auto-populated in the examples when you’re logged into the Logz.io app as an Admin. Manage your tokens.
- Use the listener URL specific to the region where your Logz.io account is hosted. Click to look up your listener URL. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.
Run Filebeat with the new configuration.
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open Kibana. You can filter for data of type
bunny-net to see the incoming Axonius logs.
If you still don’t see your logs, see Filebeat troubleshooting.