BUNNY.NET is a content delivery network offering features and performance with a fast global network. This document describes how to send system logs from your bunny.net pull zones to Logz.io.

Before you begin, you’ll need:

  • An active account with bunny.net
  • An active account with Logz.io
  • Filebeat installed on your machine
  • Root priveleges on your machines
Configure bunny.net to send syslog notifications to a remote Syslog server running Filebeat
  1. Log in to your bunny.net account and navigate to the details page of the Pull Zone that you need to select logs from.
  2. On the left side panel, select Security > Logging.
  3. Make sure the switches for Enable logging and Enable log forwarding are on.
  4. In the Syslog Endpoint section, enter the IP address of your remote syslog server into the Hostname field. This is the server where you run Filebeat.
  5. Enter the port number into the Port field.
  6. Select UDP from the Log Server Protocol menu.
  7. Select Plain text from the Log Format menu.
  8. Select Save Forwarding Configuration. Bunny

By default, syslog will be forwarded over port 6514. Feel free to adjust this, based on your preference or availability, but be sure to note any change to this port in the Filebeat configuration.

Install the bunny.net certificate on your Filebeat server

Bunny.net sends encrypted data, so you’ll need to create a dedicated bunny.net certificate to decrypt the logs by the Filebeat server.

sudo mkdir /etc/filebeat/certificates
sudo openssl req -newkey rsa:2048 -nodes \
-keyout /etc/filebeat/certificates/BunnyNet.key -x509 \
-days 365 \
-out /etc/filebeat/certificates/BunnyNet.crt
Download the Logz.io public certificate to your credentials server

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Configure Filebeat

Filebeat requires a file extension specified for the log input.

  1. Paste the following into the inputs section of the Filebeat configuration file:

    - type: udp
      max_message_size: 10MiB
      host: "<<ADDRESS-OF-YOUR-FILEBEAT-SERVER>>:6514"
      ssl.enabled: true
      ssl.certificate: "/etc/filebeat/certificates/BunnyNet.crt"
      ssl.key: "/etc/filebeat/certificates/BunnyNet.key"
         ssl.verification_mode: none
        logzio_codec: json
        # Your Logz.io account token. You can find your token at
        #  https://app.logz.io/#/dashboard/settings/manage-accounts
        token: <<LOG-SHIPPING-TOKEN>>
        type: bunny-net
      fields_under_root: true
      encoding: utf-8
      ignore_older: 3h
    filebeat.registry.path: /var/lib/filebeat
    - rename:
        - from: "agent"
          to: "filebeat_agent"
        ignore_missing: true
    - rename:
        - from: "log.file.path"
          to: "source"
        ignore_missing: true
      hosts: ["<<LISTENER-HOST>>:5015"]
        certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
    • Replace <<ADDRESS-OF-YOUR-FILEBEAT-SERVER>> with the address of your server running Filebeat.
    • Your Logz.io log shipping token directs the data securely to your Logz.io Log Management account. The default token is auto-populated in the examples when you’re logged into the Logz.io app as an Admin. Manage your tokens.
    • Use the listener URL specific to the region where your Logz.io account is hosted. Click to look up your listener URL. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.
  2. Run Filebeat with the new configuration.

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards. You can filter for data of type bunny-net to see the incoming Axonius logs.

If you still don’t see your logs, see Filebeat troubleshooting.