OpenVAS

OpenVAS (Open Vulnerability Assessment System) is an open source vulnerability scanner. The following instructions show you how to configure Filebeat to send OpenVAS reports to Logz.io.

Once you start sending OpenVAS reports to your Cloud SIEM, you'll be able to review events triggered by preconfigured OpenVAS security rules and dashboards.

Step by step

Before you begin, you'll need:

Filebeat
Root access
OpenVAS

Download the Logz.io public certificate to your credentials server

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt

Configure Filebeat

Open the Filebeat configuration file (/etc/filebeat/filebeat.yml) with your preferred text editor. Copy and paste the code block below, overwriting the previous content. (You want to replace the file's content with this code block.)

This code block adds OpenVAS as an input and sets Logz.io as the output.

note

Filebeat requires a file extension specified for the log input.

# ...
filebeat.inputs:

- type: filestream
  paths:
    - <<FILEPATH-TO-OPENVAS-REPORTS>>/*.csv
  fields:
    logzio_codec: plain
    token: <<LOG-SHIPPING-TOKEN>>
    type: openvas
  fields_under_root: true
  encoding: utf-8
  ignore_older: 3h
  multiline:
    pattern: '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}'
    negate: true
    match: after

#...
output:
  logstash:
    hosts: ["<<LISTENER-HOST>>:5015"]
    ssl:
      certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

If you're running Filebeat 7 to 8.1, paste the code block below instead:

# ...
filebeat.inputs:

- type: log
  paths:
    - <<FILEPATH-TO-OPENVAS-REPORTS>>/*.csv
  fields:
    logzio_codec: plain
    token: <<LOG-SHIPPING-TOKEN>>
    type: openvas
  fields_under_root: true
  encoding: utf-8
  ignore_older: 3h
  multiline:
    pattern: '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}'
    negate: true
    match: after

#For version 6.x and lower
#filebeat.registry_file: /var/lib/filebeat/registry

#For version 7 and higher
filebeat.registry.path: /var/lib/filebeat

#The following processors are to ensure compatibility with version 7
processors:
- rename:
    fields:
     - from: "agent"
       to: "beat_agent"
    ignore_missing: true
- rename:
    fields:
     - from: "log.file.path"
       to: "source"
    ignore_missing: true

#...
output:
  logstash:
    hosts: ["<<LISTENER-HOST>>:5015"]
    ssl:
      certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

Replace the placeholders to match your specifics. (They are indicated by the double angle brackets << >>):

Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.
Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe.
Replace the filepath placeholder <<FILEPATH-TO-OPENVAS-REPORTS>> with the file path to the folder where you’ll be keeping your OpenVAS reports. For example, /home/kali/Downloads/Filebeat_read/*.csv will look for any file with a csv extension under that path.

note

One last validation - make sure Logz.io is the only output and appears only once. If the file has other outputs, remove them.

Start Filebeat

Start or restart Filebeat for the changes to take effect.

Filebeat is now configured to send OpenVAS CSV reports directly to Logz.io.

Generate a CSV report in OpenVAS

OpenVAS reports are typically generated manually, as needed.

After completing a scan in OpenVAS, perform the following steps to generate a CSV report.

Click the Scans tab, then select Reports.
Select a report from the list of results.
The report summary will open. Select CSV Results from the drop-down menu (top left corner) and click the download option (It's the green arrow ⬇️.
The CSV file will be downloaded to the default Downloads path set for your Web browser. If your Filebeat is configued to read reports from another folder, you can manually copy OpenVAS reports to another folder or change the browser's default Downloads path.

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards.

If you still don't see your logs, see Filebeat troubleshooting.

Step by step​

Download the Logz.io public certificate to your credentials server​

Configure Filebeat​

Start Filebeat​

Generate a CSV report in OpenVAS​

Check Logz.io for your logs​