Setup

Configuration tl;dr

Files: Sample configuration, Encryption certificate
Listener: Port 5015. For help finding your region’s listener URL, see Account region.
Default log locations:
  JSON (recommended): /var/ossec/logs/alerts/alerts.json
  Plain text: /var/ossec/logs/alerts/alerts.log
Guided configuration

You’ll need: Filebeat 7 or Filebeat 6, root access

  1. Configure OSSEC for JSON alert output

    In the OSSEC configuration file (/var/ossec/etc/ossec.conf), find the <global> tag. Add the <jsonout_output> property and set it to yes.

     <global>
       <jsonout_output>yes</jsonout_output>
     </global>
    

    Restart OSSEC.

     sudo /var/ossec/bin/ossec-control restart
    
  2. Download the Logz.io certificate

    For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder. Filebeat uses this certificate to verify the listener’s TLS certificate (see the ssl settings in step 4).

     sudo wget https://raw.githubusercontent.com/logzio/public-certificates/master/COMODORSADomainValidationSecureServerCA.crt -P /etc/pki/tls/certs/

  3. Add OSSEC as an input

    In the Filebeat configuration file (/etc/filebeat/filebeat.yml), add OSSEC to the filebeat.inputs section.

    Replace <ACCOUNT-TOKEN> with the token of the account you want to ship to.

     # Filebeat 7 configuration
    
     filebeat.inputs:
     - type: log
    
       paths:
       - /var/ossec/logs/alerts/alerts.json
    
       fields:
         logzio_codec: json
    
         # Your Logz.io account token. You can find your token at
         #  https://app.logz.io/#/dashboard/settings/manage-accounts
         token: <ACCOUNT-TOKEN>
         type: ossec
       fields_under_root: true
       encoding: utf-8
       ignore_older: 3h
    
     filebeat.registry.path: /var/lib/filebeat
     processors:
     - rename:
         fields:
         - from: "agent"
           to: "filebeat_agent"
         ignore_missing: true
     - rename:
         fields:
         - from: "log.file.path"
           to: "source"
         ignore_missing: true
    
     # Filebeat 6 configuration
    
     filebeat.inputs:
     - type: log
    
       paths:
       - /var/ossec/logs/alerts/alerts.json
    
       fields:
         logzio_codec: json
    
         # Your Logz.io account token. You can find your token at
         #  https://app.logz.io/#/dashboard/settings/manage-accounts
         token: <ACCOUNT-TOKEN>
         type: ossec
       fields_under_root: true
       encoding: utf-8
       ignore_older: 3h
    
     registry_file: /var/lib/filebeat/registry
    
  4. Add Logz.io as an output

    If Logz.io is not already configured as an output, add it now.

    Replace <LISTENER-URL> with your region’s listener URL. For more information on finding your account’s region, see Account region.

     output.logstash:
       hosts: ["<LISTENER-URL>:5015"]
       ssl:
         certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
    
  5. Restart Filebeat

     sudo systemctl restart filebeat
    
  6. Check Logz.io for your logs

    Give your logs some time to get from your system to ours, and then open Kibana.

    If you still don’t see your logs, see log shipping troubleshooting.
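A pre-flight check for the setup above, added here as an example (it is not part of this page or of Logz.io’s tooling): it confirms that jsonout_output is enabled under <global> in ossec.conf and that filebeat.yml has its placeholders replaced and matches the input and output shown in steps 3 and 4. It uses only the Python standard library and plain text checks rather than a YAML parser, assumes ossec.conf is well-formed XML, and takes its file paths from this page.

```python
"""Pre-flight check for the OSSEC -> Filebeat -> Logz.io pipeline (added example)."""
import re
import xml.etree.ElementTree as ET

OSSEC_CONF = "/var/ossec/etc/ossec.conf"              # paths as given on this page
FILEBEAT_YML = "/etc/filebeat/filebeat.yml"
ALERTS_JSON = "/var/ossec/logs/alerts/alerts.json"
CA_CERT = "/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt"
PORT = 5015


def ossec_json_output_enabled(ossec_conf_text):
    """True if <global><jsonout_output>yes</jsonout_output> is present (step 1)."""
    # ossec.conf may hold several top-level <ossec_config> blocks and normally
    # has no XML declaration, so wrap it in a synthetic root before parsing.
    root = ET.fromstring("<root>" + ossec_conf_text + "</root>")
    for glob in root.iter("global"):
        for node in glob.iter("jsonout_output"):
            if (node.text or "").strip().lower() == "yes":
                return True
    return False


def filebeat_config_problems(filebeat_yml_text):
    """Return a list of problems found in filebeat.yml; an empty list means the
    file matches steps 3 and 4 (plain text checks, assumption: no YAML parser)."""
    problems = []
    if "<ACCOUNT-TOKEN>" in filebeat_yml_text:
        problems.append("<ACCOUNT-TOKEN> placeholder was not replaced")
    if "<LISTENER-URL>" in filebeat_yml_text:
        problems.append("<LISTENER-URL> placeholder was not replaced")
    if ALERTS_JSON not in filebeat_yml_text:
        problems.append("no input reads %s" % ALERTS_JSON)
    if "logzio_codec: json" not in filebeat_yml_text:
        problems.append("logzio_codec is not set to json")
    if not re.search(r"""hosts:\s*\[\s*["'][^"']+:%d["']\s*\]""" % PORT, filebeat_yml_text):
        problems.append("output.logstash hosts entry does not use port %d" % PORT)
    if CA_CERT not in filebeat_yml_text:
        problems.append("ssl.certificate_authorities does not list the Logz.io CA")
    return problems


if __name__ == "__main__":
    with open(OSSEC_CONF) as f:
        print("OSSEC JSON output:", "on" if ossec_json_output_enabled(f.read()) else "OFF")
    with open(FILEBEAT_YML) as f:
        print("filebeat.yml problems:", filebeat_config_problems(f.read()) or "none")
```

Run it as root before step 5; an empty problem list and "on" mean the configuration files match this guide, which does not replace checking the listener connection itself.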