Axonius is a cybersecurity asset management platform. This topic describes how to send system logs from your Axonius platform to Logz.io.

Before you begin, you’ll need:

  • An active account with Axonius
  • An active account with Logz.io
  • Filebeat 7 installed on your machine
  • Root privileges on your machines

Configure Axonius to send syslog notifications to a remote Syslog server running Filebeat
  1. On your Axonius web interface, go to System Settings > Global Settings > Syslog Settings.
  2. Select Use Syslog.
  3. Enter the IP address of your remote syslog server into the Syslog host field. This is the server where you run Filebeat.
  4. Enter the port number into the Port field.
  5. Select UDP in the Protocol menu.

By default, syslog will be forwarded over port 514. Feel free to adjust this, based on your preference or availability, but be sure to note any change to this port in the Filebeat configuration.
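Before Filebeat is in place, it is worth confirming that syslog datagrams from Axonius actually reach the host and port you entered above. The following script is an added example, not part of the Logz.io page or the Axonius product: it builds an RFC 3164-style syslog line (the `<PRI>` prefix that Filebeat will receive), sends it over UDP, and includes a loopback round-trip so the whole path can be exercised offline. The facility and severity tables, the hostname `axonius-test`, and the message text are constructed values for the example; when run on the Filebeat host with `listen <port>`, it binds the real port and prints the first datagram and its source address, which is what Axonius should produce after you save the Syslog Settings. Note that syslog over UDP carries no authentication, so on the Filebeat host restrict inbound traffic on that port to the Axonius appliance's address, and remember that binding a port below 1024 (such as the default 514) needs root.

```python
"""Send and receive RFC 3164-style syslog datagrams over UDP.

Added example for checking the Axonius -> Filebeat UDP leg; not code from
the original page. Values such as 'axonius-test' are constructed.
"""
import socket
import sys
from datetime import datetime

# Subset of the standard syslog facility and severity codes (RFC 3164, section 4.1.1).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_syslog_message(facility, severity, hostname, app, text, timestamp=None):
    """Return '<PRI>Mmm dd hh:mm:ss host app: text' with PRI = facility*8 + severity."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    ts = timestamp or datetime.now()
    # RFC 3164 pads a single-digit day with a space, not a zero.
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    return f"<{pri}>{stamp} {hostname} {app}: {text}"


def parse_pri(message):
    """Decode the leading <PRI> field into (facility, severity)."""
    if not message.startswith("<") or ">" not in message:
        raise ValueError("missing <PRI> prefix")
    pri = int(message[1:message.index(">")])
    return pri // 8, pri % 8


def send_udp(message, host, port):
    """Fire one datagram; UDP gives no delivery confirmation, hence the listener below."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode("utf-8"), (host, port))


def receive_one(sock, timeout=5.0):
    """Block for one datagram on an already-bound UDP socket; return (text, source_ip)."""
    sock.settimeout(timeout)
    data, addr = sock.recvfrom(65535)
    return data.decode("utf-8", errors="replace"), addr[0]


def loopback_roundtrip(text="constructed test event"):
    """Bind an ephemeral loopback port, send a message to it, return what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        port = listener.getsockname()[1]
        msg = build_syslog_message("local0", "info", "axonius-test", "axonius", text)
        send_udp(msg, "127.0.0.1", port)
        return receive_one(listener)


if __name__ == "__main__":
    # Usage: python syslog_check.py listen <port>   (run on the Filebeat host, then save
    #                                              the Axonius Syslog Settings and watch)
    #        python syslog_check.py send <host> <port>
    #        python syslog_check.py                 (loopback self-test)
    if len(sys.argv) >= 3 and sys.argv[1] == "listen":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind(("0.0.0.0", int(sys.argv[2])))
            text, src = receive_one(s, timeout=60.0)
            print(f"from {src}: facility/severity={parse_pri(text)} {text}")
    elif len(sys.argv) >= 4 and sys.argv[1] == "send":
        send_udp(build_syslog_message("local0", "info", "axonius-test", "axonius",
                                      "constructed test event"), sys.argv[2], int(sys.argv[3]))
    else:
        print(loopback_roundtrip())
```

A message that arrives here but not in Filebeat points at the Filebeat `host:` binding or `max_message_size`; one that never arrives points at routing or host firewall rules between Axonius and the Filebeat server.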

Download the Logz.io public certificate to your credentials server

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

    sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt

Configure Filebeat
  1. Paste the following into the inputs section of the Filebeat configuration file:

    filebeat.inputs:
    - type: udp
      max_message_size: 10MiB
      host: "<<ADDRESS-OF-YOUR-FILEBEAT-SERVER>>:514"
      fields:
        logzio_codec: plain
        # Your Logz.io account token. You can find your token at
        #  https://app.logz.io/#/dashboard/settings/manage-accounts
        token: <<LOG-SHIPPING-TOKEN>>
        type: axonius
      fields_under_root: true
      encoding: utf-8
      ignore_older: 3h
    filebeat.registry.path: /var/lib/filebeat
    processors:
    - rename:
        fields:
        - from: "agent"
          to: "filebeat_agent"
        ignore_missing: true
    - rename:
        fields:
        - from: "log.file.path"
          to: "source"
        ignore_missing: true
    output.logstash:
      hosts: ["<<LISTENER-HOST>>:5015"]
      ssl:
        certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

    • Replace <<ADDRESS-OF-YOUR-FILEBEAT-SERVER>> with the address of your server running Filebeat. If you changed the syslog port in Axonius, change the port in the host field to match.
    • Replace <<LOG-SHIPPING-TOKEN>> with your Logz.io log shipping token, which directs the data securely to your Logz.io Log Management account. The default token is auto-populated in the examples when you’re logged into the Logz.io app as an Admin.
    • Replace <<LISTENER-HOST>> with the listener URL specific to the region where your Logz.io account is hosted.
  2. Run Filebeat with the new configuration.

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Kibana. You can filter for data of type axonius to see the incoming Axonius logs.

If you still don’t see your data, see log shipping troubleshooting.