OpenVAS (Open Vulnerability Assessment System) is an open source vulnerability scanner. The following instructions show you how to configure Filebeat to send OpenVAS reports to

Once you start sending OpenVAS reports to your Cloud SIEM, you’ll be able to review events triggered by pre-configured OpenVAS security rules and dashboards.

Step by step

Before you begin, you’ll need:

Download the public certificate to your credentials server

For HTTPS shipping, download the public certificate to your certificate authority folder.

sudo curl --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Configure Filebeat

Open the Filebeat configuration file (/etc/filebeat/filebeat.yml) with your preferred text editor. Copy and paste the code block below, overwriting the previous contents. (You want to replace the file’s contents with this code block.)

This code block adds OpenVAS as an input and sets as the output.

# ...

- type: log
    logzio_codec: plain
    token: <<LOG-SHIPPING-TOKEN>>
    type: openvas
  fields_under_root: true
  encoding: utf-8
  ignore_older: 3h
    pattern: '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}'
    negate: true
    match: after

#For version 6.x and lower
#filebeat.registry_file: /var/lib/filebeat/registry

#For version 7 and higher
filebeat.registry.path: /var/lib/filebeat

#The following processors are to ensure compatibility with version 7
- rename:
     - from: "agent"
       to: "beat_agent"
    ignore_missing: true
- rename:
     - from: "log.file.path"
       to: "source"
    ignore_missing: true

    hosts: ["<<LISTENER-HOST>>:5015"]
      certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

If you’re running Filebeat 8.1+, the type of the filebeat.inputs is filestream instead of logs:

- type: filestream
    - /var/log/*.log

Replace the placeholders to match your specifics. (They are indicated by the double angle brackets << >>):

  • Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

  • Replace <<LISTENER-HOST>> with the host for your region. For example, if your account is hosted on AWS US East, or if hosted on Azure West Europe.

  • Replace the filepath placeholder <<FILEPATH-TO-OPENVAS-REPORTS>> with the file path to the folder where you’ll be keeping your OpenVAS reports. For example, /home/kali/Downloads/Filebeat_read/*.csv will look for any file with a csv extension under that path.

One last validation - make sure is the only output and appears only once. If the file has other outputs, remove them.

Start Filebeat

Start or restart Filebeat for the changes to take effect.

Filebeat is now configured to send OpenVAS CSV reports directly to

Generate a CSV report in OpenVAS

OpenVAS reports are typically generated manually, as needed.

After completing a scan in OpenVAS, perform the following steps to generate a CSV report.

  1. Click the Scans tab, then select Reports.
  2. Select a report from the list of results.
  3. The report summary will open. Select CSV Results from the drop-down menu (top left corner) and click the download option (It’s the green arrow ⬇️.

    OpenVAS image

  4. The CSV file will be downloaded to the default Downloads path set for your Web browser. If your Filebeat is configued to read reports from another folder, you can manually copy OpenVAS reports to another folder or change the browser’s default Downloads path.
Check for your logs

Give your logs some time to get from your system to ours, and then open Kibana.

If you still don’t see your logs, see log shipping troubleshooting.