OpenVPN is a virtual private network system for secure point-to-point or site-to-site connections.

These instructions only apply to Linux and MacOS systems.

Before you begin, you’ll need:

  • An active account with Logz.io
  • OpenVPN Access Server installed
  • Filebeat installed on the same machine as OpenVPN Access Server
  • Root priveleges on your machines
Download the Logz.io public certificate to your credentials server

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Configure Filebeat

Filebeat requires a file extension specified for the log input.

Paste the following into the inputs section of the Filebeat configuration file:

   filebeat.inputs:
   - type: filestream
     paths:
       - /var/log/openvpnas.log
       - /var/log/openvpnas.log.*
     fields:
       logzio_codec: json
       # Your Logz.io account token. You can find your token at
       #  https://app.logz.io/#/dashboard/settings/manage-accounts
       token: <<LOG-SHIPPING-TOKEN>>
       type: openvpn
     fields_under_root: true
     encoding: utf-8
     ignore_older: 3h
     multiline.type: pattern
     multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\+[0-9]{4} \[\S+\]( {2,}| \})'
     multiline.negate: false
     multiline.match: after
   filebeat.registry.path: /var/lib/filebeat
   processors:
   - rename:
       fields:
       - from: "agent"
         to: "beat_agent"
       ignore_missing: true
   - rename:
       fields:
       - from: "log.file.path"
         to: "source"
       ignore_missing: true
   output.logstash:
     hosts: ["<<LISTENER-HOST>>:5015"]
     ssl:
       certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

If you’re running Filebeat 7 to 8.1, paste the code block below instead:

   filebeat.inputs:
   - type: log
     paths:
       - /var/log/openvpnas.log
       - /var/log/openvpnas.log.*
     fields:
       logzio_codec: json
       # Your Logz.io account token. You can find your token at
       #  https://app.logz.io/#/dashboard/settings/manage-accounts
       token: <<LOG-SHIPPING-TOKEN>>
       type: openvpn
     fields_under_root: true
     encoding: utf-8
     ignore_older: 3h
     multiline.type: pattern
     multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\+[0-9]{4} \[\S+\]( {2,}| \})'
     multiline.negate: false
     multiline.match: after
   filebeat.registry.path: /var/lib/filebeat
   processors:
   - rename:
       fields:
       - from: "agent"
         to: "beat_agent"
       ignore_missing: true
   - rename:
       fields:
       - from: "log.file.path"
         to: "source"
       ignore_missing: true
   output.logstash:
     hosts: ["<<LISTENER-HOST>>:5015"]
     ssl:
       certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
  • Your Logz.io log shipping token directs the data securely to your Logz.io Log Management account. Manage your tokens.
  • Use the listener URL specific to the region where your Logz.io account is hosted. Click to look up your listener URL. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.
Restart Filebeat to run it with the new configuration.
service filebeat restart
Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Kibana. You can filter for data of type openvpn to see the incoming OpenVPN logs.

If you still don’t see your logs, see Filebeat troubleshooting.