Before you begin, you’ll need:
- SentinelOne installed
- Root access
Install the SentinelOne certificate on your Filebeat server
SentinelOne sends encrypted data, so you’ll need to create a dedicated SentinelOne certificate to decrypt the logs by the Filebeat server.
sudo mkdir /etc/filebeat/certificates sudo openssl req -newkey rsa:2048 -nodes \ -keyout /etc/filebeat/certificates/SentinelOne.key -x509 \ -days 365 \ -out /etc/filebeat/certificates/SentinelOne.crt
Download the Logz.io public certificate to your credentials server
For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.
sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Open the Filebeat configuration file (/etc/filebeat/filebeat.yml) with your preferred text editor. Copy and paste the code block below, overwriting the previous contents. (You want to replace the file’s contents with this code block.)
This code block adds SentinelOne as an input and sets Logz.io as the output.
# ... Filebeat inputs filebeat.inputs: - type: tcp max_message_size: 10MiB host: "0.0.0.0:9000" fields: logzio_codec: json token: <<LOG-SHIPPING-TOKEN>> type: sentinel_one fields_under_root: true filebeat.registry.path: /var/lib/filebeat #The following processors are to ensure compatibility with version 7 processors: - rename: fields: - from: "agent" to: "beat_agent" ignore_missing: true - rename: fields: - from: "log.file.path" to: "source" ignore_missing: true ### Outputs output: logstash: hosts: ["<<LISTENER-HOST>>:5015"] ssl: certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
Replace the placeholders to match your specifics. (They are indicated by the double angle brackets
<<LOG-SHIPPING-TOKEN>>with the token of the account you want to ship to.
<<LISTENER-HOST>>with the host for your region. For example,
listener.logz.ioif your account is hosted on AWS US East, or
listener-nl.logz.ioif hosted on Azure West Europe.
Replace the host port with your syslog port details. The above example has
host: "0.0.0.0:9000"but you should change it to your specifics.
One last validation - make sure Logz.io is the only output and appears only once. If the file has other outputs, remove them.
Start or restart Filebeat for the changes to take effect.
Configure SentinelOne to send logs to Logzio
Open the SentinelOne Admin Console. Configure SentinelOne to send logs to your Syslog server.
- Select your site.
- In the left side menu, click the slider icon [⊶] to open the Settings menu.
- Open the INTEGRATIONS tab, and fill in the details:
- Under Types, select SYSLOG.
- Toggle the button to enable SYSLOG.
- Host - Enter your public SYSLOG server IP address and port.
- Formatting - Select CEF2.
- Save your changes.
Configure SentinelOne to send notifications
In the same screen, open the NOTIFICATIONS tab, and fill in the details:
Under Notification Types, check all options under Syslog notifications.
We recommend enabling all notification options to send Syslog logs. Still, it is optional. Note that if you leave some Syslog notification options disabled, it may interfere with Logz.io’s detection rules.
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open Kibana.
If you still don’t see your logs, see log shipping troubleshooting.