The purpose of this document is to help with configuring and troubleshooting TLS on the connection between Beats and Logstash.
You must configure TLS on both the client and server to make this work. This
# Installs golang on Windows. | |
# | |
# # Run script: | |
# .\install-go.ps1 -version 1.5.3 | |
# | |
# # Download and run script:
# $env:GOVERSION = '1.5.3'
# iex ((new-object net.webclient).DownloadString('SCRIPT_URL_HERE'))
# # NOTE: the one-liner above fetches and executes whatever the URL returns, with no
# # integrity check on the downloaded text. Only use it with an HTTPS URL you control;
# # otherwise download the script, review it, and run the local copy instead.
Param( | |
[String]$version, |
// Beats TLS configuration options. | |
package tls | |
$version: "v8.14.0" | |
#base64String: =~"^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$" | |
#hexSHA256: =~"^[a-fA-F0-9]{64}$" | |
#pemCerts: =~"^(?:(?:-+BEGIN CERTIFICATE-+\\s+)(?:([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?\\s+)+(?:-+END CERTIFICATE-+\\s*))+$" |
1348870236.160 0 192.168.0.35 TCP_DENIED/403 3293 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.5.2/misc/AcrobatUpd952_all_incr.msp - NONE/- text/html | |
1348870236.273 0 192.168.0.35 TCP_DENIED/403 3274 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.5.2/misc/AcrobatUpd952_all_incr.msp - NONE/- text/html | |
1348870236.386 0 192.168.0.35 TCP_DENIED/403 3274 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.5.2/misc/AcrobatUpd952_all_incr.msp - NONE/- text/html | |
1348870236.499 0 192.168.0.35 TCP_DENIED/403 3274 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.5.2/misc/AcrobatUpd952_all_incr.msp - NONE/- text/html | |
1348870237.550 0 192.168.0.35 TCP_DENIED/403 3269 GET http://armdl.adobe.com/pub/adobe/acrobat/win/9.x/9.4.6/misc/AcrobatUpd946_all_incr.msp - NONE/- text/html | |
1348870274.248 59875 192.168.0.35 TCP_MISS/503 0 CONNECT client84.dropbox.com:443 - DIRECT/- - | |
1348870284.249 59872 192.168.0.35 TCP_MISS/503 0 CONNECT client62.dropbox.com:443 - DIRECT/- - | |
1348870 |
#include <windows.h> | |
#include <stdio.h> | |
int ProcessBlock(MESSAGE_RESOURCE_DATA* data, MESSAGE_RESOURCE_BLOCK* block) | |
{ | |
MESSAGE_RESOURCE_ENTRY* entry = (MESSAGE_RESOURCE_ENTRY*) ((unsigned char*)data + block->OffsetToEntries); | |
for (DWORD id = block->LowId; id <= block->HighId; id++) | |
{ | |
if (entry->Flags == 0x0001) // wide char | |
printf("%d, %ls", id, entry->Text); |
--- | |
filebeat.inputs: | |
# Consume output from | |
# evtx_dump --dont-show-record-number -o xml <file.evtx> > /tmp/samples/file.evtx.xml | |
# See https://github.com/omerbenamram/evtx. | |
- type: filestream | |
id: evtx_dump_xml | |
parsers: | |
- multiline: |
# Filebeat input: CEF lines received over UDP on the loopback interface,
# port 9514 (the input id suggests ExtraHop as the sender — confirm).
# Binding to localhost means only senders on this host can reach the listener.
filebeat.inputs:
  - type: udp
    id: udp-extrahop-cef-9514
    host: localhost:9514
    processors:
      # Keep an untouched copy of the received line in event.original
      # (mode "copy", not "rename", so `message` stays available to later stages).
      - convert:
          mode: copy
          fields:
            - from: "message"
              to: "event.original"
--- | |
filebeat.inputs: | |
- type: cel | |
id: config-123-watcher | |
interval: 1m | |
resource: | |
url: file:///etc/conf.d/foo.conf | |
program: | | |
file(state.url).as(content, content.sha256().hex().as(hash, { |
filebeat.inputs: | |
- type: journald | |
processors: | |
# For https://kubernetes.io/docs/concepts/cluster-administration/system-logs/#json-log-format | |
- if: | |
and: | |
- equals.journald.process.name: kubelet | |
- regexp.message: '^{' | |
then: | |
# 'kubelet' should be mapped as a flattened field in ES because |
800, AntiVirus | |
801, AntiSpyware | |
802, Antimalware | |
803, Full | |
804, Delta | |
805, Full Scan | |
806, Quick Scan | |
807, Custom Scan | |
808, Remove | |
809, Quarantine |