- Docker
- Clone this repository
git clone https://github.com/dariommr/logstash-lab.git
cd logstash-lab- Build the images
docker build -t logstash-lab logstash/.
docker build -t logstash-lab filebeat/.- Modify the
docker-compose.ymlfile to configure theINDEXER_IP,LOGSTASH_KS_USER,LOGSTASH_KS_PASSenvironment variables. - Copy the
root-ca.pemcertificate from the Wazuh Indexer (or Filebeat) certificate folder to this folder.
scp user@indexer-ip:/etc/wazuh-indexer/certs/root-ca.pem .- Run
docker compose up -dto start the containers
- Execute bash in interactive mode in the Filebeat docker container
docker exec -ti logstash-lab-filebeat-1 bash- Once inside the container you can test it by running this command:
echo '{"timestamp":"2023-07-27T13:00:00.000-0300","rule":{"level":9,"description":"Logstash Test Alert","id":"999999","firedtimes":99,"mail":false,"groups":["logstash-test"]},"agent":{"id":"999","name":"NO-AGENT","ip":"1.2.3.4"},"manager":{"name":"no-manager"},"id":"1690476900.3546161","cluster":{"name":"no-cluster","node":"node01"},"decoder":{"name":"json"},"data":{"logstash-test":{"object-field":{"Subfield01":"value01","Subfield02":"value02"},"text-field":"value","numeric-field":"9.9","boolean-field":true}},"location":"logstash-test"}' >>input.jsonThis will add a json line to the input.json file which is read by the Filebeat service and sent to the Logstash container.
What you should see on the indexer:
