Filebeat and Logstash XPLG Integration

XPLG’s architecture allows receiving data sent by logstash, using XPLG's logstash output.

When using an advanced topology there can be multiple filebeat/winlogbeat forwarders which send data into a centralized logstash. The logstash input is the filebeat/winlogbeat forwarder(s) output. The logstash output is forwarded to XPLG Listener(s).

There are options to push data over HTTP/S and in some cases  over SysLog.

Topology:

To set up a full forwarding system to XPLG there is a need to set a central Logstash forwarder in the same XPLG server and Filebeat forwarder on each machine (Windows/Mac/Linux/Docker). In case of a windows machine, forwarding Windows Events Logs requires a different forwarder - winlogbeat.

you may follow these footsteps:

1. Browse to XPLG and set an HTTP listener according to the guideline in the article: HTTP/S
   Remarks: 
   Expand the advanced settings and
   
   

   1. In cluster topology, set listening node to 'ALL'

   2. Copy the listener URL for later use when setting the logstash

   3. Set split by Source Device to 'Create log by unique IP / host name'

   4. Set JSON Parsing Level to 1

   5. Once saving the configuration verify that the listener status is 'Running'. If needed start it

2. Prepare relevant templates for the log patterns in XPLG:

   • For Windows Events Logs it is mandatory that you import the following templates: Windows-Events-Templates.zip. To import the templates to XPLG enter XPLG Manager> Left Navigation Panel> Data> Patterns> Import Template > Choose the file & press Next.

   • For other Logs - it is suggested that you prepare templates in advance but it is not mandatory (template name is case sensitive and must match the name of the pattern set in the  exported logs in Filebeat Forwarder(s)).  

3. Enter the designated server for the logstash installation. It should be locally in the same server as XPLG is installed upon (In cluster mode consult with XPLG Support Team which node should it be installed upon). Then set the logstash according to guidelines described at the article Setting Up a Logstash Forwarder

4. Set up filebeat forwarder(s) according to the guidelines described at the article Setting Up a Filebeat Forwarder.

5. Set up Winlogbeat forwarder(s) according to the guidelines described at the articleSetting up Winlogbeat Frowarder.

Once all is set according to the guidelines enter XPLG> Folders and logs. All the forwarder logs should be created automatically under the Folders&Logs Tree according to the following topology:

FOLDERS&LOGS