How to ingest Darktrace syslog JSON into Filebeat / Elasticsearch


yari arcopinto

Jun 22, 2023, 9:14:11 AM
to Wazuh mailing list

Hello team,

I'm new to the ELK stack, so I want to apologise if my questions are stupid.

I have successfully installed the ELK stack on my server, and I have installed the agents on all my servers. Everything is working fine.

Now I have to receive into Elasticsearch the alerts generated by Darktrace, so I have set the IP (of the manager) and the port (where Filebeat is listening) and have set it to send the alerts as syslog JSON.

So I have opened filebeat.yml and configured the following:

filebeat.inputs:
  - type: syslog
    format: auto
    # protocol.tcp (or protocol.udp) selects the listener; host is the local
    # "ip:port" that Filebeat binds to, given as a single string
    protocol.tcp:
      host: "172.18.17.8:514"

Saved and restarted filebeat.service. Running

filebeat -e

I got no error.
So I tried to send a "sample alert" from Darktrace (which confirmed the successful send, and the firewall confirmed it too), but I don't see it among the events in the Elasticsearch dashboard, in /var/ossec/logs/alerts/alerts.log or in /var/ossec/logs/archive/archive.log

By the way, ONLY for these alerts (Darktrace alerts), I tried to configure a new index in the filebeat.yml settings:

setup.ilm.enabled: false
setup.template.overwrite: true
output.elasticsearch:
  hosts: ["127.0.0.1:9200"]
  index: "darktrace-%{[agent.version]}-%{+yyyy.MM.dd}"
  username: "****"
  password: "**********"
setup.template:
  name: 'darktrace'
  pattern: 'darktrace-*'
  enabled: false

but looking in Elastic > Stack Management > Index, it isn't present.

Thanks in advance for your support.


Eric Franco Fahnle

Jun 23, 2023, 10:27:07 PM
to Wazuh mailing list
Hi Yari! Hope you're doing great and thanks for using Wazuh!

Have you confirmed that Filebeat is receiving data? You could try with netcat:
echo -n "test message" | nc -4uv -w1 <server_IP> 514

Or maybe with the logger command:

You can also check this page of the docs to see if Filebeat is working correctly: https://documentation.wazuh.com/current/user-manual/wazuh-dashboard/troubleshooting.html
And run this command:
filebeat test output

Thanks!
Eric

yari arcopinto

Jun 26, 2023, 11:20:46 AM
to Wazuh mailing list
Hello Eric, 

Yes, Filebeat is able to communicate with the server:

DWH3:~$ echo -n "test message" | nc -4uv -w1 172.18.17.8 514
Connection to 172.18.17.8 514 port [udp/syslog] succeeded!


Eric Franco Fahnle

Jun 26, 2023, 9:09:16 PM
to Wazuh mailing list
Hi Yari!

Have you seen this integration guide on Elastic? https://docs.elastic.co/integrations/darktrace#

I'm not sure that the integration is done as a syslog input from Filebeat, but rather configured on Darktrace's end. I cannot access Darktrace's docs to confirm, but it looks like you have to configure it the other way round. Please see the link above.

Regards,
Eric

yari arcopinto

Jun 27, 2023, 6:07:37 AM
to Wazuh mailing list
Hello Eric, 

The situation is: 

  • Manager and Filebeat installed on, e.g., Server 1
  • Darktrace installed on a VM on, e.g., Server 4
  • An agent installed on the VM on Server 4 too

So when the document says, on the Darktrace configuration side, "Enter the IP Address and Port of the Elastic Agent that is running the integration in the Server and Server Port field respectively.", is it referring to the IP address and port of Filebeat, or to the IP address and port of the agent installed on the same server where Darktrace is installed?

I tried to:
  • Add to Darktrace the IP address and port of Filebeat
  • Add to filebeat.yml the following configuration:

filebeat.inputs:
  - type: syslog
    format: auto
    # protocol.tcp (or protocol.udp) selects the listener; host is the local
    # "ip:port" that Filebeat binds to, given as a single string
    protocol.tcp:
      host: "172.18.17.8:514"

where 172.18.17.8:514 is the IP address and port of the server where Darktrace is installed.
But with this configuration the manager doesn't receive the alerts sent by Darktrace (I followed this conversation: https://discuss.elastic.co/t/how-injest-darktrace-syslog-json-to-filebeat-elasticseach/336676)

Thanks in advance for your support 

yari arcopinto

Jun 27, 2023, 6:08:11 AM
to Wazuh mailing list
EDIT: the agent on the VM on Server 4 is not present.

Eric Franco Fahnle

Jun 28, 2023, 12:12:07 AM
to Wazuh mailing list
Hi Yari! 

If I'm not mistaken, you must provide a VM with an agent in order to ingest those logs. I believe the agent can run on the same VM as your darktrace server, or you could use a separate one. Once the agent is there, the IP address and Port you must complete in Darktrace are the ones corresponding to the agent. Please take a look at Elastic's guide on Integration: https://www.elastic.co/guide/en/observability/current/logs-metrics-get-started.html

Lastly, are you sure that syslog is running on that TCP port (514)? By default syslog uses UDP 514, and in a previous message you tested connectivity with the command I provided, and it was also UDP (note the "-u" switch).

DWH3:~$ echo -n "test message" | nc -4uv -w1 172.18.17.8 514
Connection to 172.18.17.8 514 port [udp/syslog] succeeded!

Let me know how that goes.

Regards!
Eric
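A way to exercise the checks Eric describes above (the netcat test earlier in the thread and the UDP-versus-TCP point just made), added here as an example that is not code from the thread, Darktrace, Wazuh or Elastic: the script builds an RFC 5424 syslog frame whose message body is JSON, the shape of a syslog/JSON alert, sends it over UDP or TCP, and parses what the listener receives, which is roughly what a syslog input followed by a JSON decoder does. The alert fields, hostname and app name are constructed for the demo and are not Darktrace's real schema. It shows the asymmetry Eric points to: a UDP send never fails for lack of a listener, whereas a TCP connect to a port nobody listens on is refused. `roundtrip` runs a throwaway listener on 127.0.0.1 so the script works offline; against a real Filebeat listener you would call `send_udp` or `send_tcp` with its address and port instead.

```python
import json
import socket
import threading

# Constructed sample alert; the field names are assumptions, not Darktrace's schema.
SAMPLE_ALERT = {
    "model": "Anomalous Connection / Example",
    "score": 0.87,
    "src_ip": "10.0.0.23",
    "dst_ip": "203.0.113.5",
}
SAMPLE_TS = "2023-06-22T09:14:11Z"  # fixed timestamp so the output is deterministic


def build_syslog_message(payload, ts=SAMPLE_TS, host="darktrace", app="dtalert",
                         facility=1, severity=5):
    """RFC 5424 frame: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
    PRI = facility*8 + severity; PROCID, MSGID and structured data are '-' (absent);
    MSG is the JSON document. The trailing newline delimits frames on TCP."""
    pri = facility * 8 + severity
    return f"<{pri}>1 {ts} {host} {app} - - - {json.dumps(payload)}\n".encode()


def parse_syslog_message(raw):
    """Split the RFC 5424 header from the JSON body. Structured data is assumed
    to be '-' here; real SD elements contain spaces and need a proper tokenizer."""
    text = raw.decode("utf-8").rstrip("\n")
    parts = text.split(" ", 7)
    if len(parts) != 8 or not parts[0].startswith("<"):
        raise ValueError(f"not an RFC 5424 frame: {text[:40]!r}")
    pri = int(parts[0][1:parts[0].index(">")])
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": parts[1],
        "host": parts[2],
        "app": parts[3],
        "json": json.loads(parts[7]),
    }


def send_udp(msg, host, port):
    """UDP is fire-and-forget: this cannot tell whether anything is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg, (host, port))


def send_tcp(msg, host, port, timeout=2.0):
    """Return False when no TCP listener accepts the connection, the failure
    that a UDP 'succeeded' from nc cannot reveal."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(msg)
        return True
    except OSError:  # ConnectionRefusedError and timeouts are subclasses
        return False


def closed_tcp_port():
    """Pick a port that was just released, so nothing should be listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def roundtrip(proto):
    """Run a throwaway listener on 127.0.0.1, send SAMPLE_ALERT to it over
    proto ('udp' or 'tcp') and return the parsed frame the listener received."""
    sock_type = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    srv = socket.socket(socket.AF_INET, sock_type)
    srv.settimeout(3.0)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    if proto == "tcp":
        srv.listen(1)  # listen before the sender connects, or it gets refused
    received = []

    def listener():
        if proto == "udp":
            data, _ = srv.recvfrom(65535)
        else:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(3.0)
                chunks = []
                while True:  # read until the sender closes its side
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    chunks.append(chunk)
                data = b"".join(chunks)
        received.append(data)

    t = threading.Thread(target=listener, daemon=True)
    t.start()
    msg = build_syslog_message(SAMPLE_ALERT)
    if proto == "udp":
        send_udp(msg, "127.0.0.1", port)
    elif not send_tcp(msg, "127.0.0.1", port):
        raise RuntimeError("TCP connection refused")
    t.join(3.0)
    srv.close()
    if not received:
        raise RuntimeError(f"nothing received over {proto}")
    return parse_syslog_message(received[0])


if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        print(proto, roundtrip(proto)["json"]["model"])
    print("tcp to a closed port accepted:", send_tcp(b"x", "127.0.0.1", closed_tcp_port()))
```

To test a real listener, point `send_tcp` at the Filebeat host and port and check its return value; `send_udp` returning without error means only that the datagram left this machine, which is the same thing the `nc -u` "succeeded" line means.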

yari arcopinto

Jun 29, 2023, 7:12:08 AM
to Wazuh mailing list
I was installing ELK version 8.8.
But I have seen that Wazuh is not compatible, so I'm rolling back.

I will try to add the agent to the same server as Darktrace and I will let you know.

yari arcopinto

Jun 30, 2023, 8:26:02 AM
to Wazuh mailing list
Hello Eric, 
Just for my information. In a previous message you said "you have to install an agent on the same server as Darktrace", but Darktrace runs on a proprietary operating system. So which type of agent should I install? I mean Linux, Windows, etc.

Thanks in advance.

Eric Franco Fahnle

Jun 30, 2023, 9:44:01 AM
to Wazuh mailing list
Hi Yari!

Oh, my bad then, I assumed it ran on a standard OS. Then you should probably install the agent on a different server with an OS of your choice.

Regards!
Eric
