Filebeat is an open-source tool developed by Elastic that is used to
send logs/events/data to predefined destinations and it is one of the
recommended tools for event collection by Wazuh. Although Filebeat is
not a Wazuh product, the integral Wazuh security solution includes a
preconfigured integration of Filebeat that is used for alert collection.
This integration is specifically designed to work along with
Wazuh, which simplifies the work that the user has to do.
Therefore, Filebeat is an essential part of the toolset offered by Wazuh
for security and event management. Filebeat is ideal for smaller, simpler environments where only log data forwarding is required.
Logstash could also be used for event collection in combination with
Wazuh. Logstash is more suitable for complex, larger-scale environments
that require greater customization and flexibility in the data processing.
This is because it allows for processing and enriching events from
different sources before sending them to a specific destination.
Thus, the main difference between Filebeat and Logstash is that Filebeat
focuses on collecting and forwarding data to a specific destination for
further processing, while Logstash offers a wide range of
transformations and filters for processing data from different formats
and sources before sending them to a specific destination.
In summary, both Filebeat and Logstash can be used to collect Wazuh
alerts and visualize them on the dashboard. Filebeat is a lighter tool
and is more suitable for smaller and simpler environments. On the other
hand, Logstash is a more complex tool that, due to its complexity,
requires higher hardware resources and is more difficult to configure.
In general, if only collecting alerts for visualization on the dashboard
is needed, the integration of pre-configured Filebeat in Wazuh would be
the recommended option. If processing events from different sources and
enriching them before presenting them on the web interface is needed,
Logstash could be used.
Analysisd is the module in charge of processing the logs; part of its work is to match the MITRE ATT&CK tactics and assign their IDs to the events. For more information, I recommend reading the following links:

- https://documentation.wazuh.com/current/user-manual/ruleset/mitre.html
- https://documentation.wazuh.com/current/user-manual/reference/daemons/wazuh-analysisd.html

Best Regards,
Mariano Koremblum
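As an added example (not part of the reply above and not Wazuh's own code), here is a small Python script that reads alerts.json-style lines, counts the ATT&CK tactics and technique IDs that analysisd attaches under rule.mitre, and lists high-level alerts that carry no mapping at all. The sample alerts are constructed in the shape of the Wazuh alert schema; the rule IDs and values are illustrative.

```python
import json
from collections import Counter

# Constructed sample in the shape of Wazuh's alerts.json (one JSON object per line).
# Field names follow the Wazuh alert schema; the values themselves are made up.
SAMPLE_ALERTS = "\n".join([
    json.dumps({"timestamp": "2024-01-10T12:00:01.000+0000", "agent": {"name": "web01"},
                "rule": {"id": "5710", "level": 5,
                         "description": "sshd: Attempt to login using a non-existent user",
                         "mitre": {"id": ["T1110.001"], "tactic": ["Credential Access"],
                                   "technique": ["Password Guessing"]}}}),
    json.dumps({"timestamp": "2024-01-10T12:00:07.000+0000", "agent": {"name": "web01"},
                "rule": {"id": "5712", "level": 10,
                         "description": "sshd: brute force trying to get access to the system.",
                         "mitre": {"id": ["T1110"], "tactic": ["Credential Access"],
                                   "technique": ["Brute Force"]}}}),
    json.dumps({"timestamp": "2024-01-10T12:01:30.000+0000", "agent": {"name": "db01"},
                "rule": {"id": "100200", "level": 12,
                         "description": "Custom rule without MITRE metadata"}}),
    "{not valid json",  # a truncated line, as seen when reading a file still being written
])

def parse_alerts(text):
    """Return the alert objects in alerts.json-style text, skipping lines that do not parse."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # keep going; one bad line should not stop the whole batch
    return alerts

def mitre_summary(alerts):
    """Count alerts per ATT&CK tactic and per technique ID from rule.mitre.*."""
    tactics, techniques = Counter(), Counter()
    for alert in alerts:
        mitre = alert.get("rule", {}).get("mitre") or {}
        tactics.update(set(mitre.get("tactic", [])))  # count each alert once per tactic
        techniques.update(set(mitre.get("id", [])))
    return {"tactics": dict(tactics), "techniques": dict(techniques)}

def unmapped_alerts(alerts, min_level=10):
    """Rule IDs of alerts at or above min_level that carry no MITRE mapping at all."""
    return sorted({a["rule"]["id"] for a in alerts
                   if a.get("rule", {}).get("level", 0) >= min_level
                   and not a.get("rule", {}).get("mitre")})
```

Running `unmapped_alerts(parse_alerts(SAMPLE_ALERTS))` on the sample returns the custom rule 100200, which is the kind of rule you would want to add MITRE metadata to so it shows up in the dashboard's MITRE ATT&CK views.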