In this ELK walkthrough, we will use a simple deployment scenario of a Capsule8 Sensor deployed to a non-containerized Linux production server. If you have not already, see the Capsule8 Installation Guide for instructions on installing the Capsule8 Sensor in your deployment environment of choice.
We will be configuring the Capsule8 Sensor to log Alert data to a file called /var/log/capsule8-alerts.json with a simple program black list which will generate an Alert every time the program wget is run:
alert_output:
outputs:
- type: file
enabled: true
file: /var/log/capsule8-alerts.json
Wget Program Blacklist:
policy: program
enabled: true
alertMessage: Unauthorized Program Execution
priority: High
rules:
- match programName == "*/wget"
- default ignore
comments: Alert on usage of the wget command
This example discusses using Elastic’s Filebeat to ingest Capsule8 Alerts from a Capsule8 Sensor into Elastic Stack, which includes Kibana. It was written for Filebeat v7.0. To get started, follow the Filebeat installation guide and install it alongside the Capsule8 Sensor in a Linux test environment.
Once Filebeat is installed, follow the configuration guide to connect Filebeat’s output to Elasticsearch or Logstash depending on how you have your Elastic deployment configured. Now you can configure Filebeat’s input. Locate your system’s Filebeat configuration file and add an input:
filebeat.inputs:
- type: log
paths:
- /var/log/capsule8-alerts.json
json.keys_under_root: true
json.add_error_key: true
This will not only ingest Alerts but will also parse the JSON data for you so that the individual top-level Alert fields are easily indexed.
Restart Filebeat and you are done! Any Alerts generated on the server should now show up in your Elastic deployment. To generate an Alert with our example policy, run a wget command on your server. You should see a resulting Alert for Unauthorized Program Execution
Comments
0 comments
Please sign in to leave a comment.