Ingest Logs from Elasticsearch Filebeat
Cortex XDR can ingest logs from Elasticsearch Filebeat, a file system logger that logs file activity on your endpoints and servers.
Ingesting logs and data requires a Cortex XDR Pro per TB license.
If you want to ingest logs about file activity on your endpoints and servers and do not use the Cortex XDR agent, you can install Elasticsearch* Filebeat as a system logger and then forward those logs to Cortex XDR. To facilitate log ingestion, Cortex XDR supports the same protocols that Filebeat and Elasticsearch use to communicate.
To provide additional context during investigations, Cortex XDR automatically creates a new XQL dataset from your Filebeat logs. You can then use the XQL dataset to search across the logs Cortex XDR received from Filebeat.
To receive logs, you configure collection settings for Filebeat in Cortex XDR and output settings in your Filebeat installations. As soon as Cortex XDR begins receiving logs, the data is visible in XQL Search queries.
- In Cortex XDR, set up Log Collection.
- Select Settings > Configurations > Custom Collections.
- In the Filebeat configuration, click the here link.
- Enter a descriptive Name for your Filebeat log collection configuration.
- Enter the Vendor and Product for the type of logs you are ingesting. The vendor and product are used to define the name of your XQL dataset (<vendor>_<product>_raw). If you do not define a vendor or product, Cortex XDR examines the log header to identify the type and uses that to define the vendor and product in the dataset. For example, if the type is Acme and you opt to let Cortex XDR determine the values, the dataset name would be acme_acme_raw.
- Save & Generate Token. Click the copy icon next to the key and record it somewhere safe. You will need to provide this key when you set up output settings on your Filebeat instance. If you forget to record the key and close the window, you will need to generate a new key and repeat this process.
- Set up Filebeat to forward logs. After Cortex XDR begins receiving logs from Filebeat, they will be available in XQL Search queries.
- After installing the Filebeat agent, configure an Elasticsearch output:
- Under the output.elasticsearch section, configure the following entities:
- hosts—Copy the API URL from your Filebeat configuration and paste it in this field.
- compression_level—5 (recommended)
- bulk_max_size—1000 (recommended)
- api_key—Paste the key you created when you configured Filebeat Log Collection in Cortex XDR.
- proxy_url—(Optional). You can specify your own <server_ip>:<port_number> or use the broker VM to proxy Filebeat communication using the format <broker_VM_ip>:<port_number>. When using the broker VM, ensure that you activate the Local Agent Settings applet with the Agent Proxy enabled.
- Save the changes to your output file.
- (Optional) Monitor your Filebeat integration. You can return to the Settings > Configurations > Custom Collectors page to monitor the status of your Filebeat configuration. For each instance, Cortex XDR displays the number of logs received in the last hour, day, and week. You can also use the Data Ingestion Dashboard to view general statistics about your data ingestion configurations.
- (Optional) Set up alert notifications to monitor the following events:
- A Filebeat agent status changes to disconnected.
- A Filebeat module has stopped sending logs.
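The output.elasticsearch settings from the steps above, assembled into one section of filebeat.yml. This is an added example, not taken from the Cortex XDR documentation: every value in angle brackets is a placeholder, and XDR_API_KEY is an assumed Filebeat keystore entry name used so the key is not stored in plaintext.

```yaml
# filebeat.yml (output section only). Constructed example: values in
# angle brackets are placeholders, not real URLs, addresses, or keys.
output.elasticsearch:
  # API URL copied from the Filebeat configuration in Cortex XDR.
  hosts: ["<API_URL_FROM_CORTEX_XDR>"]

  # Recommended values from the steps above.
  compression_level: 5
  bulk_max_size: 1000

  # Key recorded after "Save & Generate Token". It is read from the
  # Filebeat keystore rather than written into this file.
  # XDR_API_KEY is an assumed name; store the key beforehand with:
  #   filebeat keystore create
  #   filebeat keystore add XDR_API_KEY
  api_key: "${XDR_API_KEY}"

  # Optional: your own proxy, or the broker VM with the Agent Proxy
  # enabled in the Local Agent Settings applet.
  # proxy_url: "<broker_VM_ip>:<port_number>"
```

After saving, `filebeat test config` checks that the file parses before you restart the service.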
Elasticsearch is a trademark of Elasticsearch B.V., registered in the U.S. and in other countries.