The Elastic SIEM Provider

CloudBolt does not currently support an Elastic SIEM provider in the same way it supports Splunk. Elastic and its log shipper, Filebeat, are nevertheless easy to integrate into your CloudBolt workflow. This document walks you through installing and configuring Filebeat on your CloudBolt server.

Visit Elastic’s website for additional information on getting started with Filebeat.

Installation

  1. SSH into your CloudBolt server as the root user.
  2. Install Filebeat using the yum package manager, or by downloading and installing the RPM package.

Configuration

Filebeat is configured through a single .yml file, located at /etc/filebeat/filebeat.yml. Below is an example .yml that monitors all of CloudBolt’s log files; the only values you need to supply are your Elasticsearch and Kibana hosts and credentials. If you use Elastic Cloud, or need to configure other settings, refer to the Filebeat documentation.

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/cloudbolt/application.log
    - /var/log/cloudbolt/authentication.log
    # wildcard: picks up every log file under the jobs directory
    - /var/log/cloudbolt/jobs/*.log
    - /var/log/cloudbolt/jobengine.log
    # wildcard: picks up every job-engine worker log
    - /var/log/cloudbolt/jobengine-worker*.log
output.elasticsearch:
  # replace each {{...}} placeholder with your own value
  hosts: ['{{elasticsearch_hostname}}:{{elasticsearch_port}}']
  username: '{{elasticsearch_username}}'
  password: '{{elasticsearch_password}}'
setup.kibana:
  host: '{{kibana_hostname}}:{{kibana_port}}'
  username: '{{kibana_username}}'
  password: '{{kibana_password}}'
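The template above holds Elasticsearch and Kibana credentials in plaintext, so the rendered /etc/filebeat/filebeat.yml should be created readable by root alone and checked for leftover placeholders before Filebeat is started. The following script is an added example, not CloudBolt's or Elastic's own tooling: it renders the template from environment variables, creates the file with mode 0600 from the start, and verifies both properties. The variable names (ES_HOST, KIBANA_PASS and so on) and the sample values in demo() are constructed for this example.

```shell
#!/bin/sh
# Added example, not CloudBolt's or Elastic's own tooling: render the placeholder
# template into a filebeat.yml from environment variables, create the file
# owner-read-only (it carries Elasticsearch and Kibana credentials), and confirm
# that no {{placeholder}} survived.  Variable names (ES_HOST, KIBANA_PASS, ...)
# and the sample values in demo() are constructed for this example.

# Prints the template from the page; the two wildcard paths match every job log
# and every job-engine worker log.
filebeat_template() {
    cat <<'EOF'
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/cloudbolt/application.log
    - /var/log/cloudbolt/authentication.log
    - /var/log/cloudbolt/jobs/*.log
    - /var/log/cloudbolt/jobengine.log
    - /var/log/cloudbolt/jobengine-worker*.log
output.elasticsearch:
  hosts: ['{{elasticsearch_hostname}}:{{elasticsearch_port}}']
  username: '{{elasticsearch_username}}'
  password: '{{elasticsearch_password}}'
setup.kibana:
  host: '{{kibana_hostname}}:{{kibana_port}}'
  username: '{{kibana_username}}'
  password: '{{kibana_password}}'
EOF
}

# render_filebeat_config OUTPUT_PATH
# Substitutes every placeholder from the environment.  Ports default to the
# Elasticsearch/Kibana defaults; hosts and credentials are mandatory.
# Values containing '|', '&' or '\' would need escaping for sed, which is one
# more reason to keep secrets in the Filebeat keystore rather than in this file.
render_filebeat_config() {
    out="$1"
    : "${ES_HOST:?ES_HOST is required}" "${ES_USER:?ES_USER is required}" \
      "${ES_PASS:?ES_PASS is required}" "${KIBANA_HOST:?KIBANA_HOST is required}" \
      "${KIBANA_USER:?KIBANA_USER is required}" "${KIBANA_PASS:?KIBANA_PASS is required}"
    rm -f "$out"
    # Subshell so the restrictive umask does not leak into the caller's shell;
    # the file is created 0600 from the start rather than tightened afterwards.
    ( umask 077
      filebeat_template | sed \
        -e "s|{{elasticsearch_hostname}}|${ES_HOST}|g" \
        -e "s|{{elasticsearch_port}}|${ES_PORT:-9200}|g" \
        -e "s|{{elasticsearch_username}}|${ES_USER}|g" \
        -e "s|{{elasticsearch_password}}|${ES_PASS}|g" \
        -e "s|{{kibana_hostname}}|${KIBANA_HOST}|g" \
        -e "s|{{kibana_port}}|${KIBANA_PORT:-5601}|g" \
        -e "s|{{kibana_username}}|${KIBANA_USER}|g" \
        -e "s|{{kibana_password}}|${KIBANA_PASS}|g" \
        > "$out" )
}

# Succeeds only if no {{...}} placeholder is left in the rendered file.
check_no_placeholders() {
    ! grep -q '{{[a-z_]*}}' "$1"
}

# Succeeds only if the rendered file is readable and writable by its owner alone.
check_mode_0600() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Stand-alone run with constructed values; real deployments export these from
# a secrets manager or a root-only environment file, never from shell history.
demo() {
    ES_HOST=es.example.internal ES_USER=filebeat_writer ES_PASS='example-only'
    KIBANA_HOST=kibana.example.internal KIBANA_USER=filebeat_writer KIBANA_PASS='example-only'
    export ES_HOST ES_USER ES_PASS KIBANA_HOST KIBANA_USER KIBANA_PASS
    out="${TMPDIR:-/tmp}/filebeat.yml.example"
    render_filebeat_config "$out"
    check_no_placeholders "$out" && check_mode_0600 "$out" \
        && echo "rendered $out (mode 0600, no placeholders left)"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh render-filebeat.sh --demo` to see the rendered file land in /tmp. On a real server, point the output at /etc/filebeat/filebeat.yml, then run `filebeat test config` and `filebeat test output` before starting the service. To keep the password out of the file entirely, Filebeat's keystore can hold it instead: `filebeat keystore create`, `filebeat keystore add ES_PWD`, and `password: "${ES_PWD}"` in filebeat.yml.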

Filebeat and Upgrading CloudBolt

Filebeat does not need to be reinstalled after upgrading CloudBolt. In some cases, however, the upgrade stops the Filebeat service, and it stays stopped until you restart it manually. To restart Filebeat, use the following command:

service filebeat start