Getting Alerts via ELK (Elastic Stack)
In this ELK walkthrough, we will use a simple deployment scenario of a Capsule8 Sensor deployed to a non-containerized Linux production server. If you have not already, see the Capsule8 Installation Guide for instructions on installing the Capsule8 Sensor in your deployment environment of choice.
We will be configuring the Capsule8 Sensor to log Alert data to a file called /var/log/capsule8-alerts.json, with a simple program blacklist policy that generates an Alert every time the program wget is run:
```yaml
alert_output:
  outputs:
    - type: file
      enabled: true
      file: /var/log/capsule8-alerts.json

Wget Program Blacklist:
  policy: program
  enabled: true
  alertMessage: Unauthorized Program Execution
  priority: High
  rules:
    - match programName == "*/wget"
    - default ignore
  comments: Alert on usage of the wget command
```
This example discusses using Elastic’s Filebeat to ingest Capsule8 Alerts from a Capsule8 Sensor into Elastic Stack, which includes Kibana. It was written for Filebeat v7.0. To get started, follow the Filebeat installation guide and install it alongside the Capsule8 Sensor in a Linux test environment.
Once Filebeat is installed, follow the configuration guide to connect Filebeat’s output to Elasticsearch or Logstash depending on how you have your Elastic deployment configured. Now you can configure Filebeat’s input. Locate your system’s Filebeat configuration file and add an input:
```yaml
filebeat.inputs:
  - type: log
    paths:
      - /var/log/capsule8-alerts.json
    json.keys_under_root: true
    json.add_error_key: true
```
This will not only ingest Alerts but will also parse the JSON data for you so that the individual top-level Alert fields are easily indexed.
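To make the effect of those two json.* options concrete, here is an added Python sketch (not Capsule8's or Elastic's code) that mimics how Filebeat's log input turns each line of the alert file into an event, including what happens to a line that is not valid JSON. The alert field names in the sample are constructed for illustration and are not the Sensor's real alert schema.

```python
import json

# Constructed sample alert file: one JSON object per line, which is what the
# Filebeat log input with json.* options expects. A truncated second line
# stands in for a partially written or corrupted record.
SAMPLE_LOG = """\
{"alertMessage": "Unauthorized Program Execution", "priority": "High", "programName": "/usr/bin/wget"}
{"alertMessage": "Unauthorized Program Execution", "priority": "High", "programName": "/usr/bin/wget"
{"alertMessage": "Other Alert", "priority": "Low", "programName": "/usr/bin/curl"}
"""


def filebeat_json_events(text, keys_under_root=True, add_error_key=True):
    """Simplified model of Filebeat's per-line JSON handling.

    keys_under_root=True copies the decoded fields to the top level of the
    event (so alertMessage, priority, ... are indexed directly) instead of
    nesting them under a "json" key. add_error_key=True keeps undecodable
    lines as events tagged with error.message / error.type instead of
    silently losing them.
    """
    events = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        event = {"log": {"line": lineno}}  # stand-in for Filebeat's own metadata
        try:
            decoded = json.loads(line)
            if not isinstance(decoded, dict):
                raise ValueError("top-level JSON value is not an object")
        except ValueError as exc:  # json.JSONDecodeError is a ValueError
            event["message"] = line  # raw line is preserved for inspection
            if add_error_key:
                event["error"] = {"message": f"Error decoding JSON: {exc}", "type": "json"}
            events.append(event)
            continue
        if keys_under_root:
            event.update(decoded)
        else:
            event["json"] = decoded
        events.append(event)
    return events


def unauthorized_execs(events):
    """The Kibana-style filter a responder would use for this page's policy."""
    return [e for e in events
            if e.get("priority") == "High"
            and e.get("alertMessage") == "Unauthorized Program Execution"]


def decode_errors(events):
    """Events Filebeat would have flagged via json.add_error_key."""
    return [e for e in events if "error" in e]
```

Watching `error.type: json` in Kibana is a cheap way to notice that the alert file is being truncated or written by something other than the Sensor.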
Restart Filebeat and you are done! Any Alerts generated on the server should now show up in your Elastic deployment. To generate an Alert with our example policy, run a wget command on your server. You should see a resulting Alert for Unauthorized Program Execution.