Capsule8 Docs
Capsule8 Docs
Help

Getting Alerts via ELK (Elastic Stack)

In this ELK walkthrough, we will use a simple deployment scenario of a Capsule8 Sensor deployed to a non-containerized Linux production server. If you have not already, see the Capsule8 Installation Guide for instructions on installing the Capsule8 Sensor in your deployment environment of choice.

We will be configuring the Capsule8 Sensor to log Alert data to a file called /var/log/capsule8-alerts.json with a simple program black list which will generate an Alert every time the program wget is run:

alert_output:
  outputs:
    - type: file
      enabled: true
      file: /var/log/capsule8-alerts.json

Wget Program Blacklist:
  policy: program
  enabled: true
  alertMessage: Unauthorized Program Execution
  priority: High
  rules:
  - match programName == "*/wget"
  - default ignore
  comments: Alert on usage of the wget command

This example discusses using Elastic’s Filebeat to ingest Capsule8 Alerts from a Capsule8 Sensor into Elastic Stack, which includes Kibana. It was written for Filebeat v7.0. To get started, follow the Filebeat installation guide and install it alongside the Capsule8 Sensor in a Linux test environment.

Once Filebeat is installed, follow the configuration guide to connect Filebeat’s output to Elasticsearch or Logstash depending on how you have your Elastic deployment configured. Now you can configure Filebeat’s input. Locate your system’s Filebeat configuration file and add an input:

filebeat.inputs:
- type: log
  paths:
    - /var/log/capsule8-alerts.json
  json.keys_under_root: true
  json.add_error_key: true

This will not only ingest Alerts but will also parse the JSON data for you so that the individual top-level Alert fields are easily indexed.

Restart Filebeat and you are done! Any Alerts generated on the server should now show up in your Elastic deployment. To generate an Alert with our example policy, run a wget command on your server. You should see a resulting Alert for Unauthorized Program Execution.