Coralogix provides seamless integration with Auditbeat so you can send your audit data from anywhere into Coralogix.
Coralogix Domain | Elasticsearch-API | SSL Certificates |
---|---|---|
coralogix.com | https://coralogix-esapi.coralogix.com:9443 | https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-EU.crt |
coralogix.in | https://es-api.app.coralogix.in:9443 | https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-IN.pem |
coralogix.us | https://esapi.coralogix.us:9443 | https://www.amazontrust.com/repository/AmazonRootCA1.pem |
coralogixsg.com | https://es-api.coralogixsg.com:9443 | https://www.amazontrust.com/repository/AmazonRootCA1.pem |
eu2.coralogix.com | https://es-api.eu2.coralogix.com:9443 | https://www.amazontrust.com/repository/AmazonRootCA1.pem |
Auditbeat
Private Key – Your “Send Your Data” API key is a unique ID that represents your company.
Company Id – A unique number that represents your company. You can get your company ID from the settings tab in the Coralogix dashboard.
Application Name – The name of your main application. For example, a company named “SuperData” would probably insert the “SuperData” string parameter, or, if they want to debug their test environment, they might insert “SuperData – Test”.
SubSystem Name – Your application probably has multiple subsystems, for example backend servers, middleware, frontend servers, etc. To help you examine the data you need, inserting the subsystem parameter is vital.
Open your Auditbeat configuration file and configure it to use Logstash. For more information about configuring Auditbeat to use Logstash, please refer to: https://www.elastic.co/guide/en/beats/auditbeat/current/logstash-output.html
Point your Auditbeat to output to the Coralogix Logstash server:
If your Coralogix domain ends with ‘.com’ use:
logstashserver.coralogix.com:5015
If your Coralogix domain ends with ‘.in’ use:
logstashserver.app.coralogix.in:5015
In addition, you should add Coralogix configuration from the General section.
Here is a basic example of an auditbeat.yml file for watching some folders on your server:
```yaml
#============================= Auditbeat Modules ===============================
auditbeat.modules:
- module: file_integrity
  enabled: true
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc

#================================ General =====================================
# Coralogix routing fields; fields_under_root places them at the top level of each event.
fields_under_root: true
fields:
  PRIVATE_KEY: "YOUR_PRIVATE_KEY"
  COMPANY_ID: YOUR_COMPANY_ID
  APP_NAME: "APP_NAME"
  SUB_SYSTEM: "SUB_NAME"

#----------------------------- Logstash output --------------------------------
output.logstash:
  enabled: true
  # If your Coralogix domain ends with '.com' use logstashserver.coralogix.com:5015
  # If your Coralogix domain ends with '.in' use logstashserver.app.coralogix.in:5015
  hosts: ["appropriate-log-stash-server"]
  ttl: 60s
  # CA certificate used to verify the Logstash server's TLS certificate; the path
  # must match where the certificate is placed on the host or inside the image.
  ssl.certificate_authorities: ["<path to folder with certificates>/ca.crt"]
```
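A pre-deployment check for the auditbeat.yml above, added here as an example and not Coralogix or Elastic code: it flags template placeholders left in place, a Logstash host that does not match the domain rule, and a missing CA path. It assumes the file was loaded with PyYAML's `yaml.safe_load` (dotted keys such as `output.logstash` stay literal strings); the sample dict is a constructed copy of the template.

```python
"""Sanity-check an auditbeat.yml written for Coralogix before deploying it
(added example; assumes the YAML was parsed with yaml.safe_load into a dict)."""

# Logstash endpoint the page prescribes for each Coralogix domain suffix.
LOGSTASH_BY_SUFFIX = {
    ".com": "logstashserver.coralogix.com:5015",
    ".in": "logstashserver.app.coralogix.in:5015",
}
REQUIRED_FIELDS = ("PRIVATE_KEY", "COMPANY_ID", "APP_NAME", "SUB_SYSTEM")
PLACEHOLDERS = {"YOUR_PRIVATE_KEY", "YOUR_COMPANY_ID", "APP_NAME", "SUB_NAME"}  # template values


def check_config(cfg: dict, coralogix_domain: str) -> list:
    """Return the list of problems found; an empty list means the config is ready."""
    problems = []
    if cfg.get("fields_under_root") is not True:
        problems.append("fields_under_root must be true so the keys reach Coralogix at top level")
    fields = cfg.get("fields") or {}
    for key in REQUIRED_FIELDS:
        value = fields.get(key)
        if value is None or str(value) in PLACEHOLDERS:
            problems.append(f"fields.{key} is missing or still a placeholder")
        elif key == "COMPANY_ID" and not str(value).isdigit():
            problems.append("COMPANY_ID must be a number")
    modules = cfg.get("auditbeat.modules") or []
    if not any(m.get("module") == "file_integrity" and m.get("enabled", True) and m.get("paths")
               for m in modules):
        problems.append("no enabled file_integrity module with paths to watch")
    out = cfg.get("output.logstash") or {}
    suffix = next((s for s in LOGSTASH_BY_SUFFIX if coralogix_domain.endswith(s)), None)
    if suffix is None:
        problems.append(f"no Logstash endpoint known for domain {coralogix_domain}")
    elif out.get("hosts") != [LOGSTASH_BY_SUFFIX[suffix]]:
        problems.append(f"hosts must be ['{LOGSTASH_BY_SUFFIX[suffix]}'] for {coralogix_domain}")
    cas = out.get("ssl.certificate_authorities") or []
    # No CA means the Logstash server is not verified; a '<' means the path placeholder is unchanged.
    if not cas or any("<" in path for path in cas):
        problems.append("ssl.certificate_authorities must point at the Coralogix CA certificate")
    return problems


# Constructed sample: the page's template with its placeholders still in place.
TEMPLATE = {
    "auditbeat.modules": [{"module": "file_integrity", "enabled": True, "paths": ["/etc"]}],
    "fields_under_root": True,
    "fields": {"PRIVATE_KEY": "YOUR_PRIVATE_KEY", "COMPANY_ID": "YOUR_COMPANY_ID",
               "APP_NAME": "APP_NAME", "SUB_SYSTEM": "SUB_NAME"},
    "output.logstash": {"enabled": True, "hosts": ["appropriate-log-stash-server"],
                        "ssl.certificate_authorities": ["<path to folder with certificates>/ca.crt"]},
}
```

Running `check_config(TEMPLATE, "coralogix.com")` reports the four unfilled fields, the wrong host and the missing CA; a filled-in config returns an empty list.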
Build a Docker image with your auditbeat.yml:
```dockerfile
FROM docker.elastic.co/beats/auditbeat:6.6.2
LABEL description="Auditbeat filesystem audit data collector"
# Adding configuration file and SSL certificates for Auditbeat
COPY auditbeat.yml /usr/share/auditbeat/auditbeat.yml
COPY ca.crt /etc/ssl/certs/Coralogix.crt
# Changing permission of configuration file
USER root
RUN chown root:auditbeat /usr/share/auditbeat/auditbeat.yml
# Return to deploy user
USER auditbeat
```
You can deploy with Docker Compose:
```yaml
version: '3.6'
services:
  auditbeat:
    image: docker.elastic.co/beats/auditbeat:6.6.2
    container_name: auditbeat
    volumes:
      - ./auditbeat.yml:/usr/share/auditbeat/auditbeat.yml:ro
      - ./ca.crt:/etc/ssl/certs/Coralogix.crt:ro
```
Important: Don’t forget to change the owner of the auditbeat.yml file to root (uid=1000).