{"id":296,"date":"2022-12-19T23:31:00","date_gmt":"2022-12-19T22:31:00","guid":{"rendered":"https:\/\/securityeye.wordifysites.com\/?p=296"},"modified":"2024-03-07T20:40:43","modified_gmt":"2024-03-07T19:40:43","slug":"log-management","status":"publish","type":"post","link":"https:\/\/swissmakers.ch\/en\/log-management\/","title":{"rendered":"Centralised log management of a modern company with the ELK stack"},"content":{"rendered":"<p><strong>User activity within your own company in the form of logs is incredibly valuable data.<\/strong> System failures or performance statuses also provide rich information about the <strong>quality<\/strong> of a network or a product. However, collecting all such actions manually, both from people and from machines, is in most cases a very complex task.<\/p>\n\n\n\n<p><strong>ELK<\/strong> is a technology stack that combines <strong>Elasticsearch<\/strong>, <strong>Logstash<\/strong> and <strong>Kibana<\/strong> to provide a comprehensive approach to consolidating, managing and <strong>analysing logs<\/strong> from your entire company. It allows <strong>real-time insights<\/strong> into network processes, firewall activities and domain controller log data, and also carries out automated and continuous security analyses.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote zitate is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>Centrally collect, search, automatically analyse and evaluate all events and log data, and trigger alarms as soon as security problems or unauthorised processes are detected.<\/strong><\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"gb-headline gb-headline-5fb819a9 gb-headline-text\">The centrepiece - Elasticsearch<\/h2>\n\n\n\n<p>The <strong>main component of an ELK stack<\/strong> is <strong>Elasticsearch<\/strong>: it forms the centrepiece and, in a production environment, runs as a cluster. 
It serves as the <strong>database<\/strong> and <strong>storage location<\/strong> for all data, which can be subdivided into separate log indexes (<code>indices<\/code>). This is also where the monitoring cluster comes to life. All storage operations and searches, whether automated or manual, are carried out here via API requests and bilateral communication between the cluster member nodes.<\/p>\n\n\n\n<p>Since Elasticsearch is a very extensive topic, we will publish a separate post about it: <em>Elasticsearch - The High Performance Search Engine<\/em>.<\/p>\n\n\n\n<h2 class=\"gb-headline gb-headline-5e12dd03 gb-headline-text\">The normalisation of logs by Logstash<\/h2>\n\n\n\n<p>The integration of custom systems, as is often the case with larger industrial companies such as gas, water or electricity utilities, frequently requires the logs to be normalised. This means that the log data produced by the different devices must first be converted into a standardised format that can then be imported into the Elasticsearch cluster. 
This applies in particular to technologies that are not already covered by the <strong>official data shippers<\/strong> such as <strong><a href=\"https:\/\/www.elastic.co\/de\/beats\/filebeat\" target=\"_blank\" rel=\"noreferrer noopener\">Filebeat<\/a><\/strong>, <strong><a href=\"https:\/\/www.elastic.co\/de\/beats\/winlogbeat\" target=\"_blank\" rel=\"noreferrer noopener\">Winlogbeat<\/a><\/strong>, <strong><a href=\"https:\/\/www.elastic.co\/de\/beats\/auditbeat\" target=\"_blank\" rel=\"noreferrer noopener\">Auditbeat<\/a><\/strong>, <strong><a href=\"https:\/\/www.elastic.co\/de\/beats\/metricbeat\" target=\"_blank\" rel=\"noreferrer noopener\">Metricbeat<\/a><\/strong> or <strong><a href=\"https:\/\/www.elastic.co\/de\/beats\/packetbeat\" target=\"_blank\" rel=\"noreferrer noopener\">Packetbeat<\/a><\/strong>.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>A Fleet server<\/strong> would also be a good option for bringing <strong>perimeter firewalls<\/strong> or other log sources into Elasticsearch.<\/li>\n\n\n\n<li>Existing integrations can be found under the following link: <strong><a href=\"https:\/\/www.elastic.co\/de\/integrations\/data-integrations\" target=\"_blank\" rel=\"noreferrer noopener\">Fleet agents<\/a><\/strong>.<\/li>\n<\/ul>\n\n\n\n<p>With Logstash, self-created <code>pipelines<\/code> and so-called <strong>GROK patterns<\/strong> make it possible to map your own log files, such as <em>those of a self-written Python script<\/em>, into <code>searchable fields<\/code> and to <strong>index<\/strong> them (save them) in Elasticsearch. For example, much like with regex, GROK can be used to extract all usernames or IP addresses from a particular log file and prepare them for Elasticsearch as <strong>key-value matchings<\/strong> in <strong>JSON<\/strong> format. 
The finished mapped log file is imported into Elasticsearch at the end of the pipeline.<\/p>\n\n\n\n<p>For a deeper understanding, the topic of Logstash, as well as the basic principle of pipelines, will be covered in a separate post at a later date: <em>Logstash - The log pipeline<\/em>.<\/p>\n\n\n\n<h2 class=\"gb-headline gb-headline-62f3eb01 gb-headline-text\">The Kibana user interface<\/h2>\n\n\n\n<p>Below you can see some screenshots of Kibana in productive use. Kibana used to be developed as a stand-alone product; today it is the graphical <strong>user interface<\/strong>, i.e. the <strong>web UI of Elasticsearch<\/strong>, and would no longer function independently without Elasticsearch.<br>At the end of this blog entry you will also find a few manufacturer demos of what data visualisation with Kibana could look like.<\/p>\n\n\n<style>.wp-block-kadence-advancedgallery.kb-gallery-wrap-id-296_0c854c-ce{margin-top:32px;margin-bottom:40px;}.kb-gallery-id-296_0c854c-ce.kb-gallery-ul.kb-gallery-type-fluidcarousel .kt-blocks-carousel figure .kb-gal-image-radius, .kb-gallery-id-296_0c854c-ce.kb-gallery-ul.kb-gallery-type-fluidcarousel .kt-blocks-carousel figure .kb-gal-image-radius img{height:342px;}.kb-gallery-id-296_0c854c-ce .kadence-blocks-gallery-item .kb-gal-image-radius, .kb-gallery-id-296_0c854c-ce .kb-slide-item .kb-gal-image-radius img{border-radius:0px 0px 0px 0px;;}.kb-gallery-wrap-id-296_0c854c-ce.wp-block-kadence-advancedgallery{overflow:visible;}.kb-gallery-wrap-id-296_0c854c-ce.wp-block-kadence-advancedgallery .kt-blocks-carousel{overflow:visible;max-width:100%;}<\/style><div class=\"kb-gallery-wrap-id-296_0c854c-ce alignnone wp-block-kadence-advancedgallery\"><div class=\"kb-gallery-ul kb-gallery-non-static kb-gallery-type-fluidcarousel kb-gallery-id-296_0c854c-ce kb-gallery-caption-style-bottom-hover kb-gallery-filter-none\" data-image-filter=\"none\" data-lightbox-caption=\"true\"><div class=\"kt-blocks-carousel splide kt-carousel-container-dotstyle-dark 
kt-carousel-arrowstyle-whiteondark kt-carousel-dotstyle-dark kb-slider-group-arrow kb-slider-arrow-position-center\" data-slider-anim-speed=\"400\" data-slider-scroll=\"1\" data-slider-arrows=\"true\" data-slider-dots=\"true\" data-slider-hover-pause=\"false\" data-slider-auto=\"\" data-slider-speed=\"7000\" data-slider-type=\"fluidcarousel\" data-slider-center-mode=\"true\" data-slider-gap=\"30px\" data-slider-gap-tablet=\"30px\" data-slider-gap-mobile=\"30px\" data-show-pause-button=\"false\"><div class=\"splide__track\"><ul class=\"kt-blocks-carousel-init kb-blocks-fluid-carousel splide__list\"><li class=\"kb-slide-item kb-gallery-carousel-item splide__slide\"><div class=\"kadence-blocks-gallery-item\"><div class=\"kadence-blocks-gallery-item-inner\"><figure class=\"kb-gallery-figure kadence-blocks-gallery-item-hide-caption\"><div class=\"kb-gal-image-radius\"><div class=\"kb-gallery-image-contain\" ><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-login-1024x577.webp\" width=\"1024\" height=\"577\" alt=\"\" data-full-image=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-login-scaled.webp\" data-light-image=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-login-scaled.webp\" data-id=\"1516\" class=\"wp-image-1516 skip-lazy\" srcset=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-login-1024x577.webp 1024w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-login-300x169.webp 300w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-login-768x433.webp 768w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-login-1536x865.webp 1536w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-login-2048x1154.webp 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/div><\/figure><\/div><\/div><\/li><li class=\"kb-slide-item 
kb-gallery-carousel-item splide__slide\"><div class=\"kadence-blocks-gallery-item\"><div class=\"kadence-blocks-gallery-item-inner\"><figure class=\"kb-gallery-figure kadence-blocks-gallery-item-hide-caption\"><div class=\"kb-gal-image-radius\"><div class=\"kb-gallery-image-contain\" ><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-discover-1024x579.webp\" width=\"1024\" height=\"579\" alt=\"\" data-full-image=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-discover-scaled.webp\" data-light-image=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-discover-scaled.webp\" data-id=\"1514\" class=\"wp-image-1514 skip-lazy\" srcset=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-discover-1024x579.webp 1024w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-discover-300x169.webp 300w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-discover-768x434.webp 768w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-discover-1536x868.webp 1536w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-discover-2048x1157.webp 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/div><\/figure><\/div><\/div><\/li><li class=\"kb-slide-item kb-gallery-carousel-item splide__slide\"><div class=\"kadence-blocks-gallery-item\"><div class=\"kadence-blocks-gallery-item-inner\"><figure class=\"kb-gallery-figure kadence-blocks-gallery-item-hide-caption\"><div class=\"kb-gal-image-radius\"><div class=\"kb-gallery-image-contain\" ><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-home-1024x579.webp\" width=\"1024\" height=\"579\" alt=\"\" data-full-image=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-home-scaled.webp\" 
data-light-image=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-home-scaled.webp\" data-id=\"1515\" class=\"wp-image-1515 skip-lazy\" srcset=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-home-1024x579.webp 1024w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-home-300x169.webp 300w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-home-768x434.webp 768w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-home-1536x868.webp 1536w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-home-2048x1157.webp 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/div><\/figure><\/div><\/div><\/li><li class=\"kb-slide-item kb-gallery-carousel-item splide__slide\"><div class=\"kadence-blocks-gallery-item\"><div class=\"kadence-blocks-gallery-item-inner\"><figure class=\"kb-gallery-figure kadence-blocks-gallery-item-hide-caption\"><div class=\"kb-gal-image-radius\"><div class=\"kb-gallery-image-contain\" ><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash1-1024x579.webp\" width=\"1024\" height=\"579\" alt=\"\" data-full-image=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash1-scaled.webp\" data-light-image=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash1-scaled.webp\" data-id=\"1517\" class=\"wp-image-1517 skip-lazy\" srcset=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash1-1024x579.webp 1024w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash1-300x169.webp 300w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash1-768x434.webp 768w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash1-1536x868.webp 1536w, 
https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash1-2048x1157.webp 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/div><\/figure><\/div><\/div><\/li><li class=\"kb-slide-item kb-gallery-carousel-item splide__slide\"><div class=\"kadence-blocks-gallery-item\"><div class=\"kadence-blocks-gallery-item-inner\"><figure class=\"kb-gallery-figure kadence-blocks-gallery-item-hide-caption\"><div class=\"kb-gal-image-radius\"><div class=\"kb-gallery-image-contain\" ><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash2-1024x579.webp\" width=\"1024\" height=\"579\" alt=\"\" data-full-image=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash2-scaled.webp\" data-light-image=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash2-scaled.webp\" data-id=\"1518\" class=\"wp-image-1518 skip-lazy\" srcset=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash2-1024x579.webp 1024w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash2-300x169.webp 300w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash2-768x434.webp 768w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash2-1536x868.webp 1536w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash2-2048x1157.webp 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/div><\/figure><\/div><\/div><\/li><li class=\"kb-slide-item kb-gallery-carousel-item splide__slide\"><div class=\"kadence-blocks-gallery-item\"><div class=\"kadence-blocks-gallery-item-inner\"><figure class=\"kb-gallery-figure kadence-blocks-gallery-item-hide-caption\"><div class=\"kb-gal-image-radius\"><div class=\"kb-gallery-image-contain\" ><img loading=\"lazy\" decoding=\"async\" 
src=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash3-1024x579.webp\" width=\"1024\" height=\"579\" alt=\"\" data-full-image=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash3-scaled.webp\" data-light-image=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash3-scaled.webp\" data-id=\"1519\" class=\"wp-image-1519 skip-lazy\" srcset=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash3-1024x579.webp 1024w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash3-300x169.webp 300w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash3-768x434.webp 768w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash3-1536x868.webp 1536w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash3-2048x1157.webp 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/div><\/figure><\/div><\/div><\/li><li class=\"kb-slide-item kb-gallery-carousel-item splide__slide\"><div class=\"kadence-blocks-gallery-item\"><div class=\"kadence-blocks-gallery-item-inner\"><figure class=\"kb-gallery-figure kadence-blocks-gallery-item-hide-caption\"><div class=\"kb-gal-image-radius\"><div class=\"kb-gallery-image-contain\" ><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash4-1024x579.webp\" width=\"1024\" height=\"579\" alt=\"\" data-full-image=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash4-scaled.webp\" data-light-image=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash4-scaled.webp\" data-id=\"1520\" class=\"wp-image-1520 skip-lazy\" srcset=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash4-1024x579.webp 1024w, 
https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash4-300x169.webp 300w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash4-768x434.webp 768w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash4-1536x868.webp 1536w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash4-2048x1157.webp 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/div><\/figure><\/div><\/div><\/li><\/ul><\/div><\/div><\/div><\/div>\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n<style>.kt-tabs-id296_c67cae-74 > .kt-tabs-content-wrap > .wp-block-kadence-tab{border-top:3px solid var(--contrast);border-top-left-radius:0px;border-top-right-radius:0px;border-bottom-right-radius:0px;border-bottom-left-radius:0px;padding-top:var(--global-kb-spacing-sm, 1.5rem);padding-right:var(--global-kb-spacing-sm, 1.5rem);padding-bottom:var(--global-kb-spacing-sm, 1.5rem);padding-left:var(--global-kb-spacing-sm, 1.5rem);min-height:500px;background:var(--base);}.wp-block-kadence-tabs .kt-tabs-id296_c67cae-74 > .kt-tabs-title-list li{margin-top:0px;margin-right:8px;margin-bottom:0px;margin-left:0px;margin-right:0px;margin-left:0px;}.wp-block-kadence-tabs .kt-tabs-id296_c67cae-74 > .kt-tabs-title-list li:last-child{margin-right:0px;}.wp-block-kadence-tabs .kt-tabs-id296_c67cae-74 > .kt-tabs-title-list{margin-right:-14px;}.wp-block-kadence-tabs .kt-tabs-id296_c67cae-74 > .kt-tabs-title-list li .kt-tab-title{margin-right:14px;}.wp-block-kadence-tabs .kt-tabs-id296_c67cae-74 > .kt-tabs-title-list li .kt-tab-title, .wp-block-kadence-tabs .kt-tabs-id296_c67cae-74 > .kt-tabs-content-wrap > .kt-tabs-accordion-title 
.kt-tab-title{line-height:1.4em;letter-spacing:0.6px;font-weight:regular;font-style:normal;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-top-left-radius:0px;border-top-right-radius:0px;border-bottom-right-radius:0px;border-bottom-left-radius:0px;padding-top:5px;padding-right:10px;padding-bottom:10px;padding-left:10px;border-color:var(--contrast);color:var(--contrast);background:var(--base-2);}.wp-block-kadence-tabs .kt-tabs-id296_c67cae-74 > .kt-tabs-content-wrap > .kt-tabs-accordion-title .kt-tab-title{margin-top:0px;margin-right:8px;margin-bottom:0px;margin-left:0px;}.wp-block-kadence-tabs .kt-tabs-id296_c67cae-74 > .kt-tabs-title-list li .kt-tab-title:hover, .wp-block-kadence-tabs .kt-tabs-id296_c67cae-74 > .kt-tabs-content-wrap > .kt-tabs-accordion-title .kt-tab-title:hover{border-color:var(--contrast);color:var(--accent);background:var(--accent-3);}.wp-block-kadence-tabs .kt-tabs-id296_c67cae-74 > .kt-tabs-title-list li.kt-tab-title-active .kt-tab-title, .wp-block-kadence-tabs .kt-tabs-id296_c67cae-74 > .kt-tabs-content-wrap > .kt-tabs-accordion-title.kt-tab-title-active .kt-tab-title{border-color:var(--contrast);color:var(--base-2);background:var(--contrast);}@media all and (max-width: 1024px){.kt-tabs-id296_c67cae-74 > .kt-tabs-content-wrap > .wp-block-kadence-tab{border-top:3px solid var(--contrast);}}@media all and (max-width: 1024px){.wp-block-kadence-tabs .kt-tabs-id296_c67cae-74 > .kt-tabs-title-list li .kt-tab-title{margin-right:3px;}}@media all and (max-width: 767px){.kt-tabs-id296_c67cae-74 > .kt-tabs-content-wrap > .wp-block-kadence-tab{border-top:3px solid var(--contrast);}}<\/style>\n<div class=\"wp-block-kadence-tabs alignnone\"><div class=\"kt-tabs-wrap kt-tabs-id296_c67cae-74 kt-tabs-has-5-tabs kt-active-tab-1 kt-tabs-layout-tabs kt-tabs-tablet-layout-tabs kt-tabs-mobile-layout-accordion kt-tab-alignment-left kt-create-accordion\"><ul class=\"kt-tabs-title-list kb-tabs-list-columns 
kb-tab-title-columns-5\"><li id=\"tab-datensammeln\" class=\"kt-title-item kt-title-item-1 kt-tabs-svg-show-always kt-tabs-icon-side-left kt-tab-title-active\"><a href=\"#tab-datensammeln\" data-tab=\"1\" class=\"kt-tab-title kt-tab-title-1\"><span class=\"kt-title-text\">Collect data<\/span><\/a><\/li><li id=\"tab-datenaufbereiten\" class=\"kt-title-item kt-title-item-2 kt-tabs-svg-show-always kt-tabs-icon-side-left kt-tab-title-inactive\"><a href=\"#tab-datenaufbereiten\" data-tab=\"2\" class=\"kt-tab-title kt-tab-title-2\"><span class=\"kt-title-text\">Prepare data<\/span><\/a><\/li><li id=\"tab-datenanalysieren\" class=\"kt-title-item kt-title-item-3 kt-tabs-svg-show-always kt-tabs-icon-side-left kt-tab-title-inactive\"><a href=\"#tab-datenanalysieren\" data-tab=\"3\" class=\"kt-tab-title kt-tab-title-3\"><span class=\"kt-title-text\">Analyse data<\/span><\/a><\/li><li id=\"tab-datenvisualisieren\" class=\"kt-title-item kt-title-item-4 kt-tabs-svg-show-always kt-tabs-icon-side-left kt-tab-title-inactive\"><a href=\"#tab-datenvisualisieren\" data-tab=\"4\" class=\"kt-tab-title kt-tab-title-4\"><span class=\"kt-title-text\">Visualise data<\/span><\/a><\/li><li id=\"tab-lifecycle\" class=\"kt-title-item kt-title-item-5 kt-tabs-svg-show-always kt-tabs-icon-side-left kt-tab-title-inactive\"><a href=\"#tab-lifecycle\" data-tab=\"5\" class=\"kt-tab-title kt-tab-title-5\"><span class=\"kt-title-text\">LifeCycle<\/span><\/a><\/li><\/ul><div class=\"kt-tabs-content-wrap\">\n<div class=\"wp-block-kadence-tab kt-tab-inner-content kt-inner-tab-1 kt-inner-tab_515fff-a4\"><div class=\"kt-tab-inner-content-inner\">\n<p>There are countless ways to index data in Elasticsearch:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Beats Data Shippers<\/strong>\n<ul class=\"wp-block-list\">\n<li><strong>Filebeat<\/strong> - Everything that comes in the form of log files, e.g. 
Apache, Nginx, Linux messages, Audit.log, etc.<\/li>\n\n\n\n<li><strong>Winlogbeat<\/strong> - All Windows event log messages and various extensions, e.g. PowerShell entries etc.<\/li>\n\n\n\n<li><strong>Auditbeat<\/strong> - Security-relevant messages, e.g. login attempts on Unix systems<\/li>\n\n\n\n<li><strong>Packetbeat<\/strong> - Network activities, latencies or network problems<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Logstash<\/strong>\n<ul class=\"wp-block-list\">\n<li><strong>Syslog<\/strong> - Input, the network port is freely configurable<\/li>\n\n\n\n<li><strong>Kafka<\/strong> - Input and output, the network port is freely configurable<\/li>\n\n\n\n<li><strong>RabbitMQ<\/strong> - Input and output, the network port is freely configurable<\/li>\n\n\n\n<li>\u21d2&nbsp; <a href=\"https:\/\/www.elastic.co\/guide\/en\/logstash\/current\/input-plugins.html\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Complete list of Logstash inputs<\/strong><\/a><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Fleet server<\/strong>\n<ul class=\"wp-block-list\">\n<li>All integrations under the following link: <a href=\"https:\/\/www.elastic.co\/de\/integrations\/data-integrations\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Fleet integrations<\/strong><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-kadence-tab kt-tab-inner-content kt-inner-tab-2 kt-inner-tab_1636a1-05\"><div class=\"kt-tab-inner-content-inner\">\n<p>Elasticsearch is an <strong>as-is database<\/strong>. This means that <strong>all mappings of data and fields must take place before the final indexing.<\/strong> For standard products that are known worldwide, e.g. 
Palo Alto firewalls, Cisco products, web servers, Windows systems or Linux system logs, no additional preparation with GROK is required in most cases, as all fields are already assigned correctly and automatically for such technologies.<\/p>\n\n\n\n<p>If this is not the case, the mapping can be done straightforwardly with <strong>Logstash<\/strong>, especially if the log source is an in-house development.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>More about: <strong><a href=\"https:\/\/www.elastic.co\/guide\/en\/logstash\/current\/pipeline.html\" target=\"_blank\" rel=\"noreferrer noopener\">How a Logstash pipeline works<\/a><\/strong><\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-kadence-tab kt-tab-inner-content kt-inner-tab-3 kt-inner-tab_c23aaf-57\"><div class=\"kt-tab-inner-content-inner\">\n<p>The data or logs can be viewed, analysed and searched in the \"<strong>Discover<\/strong>\" menu.<\/p>\n\n\n<style>.kb-image296_275679-91 .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<figure class=\"wp-block-kadence-image kb-image296_275679-91 size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"579\" src=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-discover-1024x579.webp\" alt=\"\" class=\"kb-img wp-image-1514\" srcset=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-discover-1024x579.webp 1024w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-discover-300x169.webp 300w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-discover-768x434.webp 768w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-discover-1536x868.webp 1536w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-discover-2048x1157.webp 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>This can be done by excluding event categories or by explicitly including them, such as searching for the tag <code>Access 
Denied<\/code> or <code>403<\/code> and much more. You can also use <strong>KQL (Kibana Query Language)<\/strong> or, for the more adventurous, <strong>Apache Lucene<\/strong> query syntax.<\/p>\n\n\n\n<p>Furthermore, the time period can be narrowed down with fine granularity, or a specific point in time within a period can be searched for down to the millisecond. Additional filters, such as only the logs from the firewall, can also be added here.<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-kadence-tab kt-tab-inner-content kt-inner-tab-4 kt-inner-tab_d41d82-6e\"><div class=\"kt-tab-inner-content-inner\">\n<p>Under Dashboards you will find <strong>over 40 default dashboards,<\/strong> which already come with Elasticsearch and its Beats. These can be customised, copied and saved, or saved under a new name.<\/p>\n\n\n\n<p>Of course you can also build <strong>your own dashboards<\/strong> from scratch, as the example of this reverse proxy shows:<\/p>\n\n\n<style>.kb-image296_a87cde-3c .kb-image-has-overlay:after{opacity:0.3;}<\/style>\n<figure class=\"wp-block-kadence-image kb-image296_a87cde-3c size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"579\" src=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash3-1024x579.webp\" alt=\"\" class=\"kb-img wp-image-1519\" srcset=\"https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash3-1024x579.webp 1024w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash3-300x169.webp 300w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash3-768x434.webp 768w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash3-1536x868.webp 1536w, https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-proxy-dash3-2048x1157.webp 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-kadence-tab kt-tab-inner-content kt-inner-tab-5 
kt-inner-tab_83c5d6-73\"><div class=\"kt-tab-inner-content-inner\">\n<p>Logs need storage space. Depending on the company and its firewalls, this can amount to up to 150 GB per day. It makes sense to consider how long the data should be searchable and when it can be archived or even deleted. There are four lifecycle phases for this, which can be easily defined in a lifecycle policy for each index or globally:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Hot phase<\/strong>\n<ul class=\"wp-block-list\">\n<li>This is where the live data resides.<\/li>\n\n\n\n<li>Indexing and active searches are carried out here.<\/li>\n\n\n\n<li>Best performance on local or even SSD storage<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Warm phase<\/strong>\n<ul class=\"wp-block-list\">\n<li>The warm phase is for logs that you want to keep searchable for longer, but move to cheaper storage after a certain time.<\/li>\n\n\n\n<li>Example: After 20 days, all logs should be automatically moved from the SSD storage to an NFS share, i.e. moved to the warm nodes.<\/li>\n\n\n\n<li>These logs can still be actively searched if a longer period of time is queried, e.g. the last 90 days (search in hot and warm).<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Cold phase<\/strong>\n<ul class=\"wp-block-list\">\n<li>This phase is for archiving purposes only.<\/li>\n\n\n\n<li>It can no longer be actively searched. In order to search the data again, it would first have to be reindexed into a temporary index; a typical use case is banks that want to keep logs for 10 years.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Delete phase<\/strong>\n<ul class=\"wp-block-list\">\n<li>Logs that reach this phase are deleted from the cluster.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>Important to mention: It is never necessary to define all phases. 
There can also be just a hot phase of 30 days, followed immediately by the delete phase.<\/p>\n<\/div><\/div>\n<\/div><\/div><\/div>\n\n\n<style>.wp-block-kadence-spacer.kt-block-spacer-296_056d7d-9f .kt-block-spacer{height:39px;}.wp-block-kadence-spacer.kt-block-spacer-296_056d7d-9f .kt-divider{border-top-width:1px;height:1px;border-top-color:#eee;width:80%;border-top-style:solid;}<\/style>\n<div class=\"wp-block-kadence-spacer aligncenter kt-block-spacer-296_056d7d-9f\"><div class=\"kt-block-spacer kt-block-spacer-halign-center\"><\/div><\/div>\n\n\n<div class=\"gb-container gb-container-5ecddd34\">\n<div class=\"gb-container gb-container-26969626\">\n<div class=\"gb-grid-wrapper gb-grid-wrapper-065b23ab\">\n<div class=\"gb-grid-column gb-grid-column-ce685750\"><div class=\"gb-container gb-container-ce685750\">\n<div class=\"gb-container gb-container-348215a3\">\n\n<h2 class=\"gb-headline gb-headline-83877a47 gb-headline-text\">Ready to get started?<\/h2>\n\n\n\n<p class=\"gb-headline gb-headline-cdafa845 gb-headline-text\">Learn more about Elastic at <a href=\"http:\/\/www.elastic.co\" target=\"_blank\" rel=\"noreferrer noopener\">www.elastic.co<\/a>! 
<\/p>\n\n<\/div>\n<\/div><\/div>\n\n<div class=\"gb-grid-column gb-grid-column-78653b0c\"><div class=\"gb-container gb-container-78653b0c\">\n\n<a class=\"gb-button gb-button-8aa839a0\" href=\"https:\/\/demo.elastic.co\/app\/home#\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span class=\"gb-button-text\">Manufacturer demo<\/span><span class=\"gb-icon\"><svg aria-hidden=\"true\" role=\"img\" height=\"1em\" width=\"1em\" viewbox=\"0 0 256 512\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\"><path fill=\"currentColor\" d=\"M224.3 273l-136 136c-9.4 9.4-24.6 9.4-33.9 0l-22.6-22.6c-9.4-9.4-9.4-24.6 0-33.9l96.4-96.4-96.4-96.4c-9.4-9.4-9.4-24.6 0-33.9L54.3 103c9.4-9.4 24.6-9.4 33.9 0l136 136c9.5 9.4 9.5 24.6.1 34z\"><\/path><\/svg><\/span><\/a>\n\n<\/div><\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>User activity within your own company in the form of logs is incredibly valuable data. System failures ... <\/p>\n<p class=\"read-more-container\"><a title=\"Centralised log management of a modern company with the ELK stack\" class=\"read-more button\" href=\"https:\/\/swissmakers.ch\/en\/log-management\/#more-296\" aria-label=\"Read more about Centralised log management of a modern company with the ELK stack\">Read 
more<\/a><\/p>","protected":false},"author":2,"featured_media":1514,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_eb_attr":"","_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","footnotes":""},"categories":[15,16,17],"tags":[30,34,36,43,45],"class_list":["post-296","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-itsecurity","category-monitoring","category-network","tag-elasticsearch","tag-log-management","tag-network","tag-siem","tag-vulnerability-management","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"taxonomy_info":{"category":[{"value":15,"label":"IT-Security"},{"value":16,"label":"Monitoring"},{"value":17,"label":"Network"}],"post_tag":[{"value":30,"label":"elasticsearch"},{"value":34,"label":"log-management"},{"value":36,"label":"network"},{"value":43,"label":"siem"},{"value":45,"label":"vulnerability management"}]},"featured_image_src_large":["https:\/\/swissmakers.ch\/wp-content\/uploads\/2022\/02\/elasticsearch-discover-1024x579.webp",1024,579,true],"author_info":{"display_name":"Michael 
Reber","author_link":"https:\/\/swissmakers.ch\/en\/author\/michael\/"},"comment_info":0,"category_info":[{"term_id":15,"name":"IT-Security","slug":"itsecurity","term_group":0,"term_taxonomy_id":15,"taxonomy":"category","description":"","parent":0,"count":9,"filter":"raw","cat_ID":15,"category_count":9,"category_description":"","cat_name":"IT-Security","category_nicename":"itsecurity","category_parent":0},{"term_id":16,"name":"Monitoring","slug":"monitoring","term_group":0,"term_taxonomy_id":16,"taxonomy":"category","description":"","parent":0,"count":8,"filter":"raw","cat_ID":16,"category_count":8,"category_description":"","cat_name":"Monitoring","category_nicename":"monitoring","category_parent":0},{"term_id":17,"name":"Network","slug":"network","term_group":0,"term_taxonomy_id":17,"taxonomy":"category","description":"","parent":0,"count":6,"filter":"raw","cat_ID":17,"category_count":6,"category_description":"","cat_name":"Network","category_nicename":"network","category_parent":0}],"tag_info":[{"term_id":30,"name":"elasticsearch","slug":"elasticsearch","term_group":0,"term_taxonomy_id":30,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":34,"name":"log-management","slug":"log-management","term_group":0,"term_taxonomy_id":34,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"},{"term_id":36,"name":"network","slug":"network","term_group":0,"term_taxonomy_id":36,"taxonomy":"post_tag","description":"","parent":0,"count":3,"filter":"raw"},{"term_id":43,"name":"siem","slug":"siem","term_group":0,"term_taxonomy_id":43,"taxonomy":"post_tag","description":"","parent":0,"count":3,"filter":"raw"},{"term_id":45,"name":"vulnerability 
management","slug":"vulnerability-management","term_group":0,"term_taxonomy_id":45,"taxonomy":"post_tag","description":"","parent":0,"count":1,"filter":"raw"}],"_links":{"self":[{"href":"https:\/\/swissmakers.ch\/en\/wp-json\/wp\/v2\/posts\/296","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/swissmakers.ch\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/swissmakers.ch\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/swissmakers.ch\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/swissmakers.ch\/en\/wp-json\/wp\/v2\/comments?post=296"}],"version-history":[{"count":49,"href":"https:\/\/swissmakers.ch\/en\/wp-json\/wp\/v2\/posts\/296\/revisions"}],"predecessor-version":[{"id":6983,"href":"https:\/\/swissmakers.ch\/en\/wp-json\/wp\/v2\/posts\/296\/revisions\/6983"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/swissmakers.ch\/en\/wp-json\/wp\/v2\/media\/1514"}],"wp:attachment":[{"href":"https:\/\/swissmakers.ch\/en\/wp-json\/wp\/v2\/media?parent=296"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/swissmakers.ch\/en\/wp-json\/wp\/v2\/categories?post=296"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/swissmakers.ch\/en\/wp-json\/wp\/v2\/tags?post=296"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}