
TCP input plug-in

Meet TCP

  • Tested versions: 8.8.2
  • Developed by Elastic
  • Supported Guardium versions:
    • Guardium Data Protection: 11.3 and above
    • Guardium Insights: 3.2 and above

This is a Logstash input plug-in for the universal connector that is featured in IBM Security Guardium. It enables Logstash to receive events over TCP connections. The events are then sent to a corresponding filter plug-in, which transforms these audit logs into a Guardium record instance, a standard structure made out of several parts. The information is then sent over to Guardium. Guardium records include an accessor (a person who tried to access the data), session, data, and exceptions. If there are no errors, the data contains details about the query "construct". The construct details the main action (verb) and collections (objects) involved.

To learn more about Logstash input plug-ins, see the Logstash documentation (logstash inputs tcp documentation).

Purpose

Specify a port, and this plug-in will listen to the port on the Logstash host for any new connection.

Usage

Parameters

| Parameter  | Input Type | Required | Default |
|------------|------------|----------|---------|
| port       | number     | Yes      |         |
| ssl_enable | boolean    | no       | False   |
| ssl_cert   | string     | no       |         |
| ssl_key    | string     | no       |         |
| ssl_verify | boolean    | no       | True    |

port

The port setting specifies the port on which the Logstash host listens for TCP connections.

ssl_enable

Enable SSL.

ssl_cert

Path to certificate in PEM format. This certificate will be presented to the connecting clients.

ssl_key

The path to the private key corresponding to the specified certificate (PEM format).

ssl_verify

Verify the identity of the other end of the SSL connection against the CA.

Logstash default configuration parameters

Other standard Logstash parameters are available, such as:

  • add_field
  • type
  • tags

Example

input {
  tcp {
    port => 514
  }
}

Configure TCP connection with SSL on GDP

  1. Generate Certificate Authority (CA)

    1. On the Collector, run the following API to get the Certificate Authority content:

      grdapi generate_ssl_key_universal_connector
    2. This API will print the content of the public Certificate Authority. Copy this certificate authority to your database source and save it as a ca.pem file.

  2. Configure the TCP logstash input with the following:

input {
  tcp {
    port => 6514
    ssl_enable => true
    ssl_cert => "${SSL_DIR}/cert.pem"
    ssl_key => "${SSL_DIR}/key.pem"
    ssl_verify => false
    type => "<datasource-type>"
  }
}

Set the datasource-type value according to the specific filter plug-in configuration.

For detailed instructions on how to configure TCP connection on GI, follow the instructions here.

Configuring rsyslog to send logs to Guardium

To learn more about rsyslog, see rsyslog documentation

rsyslog configuration for sending over TCP

Replace the <HOST> and <port> tokens with the address of the Guardium collector and the port configured in the TCP input, then append the snippet to the end of /etc/rsyslog.conf.

# Enable sending of logs over TCP to <HOST> and the port defined on the Guardium collector
*.* action(type="omfwd" target="<HOST>" port="<port>" protocol="tcp")

rsyslog configuration for sending over TCP with TLS

# Path to the Certificate Authority that was generated by the Guardium collector
$DefaultNetstreamDriverCAFile /path/to/tls/ca.pem

# Send logs over TCP with TLS
*.* action(type="omfwd" target="<HOST>" port="6514" protocol="tcp"
StreamDriver="gtls" # GnuTLS driver
StreamDriverMode="1" # run driver in TLS-only mode
)

Verify the configuration:

rsyslogd -N1

A successful validation run ends with: rsyslogd: End of config validation run. Bye.

After making changes to the syslog configuration, restart the syslog daemon to apply them:

sudo service rsyslog restart
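As an added example (not part of this page or of the plug-in), a small Python client that sends one RFC 5424 syslog frame to the TCP input and, in TLS mode, verifies the listener's certificate against the ca.pem printed by grdapi generate_ssl_key_universal_connector, the same check rsyslog performs through DefaultNetstreamDriverCAFile. The host, port, CA path and test message are placeholders or constructed values.

```python
"""Test client for a Guardium universal connector TCP input (constructed example).
In TLS mode the listener's certificate must chain to ca.pem, mirroring what the
rsyslog gtls driver checks via DefaultNetstreamDriverCAFile."""
import datetime
import socket
import ssl
from typing import Optional


def build_rfc5424(msg: str, hostname: str = "dbhost01", app: str = "testclient",
                  facility: int = 1, severity: int = 6, ts: Optional[str] = None) -> str:
    """Build an RFC 5424 line. PRI is facility*8 + severity; '-' marks empty fields."""
    if ts is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        ts = now.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return f"<{facility * 8 + severity}>1 {ts} {hostname} {app} - - - {msg}"


def tls_context(ca_file: Optional[str], verify: bool = True) -> ssl.SSLContext:
    """Client-side TLS context. verify=True requires the listener's certificate
    to chain to ca_file (the CA content copied from the collector as ca.pem)."""
    if verify:
        return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before disabling verification
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def send_syslog(host: str, port: int, line: str, ca_file: Optional[str] = None,
                use_tls: bool = False, verify: bool = True, timeout: float = 5.0) -> dict:
    """Deliver one newline-terminated frame and report what the connection negotiated."""
    sock = socket.create_connection((host, port), timeout=timeout)
    info = {"tls": use_tls, "peer_subject": None, "cipher": None}
    if use_tls:
        sock = tls_context(ca_file, verify).wrap_socket(sock, server_hostname=host)
        cert = sock.getpeercert()  # empty dict when verification is disabled
        info["peer_subject"] = cert.get("subject") if cert else None
        info["cipher"] = sock.cipher()
    with sock:
        sock.sendall((line + "\n").encode("utf-8"))
    return info


if __name__ == "__main__":
    # Placeholder host and CA path: substitute the collector's values before running.
    frame = build_rfc5424("universal connector TCP input smoke test")
    print(send_syslog("<HOST>", 6514, frame, ca_file="/path/to/tls/ca.pem", use_tls=True))
```

Run it from the database host after the rsyslog restart above; a returned cipher and peer subject confirm the listener accepted a TLS connection whose certificate chains to ca.pem, and the frame should then appear as an event at the filter plug-in.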