How-To Configure an ELK Stack Integration With ObjectSecurity OT.AI Platform Logs
This article will explain how to configure ObjectSecurity OT.AI Platform to send logs to ELK Stack for more accessible log keeping and parsing.
The ObjectSecurity OT.AI Platform UI provides a nice interface for viewing results from your analyses. However, sometimes users would like to search for assessment results with more granularity or create more complicated search queries for their results. This can be accomplished with the assistance of ELK Stack, which provides the Kibana query language interface for finer search support.
TABLE OF CONTENTS
Configuring ELK Stack to Accept Logs from ObjectSecurity OT.AI Platform
Configuring ELK Stack Location within ObjectSecurity OT.AI Platform
Other Useful Resources
Configuring ELK Stack to Accept Logs from ObjectSecurity OT.AI Platform
To receive logs from ObjectSecurity OT.AI Platform, the user must first configure a Logstash pipeline to accept logs from ObjectSecurity OT.AI Platform. To do this, the user will need root access to the computer or server hosting their ELK stack.
- Creating a Logstash Config file. First, the user must create a new Logstash configuration file.
With root access, navigate to /etc/logstash/conf.d on the ELK server. Once there, the user should create a new configuration file "objectsecurity.conf" for ObjectSecurity-specific logs. By default, Logstash reads any file with the extension ".conf" in that directory as a valid configuration file. ObjectSecurity OT.AI Platform supports HTTP, UDP, and TCP for sending logs to the ELK stack, so depending on which protocol the user would like to use, they may edit the following configuration as they wish. Paste the contents below into the file to open ports for receiving logs via all three protocols (the user may delete whichever input blocks they don't plan on using):

input {
  http {
    port => 31311
  }
}
input {
  tcp {
    port => 31312
    codec => json
  }
}
input {
  udp {
    port => 31313
    codec => json
  }
}
output {
  elasticsearch {
    hosts => ["0.0.0.0:9200"]
  }
}
This configuration file will make Logstash receive logs via HTTP on port 31311, TCP on port 31312, and UDP on port 31313. Please note that this configuration expects Elasticsearch to be listening on port 9200, the default port for Elasticsearch. If you have changed the location of Elasticsearch, you will need to update the host and port in the output block accordingly.
In addition to this, if your Elasticsearch has authentication configured, you will need to update the output block with the credentials used to authenticate to your Elasticsearch instance:

output {
  elasticsearch {
    hosts => ["0.0.0.0:9200"]
    user => "elasticusername"
    password => "elasticpassword"
  }
}
- Activating a Logstash Pipeline. Now that the user has created the configuration file for ObjectSecurity OT.AI Platform logs, they must activate the pipeline.
On the ELK server, navigate to the /etc/logstash directory. From here, use your favorite editor (vi, vim, or nano, for example) to open the "pipelines.yml" file. Add the following lines to the file to enable the pipeline, then save the file. Please note that if you have named your Logstash config file something other than "objectsecurity.conf", you will need to update the path.config line to match your chosen file name.

- pipeline.id: objectsecurity
  path.config: "/etc/logstash/conf.d/objectsecurity.conf"
Once these steps have been completed and Logstash has reloaded its pipelines, your Logstash configuration is active and the pipeline is ready to receive logs on the ports you enabled in the configuration. You are now ready to configure ObjectSecurity OT.AI Platform settings to point to your ELK stack and begin sending logs.
Configuring ELK Stack Location within ObjectSecurity OT.AI Platform
To get started using the ELK stack integration feature, the user will need to go to the ObjectSecurity OT.AI Platform settings and enter the IP address and port of the Logstash instance that will be receiving the logs. To find the ELK stack configuration settings within ObjectSecurity OT.AI Platform, go to Settings > Deployment > Configure ELK Stack. From here, the user must select the protocol to use for sending the logs, the IP address to send the logs to, and the port on which that IP address will be receiving the logs.
The protocol you select must match one of the input protocols you enabled in the Logstash configuration during the "Creating a Logstash Config file" step of the "Configuring ELK Stack to Accept Logs from ObjectSecurity OT.AI Platform" section outlined above, and the port must match that input's port.
Note: The listening port is defined in the Logstash configuration files (stored at /etc/logstash/conf.d), not in the platform settings. For more information about configuring Logstash and its inputs, refer to the "Configuring ELK Stack to Accept Logs from ObjectSecurity OT.AI Platform" section above.
To clarify, the IP entry should be the IP address of the instance hosting the user's ELK stack. Once the information has been entered correctly, select Submit to save the logging destination settings for ObjectSecurity OT.AI Platform.
To verify that the configuration is set up properly, a test log is sent to the configured ELK stack instance each time the Submit button is clicked. The simplest way to validate the configuration is to adjust the fields and click Submit until the ELK stack instance receives the test log (for example, by searching for it in Kibana).
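If the test log never shows up, it helps to rule out the Logstash side independently of the platform. The following added example is not part of the article or of ObjectSecurity OT.AI Platform; it sends a constructed JSON event to the three input types defined in the configuration above (HTTP 31311, TCP 31312, UDP 31313) and includes a loopback self-check that proves the UDP path works before you point it at a real server. The event field names ("source", "message") are assumptions for illustration, not the platform's log schema.

```python
import json
import socket
import urllib.request
from datetime import datetime, timezone


def build_test_event(source="otai-platform-test"):
    """Constructed sample event; field names are illustrative only."""
    return {
        "@timestamp": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "message": "ELK integration test log",
    }


def send_udp(host, port, event, timeout=2.0):
    """Send one JSON datagram to the Logstash udp input (codec => json)."""
    payload = json.dumps(event).encode("utf-8")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        return s.sendto(payload, (host, port))


def send_tcp(host, port, event, timeout=2.0):
    """Send one newline-terminated JSON object to the Logstash tcp input."""
    payload = json.dumps(event).encode("utf-8") + b"\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
    return len(payload)


def send_http(host, port, event, timeout=2.0):
    """POST one JSON body to the Logstash http input; returns the HTTP status."""
    req = urllib.request.Request(
        f"http://{host}:{port}/",
        data=json.dumps(event).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def loopback_udp_check():
    """Self-test: bind a throwaway UDP listener, send through send_udp, decode the result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))  # ephemeral port, no ELK server needed
        listener.settimeout(2.0)
        port = listener.getsockname()[1]
        sent = send_udp("127.0.0.1", port, build_test_event())
        data, _ = listener.recvfrom(65535)
    return json.loads(data.decode("utf-8")), sent == len(data)
```

Against a real ELK server, call send_udp(ELK_IP, 31313, build_test_event()), send_tcp(ELK_IP, 31312, ...) or send_http(ELK_IP, 31311, ...) with your server's address, then search Kibana for the "message" value; a connection refused or timeout points at the Logstash input or a firewall rather than at the platform settings.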
Other Useful Resources:
- Importing Pre-made ELK Dashboards to Your ELK Stack
- Query Fields Available for Advanced Queries