Axonius is a cybersecurity asset management platform. This topic describes how to send system logs from your Axonius platform to Layerlog.
Before you begin, you’ll need:
- An active account with Axonius
- An active account with Layerlog
- Filebeat 7 installed on your machine
- Root privileges on your machines
Configure Axonius to send syslog notifications to a remote Syslog server running Filebeat
- On your Axonius web interface, go to System Settings > Global Settings > Syslog Settings.

- Select Use Syslog.
- Enter the IP address of your remote syslog server into the Syslog host field. This is the server where you run Filebeat.
- Enter the port number into the Port field.
- Select UDP in the Protocol menu.
By default, syslog is forwarded over port 514. You can change this based on your preference or port availability, but make the same change to the port in the host setting of the Filebeat configuration.
Download the Layerlog public certificate to your credentials server
For HTTPS shipping, download the Layerlog public certificate to your certificate authority folder.
sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Configure Filebeat
- Paste the following into the inputs section of the Filebeat configuration file:

    filebeat.inputs:
    - type: udp
      max_message_size: 10MiB
      host: "<<ADDRESS-OF-YOUR-FILEBEAT-SERVER>>:514"

      fields:
        logzio_codec: plain

        # Your Layerlog account token. You can find your token at
        # http://panel.layerlog.com/#/dashboard/settings/manage-accounts
        token: <<LOG-SHIPPING-TOKEN>>
        type: axonius
      fields_under_root: true
      encoding: utf-8
      ignore_older: 3h

    filebeat.registry.path: /var/lib/filebeat
    processors:
    - rename:
        fields:
        - from: "agent"
          to: "filebeat_agent"
        ignore_missing: true
    - rename:
        fields:
        - from: "log.file.path"
          to: "source"
        ignore_missing: true

    output.logstash:
      hosts: ["<<LISTENER-HOST>>:5015"]
      ssl:
        certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

- Replace <<ADDRESS-OF-YOUR-FILEBEAT-SERVER>> with the address of your server running Filebeat.
- Your Layerlog log shipping token directs the data securely to your Layerlog Log Management account. The default token is auto-populated in the examples when you’re logged into the Layerlog app as an Admin. Manage your tokens.
- Use the listener URL specific to the region where your Layerlog account is hosted. Click to look up your listener URL.
- Replace
- Run Filebeat with the new configuration.
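Before running Filebeat, a pre-flight check of the edited configuration catches the mistakes this procedure makes easy: a placeholder left in place, a port that differs from the one entered in Axonius, a missing CA file, or a token-bearing file that other users can read. This is an added example, not part of the Layerlog or Axonius documentation; the function name `preflight` and the `/etc/filebeat/filebeat.yml` path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for the Filebeat configuration shown above.
# Usage: sh preflight.sh /etc/filebeat/filebeat.yml 514
#   $1 = Filebeat config path (assumed location; adjust to your install)
#   $2 = port entered in the Axonius Syslog Settings
preflight() {
    cfg=$1; port=$2; rc=0
    [ -r "$cfg" ] || { echo "FAIL cannot read $cfg"; return 2; }

    # 1. Every <<PLACEHOLDER>> outside comment lines must have been replaced.
    left=$(grep -v '^[[:space:]]*#' "$cfg" | grep -o '<<[A-Z-]*>>' | sort -u | tr '\n' ' ')
    [ -z "$left" ] || { echo "FAIL unreplaced placeholders: $left"; rc=1; }

    # 2. The udp input must listen on the port Axonius sends to.
    listen=$(sed -n 's/^ *host: *"\{0,1\}.*:\([0-9]\{1,5\}\)"\{0,1\} *$/\1/p' "$cfg" | head -n 1)
    [ "$listen" = "$port" ] || { echo "FAIL input port '$listen', Axonius sends to '$port'"; rc=1; }

    # 3. The CA file named under output.logstash must exist and be PEM,
    #    otherwise Filebeat cannot verify the listener's TLS certificate.
    ca=$(sed -n "s/^ *certificate_authorities: *\[ *['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" | head -n 1)
    if [ -z "$ca" ] || ! grep -q 'BEGIN CERTIFICATE' "$ca" 2>/dev/null; then
        echo "FAIL CA file missing or not PEM: '$ca'"; rc=1
    fi

    # 4. The file holds the shipping token: it should not be world-readable
    #    or writable by group/others.
    if [ -n "$(find "$cfg" \( -perm -004 -o -perm -002 -o -perm -020 \))" ]; then
        echo "FAIL $cfg is readable by others or writable by group/others (chmod 600)"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK $cfg"
    return "$rc"
}

# Run the check only when a config path and a port are given on the command line.
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

Once this passes, Filebeat's own `filebeat test config` and `filebeat test output` subcommands check the YAML syntax and the connection to the listener.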
Check Layerlog for your logs
Give your logs some time to get from your system to ours, and then open Kibana. You can filter for data of type axonius to see the incoming Axonius logs.
If you still don’t see your data, see log shipping troubleshooting.