How do I check if my Wazuh Filebeat is corrrectly sending logs to my Security Onion Logstash and if my Logstash is sending the info to Elastic Search?

[chisomobanja]

Hello everyone,

I am currently setting up Filebeat from Wazuh to forward logs to Logstash in my Security Onion setup. I have configured Filebeat with the following settings in the filebeat.yml file:

   hosts: ["my_securityonion_ip:5044"]

Logstash is configured to receive logs from Filebeat on port 5044 as per the configuration in /opt/so/conf/logstash/custom/1100_preprocess_wazuh.conf. However, I am not sure how to confirm that Filebeat is actually connecting to Logstash and forwarding the logs.

Could someone guide me on how to verify that the connection between Filebeat and Logstash is successful? Specifically:

How do I check that Filebeat is running and sending logs to Logstash?
What logs or outputs should I check to confirm that Filebeat is properly connected to Logstash?
Any help or pointers would be greatly appreciated!

Thank you.

[cm-ops]

If you run sudo so-logstash-pipeline-stats manager do you see your plugin and any events being processed?

Did you also add custom/1100_preprocess_wazuh.conf to your Logstash manager pipeline in SOC? SOC > Administration > Configuration > logstash > defined_pipelines > manager [advanced toggled on]

[chisomobanja]

Yes I could see them being processed

Under which part do I find the defined pipelines? I did not add custom/1100_preprocess_wazuh.conf

[cm-ops]

I'll add a screenshot.

SOC > Administration > Configuration > logstash > defined_pipelines > manager [advanced toggled on]

[chisomobanja]

Thank you, I'll try that