Output filebeat to local directory in /nsm/ Using logstash #14695
Replies: 1 comment 2 replies
https://docs.securityonion.net/en/2.4/syslog.html#syslog We are using the Elastic agent and integrations.
Version: 2.4.130
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Standalone
Location: airgap
Hardware Specs: Exceeds minimum requirements
CPU: 8
RAM: 32
Storage for /: 200
Storage for /nsm: 50
Network Traffic Collection: tap
Network Traffic Speeds: 1Gbps to 10Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues
Detail
I am trying to take in raw syslogs and wanted to use Filebeat since it is integrated with the Elastic Stack. I am having an issue figuring out how to output the logs to /nsm/logstash/. I have put Filebeat on an endpoint; it is successfully harvesting, has been added to the so-firewall, and can netcat through the open port. I have created a custom output pipeline to try to output the files to /nsm/logstash/ but am having no luck and no errors. This is an air-gapped environment with a local network backbone.

Here is my defaults.yml that points to my custom/tofile.conf
Here is the tofile.conf
output of /opt/so/log/logstash/logstash.log
filebeat.conf of the endpoint
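The poster's defaults.yml, tofile.conf and filebeat.conf are not reproduced on the page, so the following is an added example of what a minimal Logstash pipeline of the kind described (Beats input, file output under /nsm/logstash/) looks like. It is not the poster's configuration or Security Onion's own pipeline; the listen port, the output path layout, the tag name and the field names used in the path are assumptions.

```conf
# Added example, not the poster's tofile.conf: accept events from Filebeat
# over the Beats protocol and write them as JSON lines under /nsm/logstash/.
input {
  beats {
    # Assumed port; it must match output.logstash.hosts in the endpoint's
    # filebeat.yml and be opened on the manager's host firewall.
    port => 5044
  }
}

filter {
  # Tag these events so the file output below (and any other pipeline sharing
  # the Logstash instance) can tell them apart from other inputs.
  mutate {
    add_tag => [ "filebeat_raw" ]
  }
}

output {
  if "filebeat_raw" in [tags] {
    file {
      # One file per sending host per day; [host][name] is the field Filebeat
      # populates for the harvesting machine. The directory must exist and be
      # writable by the user Logstash runs as. When Logstash runs inside a
      # container, this path is the path inside the container: unless it is
      # bind-mounted from the host, the files are written into the container
      # filesystem and never appear under /nsm/logstash/ on the host, which
      # produces exactly the "no output, no errors" symptom.
      path => "/nsm/logstash/%{[host][name]}/%{+YYYY-MM-dd}.json"
      codec => json_lines
    }
  }
}
```

Two checks a practitioner would run before assuming the pipeline is broken: confirm the Beats listener is actually up (a TCP connect from the endpoint to the assumed port succeeding, as the poster already verified with netcat), and confirm the output directory is reachable from where Logstash runs. On a containerised deployment that means listing the directory from inside the Logstash container (for Security Onion the container name is assumed to be so-logstash, e.g. `sudo docker exec so-logstash ls -l /nsm/logstash`) and comparing it with the same listing on the host; if the files exist in one place but not the other, the path is not mounted and the pipeline configuration itself is fine.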