Logs Integration in Opensearch

[agauttam]

Hi,

I have an interesting question regarding logs integration. If I directly integrate the Windows DNS and DHCP logs into the OpenSearch database using Logstash, will the correlation engine trigger alerts for rules related to DNS and DHCP?

Thank you!

Best regards,
Arun

[c3s4rfred]

Hi @agauttam, actually it won't, because there are no rules implemented for DHCP and DNS, but you can develop as many custom rules for that logs as you want and test them on the platform.

Best regards

[agauttam]

Hi,
I am looking here to add a new instance of logstash in the UTMStack docker environment, and push the logs to Elasticsearch.
Do I need to place Logstash in the utmstack_default network to push logs to the correlation engine, or can I push logs directly to Elasticsearch?

Regards,
Arun

[c3s4rfred]

Hi, @agauttam adding a new logstash instance is a complex thing to do, UTMStack logs collector is prepared to read database configurations, dynamically create the logstash http input ports redirection from agent to UTMStack, the agent receives the logs, categorize them and send them to the correct logstash port, so adding a new logstash won't do anything.

[c3s4rfred]

You can add a new logstash instance, configure it to receive logs on the same network as UTMStack and create a filter output to send logs directly to correlation engine, but it isn't recommended, it's a hard work to do and, the filters and rules have an specific structure needed to be processed successfully.

Best regards

[agauttam]

Hi,
Thank you for the detailed explanation. I’ve reviewed the code and understand the complexities involved with adding a new Logstash instance. Given your advice, I will proceed with integrating the logs through the UTMStack agent as it seems to be the most efficient approach. I'll ensure that the logs are categorized correctly and routed through the proper channels within the existing setup.

Please let me know if there are any specific guidelines or best practices I should follow during this integration.

Best regards,
Arun

[c3s4rfred]

Hi, @agauttam you just only need to follow the integration guides according to the type of logs and technology, the technology must be on the provided integration list, also you can use the syslog integration that allows you to send any kind of logs through syslog.

Best regards