Logs

Once logs are generated by network sniffing processes or endpoints, where do they go? How are they parsed? How are they stored? That’s what we’ll discuss in this section.

• Ingest
  • Import
  • Eval
  • Standalone
  • Fleet Standalone
  • Manager (separate search nodes)
  • Manager Search
  • Heavy
  • Search
  • Forward
• Filebeat
  • Configuration
  • Diagnostic Logging
  • Modules
  • More Information
• Logstash
  • Configuration
  • Parsing
  • Adding New Logs
  • Logstash Parsing
  • Forwarding Events to an External Destination
  • Original Event Forwarding
  • Modified Event Forwarding
  • Queue
  • Diagnostic Logging
  • Errors
  • More Information
• Redis
  • Queue
  • Tuning
  • Diagnostic Logging
  • More Information
• Elasticsearch
  • Querying
  • Authentication
  • Diagnostic Logging
  • Storage
  • Parsing
  • Templates
  • Community ID
  • Configuration
  • Closing Indices
  • Deleting Indices
  • Distributed Deployments
  • Re-indexing
  • Clearing
  • GeoIP
  • More Information
• ElastAlert
  • Configuration
  • Diagnostic Logging
  • More Information
• Curator
  • Configuration
  • Creating Actions
  • Diagnostic Logging
  • Curator vs Index Lifecycle Management (ILM)
  • More Information
• Data Fields
  • ECS
  • Fields
  • Template files
• Alert Data Fields
• Elastalert Fields
• Zeek Fields
• Community ID
  • More Information
• Re-Indexing
• SOC Logs
  • SOC Auth Logs
• Other Supported Logs
  • Example: pfSense
  • Example: RITA