This article explains how to configure ObjectSecurity’s BinLens™ (formerly ObjectSecurity OT.AI Platform) to send logs to an Elasticsearch, Logstash, and Kibana (ELK) Stack for more accessible log keeping and parsing.

ObjectSecurity’s BinLens™ UI provides an excellent interface for viewing results from your analyses. However, users sometimes want to search assessment results with more granularity or build more complicated queries over them. This can be accomplished with the assistance of the ELK Stack, whose Kibana Query Language (KQL) interface provides finer search support.

Configuring ELK Stack to Accept Logs from BinLens

To receive logs from ObjectSecurity’s BinLens™, the user must first configure a Logstash pipeline to accept logs from BinLens. To do this, the user will need root access to the computer or server hosting their ELK stack.

  1. Creating a Logstash Config file. First, the user must create a new Logstash configuration file.

    With root access, navigate to /etc/logstash/conf.d on the ELK server. Once there, the user should create a new configuration file, “objectsecurity.conf,” for ObjectSecurity-specific logs. By default, Logstash reads any file in that directory with the extension “.conf” as a valid configuration file. ObjectSecurity’s BinLens™ supports the HTTP, UDP, and TCP protocols for sending logs to the ELK stack, so the user may edit the following configuration file to match whichever protocol they plan to use. Paste the contents below into the file to open ports for receiving logs via all three protocols (the user may delete whichever input blocks they don’t plan on using):

    # BinLens -> Logstash inputs. Each input listens on every interface by
    # default; delete the blocks for any protocol you will not use.
    input {
      http {
        port => 31311
      }
    }
    input {
      tcp {
        port => 31312
        codec => json
      }
    }
    input {
      udp {
        port => 31313
        codec => json
      }
    }
    # Logstash -> Elasticsearch. 9200 is the Elasticsearch default port;
    # change the host/port if your Elasticsearch instance lives elsewhere.
    output {
      elasticsearch {
        hosts => ["0.0.0.0:9200"]
      }
    }

    This configuration tells Logstash to receive logs via HTTP on port 31311, TCP on port 31312, and UDP on port 31313. Please note that it expects Elasticsearch to be hosted on port 9200, the default port for Elasticsearch. If you have changed the Elasticsearch location, you must update the host and port accordingly.

    In addition to this, if your Elasticsearch has authentication configured, you will need to update the output block with the credentials used to authenticate to your Elasticsearch instance:

    output {
      elasticsearch {
        hosts => ["0.0.0.0:9200"]
        # Replace with the Elasticsearch credentials Logstash should use.
        # Logstash also accepts "${ES_PASSWORD}"-style references resolved
        # from its keystore, which keeps the secret out of this file.
        user => "elasticusername"
        password => "elasticpassword"
      }
    }
  2. Activating a Logstash Pipeline. The user must start the pipeline after creating the configuration file for BinLens logs.

    Navigate to the /etc/logstash directory on the ELK server. From here, use your favorite editor (vi, vim, or nano, for example) to open the “pipelines.yml” file. Add the following lines to the file to enable the pipeline, then save the file. Please note that if you have named your Logstash config file something other than “objectsecurity.conf”, you will need to update the path.config line to agree with your chosen file name.

    - pipeline.id: objectsecurity
      path.config: "/etc/logstash/conf.d/objectsecurity.conf"

    Once these steps have been completed and Logstash has loaded the updated pipelines.yml (restart the Logstash service if it was already running), your Logstash configuration file is active and your pipeline is ready to receive logs on the ports you enabled in the configuration. Now that this is done, you are ready to configure BinLens settings to point to your ELK stack and begin sending logs.

Configuring ELK Stack Location within ObjectSecurity’s BinLens™

To get started using the ELK stack integration feature, the user will need to go to BinLens settings and enter the IP and port of the Logstash instance that will be receiving the logs. To find the ELK Stack configuration settings within BinLens, go to Settings > Deployment > Configure ELK Stack. From here, the user must select the protocol they would like to use to send the logs, the IP to send the logs to, and the port on which that IP is listening for the logs.

The protocol you select should agree with whichever protocol you enabled in the Logstash configuration, which you set in the “Creating a Logstash Config file” step of the “Configuring ELK Stack to Accept Logs from BinLens” section outlined above.

Note: The user must configure the port from within the Logstash configuration files (these files are stored at /etc/logstash/conf.d). For more information about configuring Logstash and its inputs, please refer to the “Configuring ELK Stack to Accept Logs from BinLens” section above on how to set up Logstash and the ELK Stack for the purposes of this feature.

To clarify, the IP entry should be the IP of the instance hosting the user’s ELK stack. Once the information has been entered correctly, select Submit to save the BinLens logging destination settings.

To verify that the configuration is set up properly, a test log is sent to the configured ELK stack instance each time the Submit button is clicked. The best way to test the configuration is to adjust the fields and click Submit until the ELK Stack instance receives the test log.
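The following script is an added example written for this article; it is not BinLens’s own code nor part of Logstash. It shows two things the text above leaves implicit: how a JSON document has to be framed for each of the three inputs in objectsecurity.conf (a POST body with Content-Type application/json for the http input, newline-terminated JSON for the tcp input, one document per datagram for the udp input), and what the Submit-button test log amounts to, namely one document pushed to the chosen IP and port. The port numbers are the ones from the configuration above; the SAMPLE_DOC fields, the function names and the loopback mock listeners used by self_check() are assumptions made for this example, not BinLens’s real test-log schema.

```python
"""Hand a JSON test document to a Logstash pipeline over HTTP, TCP or UDP.
Added example for this article, not BinLens or Logstash code. Ports default to
the objectsecurity.conf inputs; SAMPLE_DOC is constructed, not the real test log."""
import json
import socket
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

LOGSTASH_PORTS = {"http": 31311, "tcp": 31312, "udp": 31313}
# Constructed sample document (assumed fields, not BinLens's own schema).
SAMPLE_DOC = {"source": "binlens-test", "message": "ELK connectivity check"}


def frame_test_log(protocol, doc):
    """Return (payload_bytes, http_headers) framed as each Logstash input expects.
    http: raw JSON body; Content-Type application/json selects the json codec.
    tcp:  newline-terminated JSON, one document per connection, so it decodes
          under either the json or the json_lines codec.
    udp:  exactly one JSON document per datagram."""
    body = json.dumps(doc, separators=(",", ":")).encode("utf-8")
    if protocol == "http":
        return body, {"Content-Type": "application/json"}
    if protocol == "tcp":
        return body + b"\n", None
    if protocol == "udp":
        return body, None
    raise ValueError(f"unsupported protocol: {protocol}")


def send_test_log(protocol, host, doc, port=None, timeout=5.0):
    """Send one framed document; returns True once it was handed off."""
    payload, headers = frame_test_log(protocol, doc)
    port = port or LOGSTASH_PORTS[protocol]
    if protocol == "http":
        req = urllib.request.Request(f"http://{host}:{port}/", data=payload,
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    if protocol == "tcp":
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
        return True
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))
    return True


def _listen_once(protocol, received):
    """Loopback stand-in for one Logstash input: accepts a single message and
    appends the decoded document to `received`. Returns (port, thread)."""
    if protocol == "http":
        class Handler(BaseHTTPRequestHandler):
            def do_POST(self):
                body = self.rfile.read(int(self.headers["Content-Length"]))
                received.append(json.loads(body))
                self.send_response(200)
                self.end_headers()
            log_message = lambda self, *args: None  # keep stderr quiet

        srv = HTTPServer(("127.0.0.1", 0), Handler)
        run = lambda: (srv.handle_request(), srv.server_close())
        thread = threading.Thread(target=run, daemon=True)
        thread.start()
        return srv.server_address[1], thread

    kind = socket.SOCK_STREAM if protocol == "tcp" else socket.SOCK_DGRAM
    sock = socket.socket(socket.AF_INET, kind)
    sock.settimeout(5)
    sock.bind(("127.0.0.1", 0))
    if protocol == "tcp":
        sock.listen(1)  # listen before returning so the sender cannot race us

    def run():
        with sock:
            if protocol == "tcp":
                conn, _ = sock.accept()
                with conn:  # read up to the newline that frames the document
                    data = conn.makefile("rb").readline()
            else:
                data, _ = sock.recvfrom(65535)
            received.append(json.loads(data))  # trailing newline is tolerated

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return sock.getsockname()[1], thread


def self_check(protocols=("http", "tcp", "udp")):
    """Round-trip SAMPLE_DOC through a loopback mock of each input; returns
    {protocol: document that arrived}."""
    results = {}
    for proto in protocols:
        received = []
        port, thread = _listen_once(proto, received)
        send_test_log(proto, "127.0.0.1", SAMPLE_DOC, port=port)
        thread.join(timeout=5)
        results[proto] = received[0] if received else None
    return results


if __name__ == "__main__":
    print(self_check())  # expect SAMPLE_DOC back for all three protocols
```

Run it as-is to confirm the framing round-trips through the loopback mocks; against a real ELK host, call send_test_log("tcp", "<ELK_HOST_IP>", SAMPLE_DOC) (placeholder host) with the protocol you enabled and then list the indices on Elasticsearch with curl -s http://localhost:9200/_cat/indices?v (adding -u user:password if authentication is enabled) to see the Logstash index appear. Two points to keep in mind when wiring this up: the tcp and udp inputs accept any JSON from any sender, so reachability of ports 31311 to 31313 should be limited to the BinLens host by firewall rules or by setting each input’s host option to a specific interface; and of the three inputs only the http input offers its own user and password settings, so HTTP is the protocol to choose if the path between BinLens and Logstash is not already a trusted network.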