Reputation: 487
Pull logs from remote server into elasticsearch
The short question is: Is it possible to pull logs (within logfiles) from a remote server and ingest them into the ELK stack.
The long story is the following:
- We have a setup with a
DMZwhich is publically facing - We have an
intranetenvironment which hosts alot of internal systems, including the ELK stack - Due to security regulations we cannot establish connections (on IP level) from the
DMZtowards theintranet. - We can however establish connections from the
intranettowards theDMZ
Due to this setup, we cannot follow the normal route of installing a Filebeat on the server where the logs are stored and push the messages towards our logstash installation.
What we would like to do is something that looks somewhat like the following:
- Filebeat or any other process gathers the logs on the server inside the
DMZ - On this server there is some process (
Filebeat,logstash, anotherelasticsearchinstance?) which keeps those information in a local store - This tool (whatever it might be in the end) listens on a port which is available from the
intranet - Another tool inside the
intranetconnects to theDMZtool and pulls all gathered logs for further processing.
Our investigations sofar only resulted in solutions which push the log information to either logstash or elasticsearch.
One thing we do not want to do is to use fileshares to make the logfiles available directly from the intranet.
Our question is whether what we have in mind is possible at all and if so, what tools and with which setup we would accomplish this.
Upvotes: 2
Views: 2155
Answers (1)
Reputation: 7473
You can try the following using Kafka as a message broker
On your DMZ server you will have filebeat collecting logs and sending to a logstash instance, this logstash instace will then output your logs to kafka.
It is a simple pipeline with a beats input, your fitlers and a kafka output, if you don't want to do any enrichments on your data, you can send your logs direct to kafka from filebeat.
Your kafka broker will then listen on a port and wait for any consumer to connect and consumes the messages.
On your intranet you will need a logstash instance with a pipeline using the kafka input, this pipeline will act as a kafka consumer and will pull your messages, you can then use the elasticsearch output to store then in your intranet elasticsearch cluster.
For more information read the kafka documentation, and the documentation for the kafka input and kafka output in the logstash documentation.
Upvotes: 3
Related Questions
- File beat is not transferring data to logstash
- Send logs with filebeat to logstash
- Use filebeat to ingest JSON log file
- Setting up ELK stack
- Unable to connect Filebeat to logstash for logging using ELK
- Elasticsearch Logstash Filebeat mapping
- Metricbeat to Logstash on a remote server not working
- Filebeat doesn't forward data to logstash
- Retrieve log file from distant server with FileBeat
- filebeat is sending log directly to elastic search not to logstash