Elastic Plugin for Log Shipper

This document explains how to configure your Elastic integration with the Log Shipper module of the Netskope Cloud Exchange platform. This integration allows pushing alerts and events from Netskope to the Elastic platform.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A Netskope Cloud Exchange tenant with the Log Shipper module already configured.
  • Your Filebeat TCP Server address and port.

Note

Verify that your Elastic instance and the Filebeat TCP listener are not set up for open public access. Allow connections to the Filebeat listener only from your Cloud Exchange host and from any other addresses that need access.

Elastic Plugin Support

  Event Support: Yes
  Alert Support: Yes
  WebTx Support: No

Workflow

  1. Configure Filebeat to listen on a specific port.
  2. Configure the Elastic plugin.
  3. Configure Log Shipper Business Rules for Elastic.
  4. Configure Log Shipper SIEM Mappings for Elastic.
  5. Validate the Elastic plugin.


Configure Filebeat to Listen on a Specific Port

  1. Install and configure Elasticsearch.

    (Reference: https://www.elastic.co/guide/en/elasticsearch/reference/7.15/install-elasticsearch.html)

  2. Install and configure Kibana to view data.

    (Reference: https://www.elastic.co/guide/en/kibana/7.15/install.html)

  3. Install and configure Filebeat to listen on a specific port.

    (Reference: https://www.elastic.co/guide/en/beats/filebeat/7.15/filebeat-installation-configuration.html)

  4. Install the Netskope extension in Elastic.

    (Reference: https://docs.elastic.co/integrations/netskope)
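
As an added example for this document (it is not a configuration shipped by Netskope or Elastic), the following filebeat.yml shows the listener that steps 1 to 4 above set up: a Filebeat TCP input bound to the address and port that Cloud Exchange will connect to, forwarding to Elasticsearch over TLS with a dedicated user. The file path, bind address 10.20.30.40, port 9000, host names, user name, certificate path, tag values and the FILEBEAT_ES_PASSWORD variable are all assumptions; the option names are those of the Filebeat 7.15 TCP input and Elasticsearch output referenced above.

```yaml
# /etc/filebeat/filebeat.yml (assumed path)
# Added example, not a configuration from Netskope or Elastic.

filebeat.inputs:
  # TCP listener that the Cloud Exchange Log Shipper Elastic plugin connects to.
  # The Server Address and Server Port entered in the plugin must match this
  # host:port.
  - type: tcp
    enabled: true
    # Bind to the interface that faces Cloud Exchange rather than 0.0.0.0, so
    # the listener is not reachable from every network the host sits on.
    # Address and port are assumptions.
    host: "10.20.30.40:9000"
    # One log record per line; "\n" is the input's default delimiter.
    line_delimiter: "\n"
    # Cap how much a single peer can make Filebeat buffer for one record.
    max_message_size: 10MiB
    # Only the Cloud Exchange host(s) should ever connect; keep the limit low.
    max_connections: 10
    # Read/write timeout for idle sockets.
    timeout: 300s
    # Constructed tag and field so these records are easy to find in Kibana.
    tags: ["netskope", "cloud-exchange"]
    fields:
      source: "netskope-cls"
    fields_under_root: false

setup.kibana:
  host: "https://kibana.example.internal:5601"          # assumed
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]  # assumed path

output.elasticsearch:
  hosts: ["https://elasticsearch.example.internal:9200"]  # assumed
  # Dedicated least-privilege writer; the secret comes from the environment
  # (or the Filebeat keystore), never from this file.
  username: "filebeat_netskope"                         # assumed
  password: "${FILEBEAT_ES_PASSWORD}"
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
  ssl.verification_mode: full
```

Check the file with `filebeat test config` and the Elasticsearch connection with `filebeat test output` before starting the service. In Kibana Discover, `tags : "netskope"` narrows the view to records received on this listener. Note that the plugin configuration described on this page exposes only a Server Address and a Server Port, so the listener above accepts plain TCP; the Filebeat TCP input also supports `ssl.*` settings, but enable them only if your plugin version is confirmed to connect over TLS. Until then, the network-level restriction described in the Note under Prerequisites is what protects the listener.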

Configure the Elastic Plugin

  1. In Cloud Exchange, go to Settings > Plugins.
  2. Search for and select the Elastic v2.0 (CLS) box to open the plugin creation pages.
  3. Enter a Configuration Name.
  4. Select a valid Mapping (default mappings are available for all plugins). If Transform the raw logs is enabled, the raw logs are transformed using the selected mapping file before they are sent; otherwise the raw logs are sent to the SIEM unchanged, and ingestion may fail if the SIEM does not accept the raw log format. When finished, click Next.
  5. Enter your Server Address and Server Port. These must be the address and port on which Filebeat is listening.
  6. Click Save.

Configure Log Shipper Business Rules for Elastic

  1. Go to Log Shipper > Business Rules.
  2. Click Create New Rule.

    Tip

    If you want all events and alerts forwarded through your SIEM Mapping, you can use the default ALL rule.

  3. Enter a Rule Name and configure the rule query to match the alerts and events you want to forward.
  4. Click Save.

Configure Log Shipper SIEM Mappings for Elastic

A SIEM mapping ties a Netskope source configuration and a business rule to the Elastic destination; it is what causes the matching Netskope logs (alerts and events) to be forwarded to the third-party platform.

NOTE: Data ingestion to the third-party SIEM server only starts once a SIEM Mapping has been added.

  1. Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping.
  2. Select a Source Configuration (Netskope), a Destination Configuration (Elastic), and a Business Rule from the dropdowns.
  3. Click Save.

Validate the Elastic Plugin

To validate the plugin workflow, you can check from Netskope Cloud Exchange and from Kibana.

Verify Data Ingestion in Netskope Cloud Exchange

To validate from Netskope Cloud Exchange, go to Logging and search for log messages containing "ingested".
Verify Ingested Data in Elastic Kibana

To validate from Kibana:

  • Log in to your Kibana instance. In the left menu, go to Discover. You will see the ingested logs.