Follow this step by step guide to get 'logs' from your system to Logit.io:
Step 2 - Configure Falco Logging
Falco serves as a container security and threat detection engine for Kubernetes at runtime, that detects unauthorized container activity and logs it. Falco has been approved by the CNCF for this purpose.
Set the output format to JSON
- Locate the configuration file, which is typically named
- Open the configuration file with a text editor of your choice.
- Save the changes to the configuration file.
- Restart the Falco service to apply the updated configuration.
Look up the filepath to Falco's logs
- In the same configuration file
file_output:make a note of the
filename:value, this will be used in step 3 to configure Filebeat.
It's important to review the Falco documentation for any specific guidance or instructions if you need to customise how logging is configured.
Step 3 - Configure Filebeat.yml
The configuration file below is pre-configured to send data to your Logit.io Stack.
Copy the configuration file below and overwrite the contents of the Filebeat configuration file typically located at
# ============================== Filebeat inputs =============================== filebeat.inputs: - type: filestream enabled: true paths: - fields: type: fields_under_root: true encoding: utf-8 ignore_older: 12h # ================================== Outputs =================================== output.logstash: hosts: ["your-logstash-host:your-ssl-port"] loadbalance: true ssl.enabled: true
If you’re running Filebeat 7.10 or older, change the type as shown below.
- type: log
It’s a good idea to run the configuration file through a YAML validator to rule out indentation errors, clean up extra characters, and check if your YAML file is valid. Yamllint.com is a great choice.
Step 4 - Validate configuration
If you have issues starting in the next step, you can use these commands below to troubleshoot.
Let's check the configuration file is syntactically correct by running directly inside the terminal.
If the file is invalid, will print an
error loading config file error message with details on how to correct the problem.
sudo -e -c /etc//.yml
cd <EXTRACTED_ARCHIVE> sudo ./ -e -c .yml
cd <EXTRACTED_ARCHIVE> .\.exe -e -c .yml
Step 5 - Start filebeat
Start or restart to apply the configuration changes.
Step 6 - Launch Logit.io to view your logs
Now you should view your data:
If you don't see logs take a look at How to diagnose no data in Stack below for how to diagnose common issues.
Step 8 - Falco Overview
Falco is a free, open-source container security monitoring solution that provides real-time threat detection and response capabilities. It is designed to help organizations identify and respond to security incidents in containerized environments.
To effectively monitor and analyze security events in containerized environments, it is essential to have a reliable and efficient log management solution. Falco provides a centralized platform for collecting, processing, and visualizing security-related data in real-time. It can be used to monitor various activities in container environments, such as network connections, file system access, and process execution.
To send data from Falco to other systems or services, organizations can use various output options, including JSON logs, Syslog, and gRPC. For instance, to output JSON logs to a file, users can modify the Falco configuration file and add the necessary output configuration.
In summary, using Falco as a container security monitoring solution provides organizations with a reliable and efficient way to detect and respond to security incidents in real-time. By leveraging the output options and various agents and modules, organizations can collect and analyze data from container environments and gain valuable insights into their security posture.
If you need any further assistance with migrating your log data to ELK we're here to help you get started. Feel free to get in contact with our support team by sending us a message via live chat & we'll be happy to assist.