Current view: XpoLog V7 (Latest). Available: XpoLog V6 and XpoLog V5

Skip to end of metadata
Go to start of metadata


XpoLog’s architecture allows receiving data sent by logstash, using XpoLog's logstash output.

When using an advanced topology there can be multiple filebeat/winlogbeat forwarders which send data into a centralized logstash. The logstash input is the filebeat/winlogbeat forwarder(s) output. The logstash output is forwarded to XpoLog Listener(s).

There are options to push data over HTTP/S and in some cases  over SysLog.


Topology:

Topology

To set up a full forwarding system to XpoLog there is a need to set a central Logstash forwarder in the same XpoLog server and Filebeat forwarder on each machine (Windows/Mac/Linux/Docker). In case of a windows machine, forwarding Windows Events Logs requires a different forwarder - winlogbeat.

you may follow these footsteps:

  1. Browse to XpoLog and set an HTTP listener according to the guideline in the article: HTTP/S
    Remarks: 
    Expand the advanced settings and
    1. In cluster topology, set listening node to 'ALL'
    2. Copy the listener URL for later use when setting the logstash
    3. Set split by Source Device to 'Create log by unique IP / host name'
    4. Set JSON Parsing Level to 1
    5. Once saving the configuration verify that the listener status is 'Running'. If needed start it
  2. Prepare relevant templates for the log patterns in Xpolog:
    • For Windows Events Logs it is mandatory that you import the following templates: Windows-Events-Templates.zip. To import the templates to XpoLog enter XpoLog Manager> Left Navigation Panel> Data> Patterns> Import Template > Choose the file & press Next.
    • For other Logs - it is suggested that you prepare templates in advance but it is not mandatory (template name is case sensitive and must match the name of the pattern set in the  exported logs in Filebeat Forwarder(s)).  
  3. Enter the designated server for the logstash installation. It should be locally in the same server as XpoLog is installed upon (In cluster mode consult with XpoLog Support Team which node should it be installed upon). Then set the logstash according to guidelines described at the article Setting Up a Logstash Forwarder
  4. Set up filebeat forwarder(s) according to the guidelines described at the article Setting Up a Filebeat Forwarder.
  5. Set up Winlogbeat forwarder(s) according to the guidelines described at the articleSetting up Winlogbeat Frowarder.

Once all is set according to the guidelines enter XpoLog> Folders and logs. All the forwarder logs should be created automatically under the Folders&Logs Tree according to the following topology:

FOLDERS&LOGS

<LISENER-NAME>

App-Logs

<Filebeat-Server 1>

<HTTP-Listener-Sufix>Server-1 <Logname-1>

<HTTP-Listener-Sufix>Server-1 <Logname-2>

<Filebeat-Server 2>

<HTTP-Listener-Sufix>Server-2 <Logname-1>

<HTTP-Listener-Sufix>Server-2 <Logname-2>

<Filebeat-Server N>

<HTTP-Listener-Sufix>Server-n <Logname-1>

<HTTP-Listener-Sufix>Server-n <Logname-2>

Win-Events

<Winlogbeat-Server 1>

<HTTP-Listener-Sufix>Server-1 Security

<HTTP-Listener-Sufix>Server-1 System

<HTTP-Listener-Sufix>Server-1 Application

<Winlogbeat-Server 2>

<HTTP-Listener-Sufix>Server-2 Security

<HTTP-Listener-Sufix>Server-2 System

<HTTP-Listener-Sufix>Server-2 Application

<Winlogbeat-Server N>

<HTTP-Listener-Sufix>Server-n Security

<HTTP-Listener-Sufix>Server-n System

<HTTP-Listener-Sufix>Server-n Application

 

  • No labels