Streamlining ELK Stack with CrowdSec via Syslog

Keeping up with the frequent API changes across the various versions of Elasticsearch is undoubtedly a challenge. Direct compatibility with Elasticsearch has proven to be a resource-intensive endeavor owing to the necessity of adapting to continuous updates.

However, the need for enhanced security within the ELK stack remains paramount. To address this, and in response to numerous requests for Elasticsearch integration, we’ve developed a technical solution to facilitate the integration of CrowdSec without native Elasticsearch support.

In this article, I will outline a method for connecting CrowdSec with the ELK stack, employing Logstash’s syslog output feature.

By adjusting your Logstash configuration to send logs via syslog, you can integrate with CrowdSec efficiently, thereby augmenting your security analysis. I will walk you through the necessary steps to achieve this integration, optimizing your ELK stack for better threat detection and management.

Let’s tackle the technicalities of this integration to reinforce your security monitoring framework.

Prerequisites

Before diving into the integration details, ensuring you’re equipped with the necessary background knowledge and tools is crucial. This guide assumes you have a basic understanding of the following concepts and technologies:

If you’re unfamiliar with any of these topics, we recommend reviewing the relevant documentation to familiarize yourself with the basics.

Integration Overview

Before proceeding with the integration, let’s take a look at the architecture and components involved in this setup.

The integration involves the following components:

  • Application: Represents the application generating logs.
  • nginx: Acts as a reverse proxy for the application.
  • ELK stack: Includes Elasticsearch, Logstash, and Kibana services for log collection, processing, and visualization.
  • CrowdSec: Analyzes logs and blocks malicious IPs based on the configured scenarios.

The integration follows this flow:

  1. The application generates logs.
  2. Logstash processes the logs and forwards them to Elasticsearch and CrowdSec via Syslog.
  3. Elasticsearch stores the logs for indexing and analysis.
  4. CrowdSec analyzes the logs and blocks malicious IPs based on the configured scenarios.

Now, let’s dig in and go through the implementation steps.

Implementing the integration

For this part, I’m assuming you already have the ELK stack set up. If not, you can refer to this docker-compose file to set up the entire infrastructure with the ELK stack, application, and CrowdSec.

There are multiple ways to integrate CrowdSec with the ELK stack. In this guide, I’ll demonstrate how to leverage Logstash’s Syslog output feature to send raw logs to CrowdSec.

Step 1: Install logstash-output-syslog plugin

The first step is to install the logstash-output-syslog plugin, which enables Logstash to send logs to a syslog server. You can install the plugin using the following command:

bin/logstash-plugin install logstash-output-syslog

Step 2: Configure Logstash to send logs via syslog

Next, you must configure Logstash to send logs to CrowdSec via syslog. Here’s a sample Logstash configuration file that demonstrates how to achieve this:

output {
  syslog {
    host => "crowdsec"
    port => 4242
    protocol => "udp"
    rfc => "rfc5424"
  }
}

This configuration specifies the syslog server (host and port) to which Logstash will send the logs; in this setup that is the CrowdSec container and the port its syslog data source listens on. Adjust host and port to match your environment, but keep protocol and rfc as shown in this example.

You can now restart Logstash to apply the configuration changes.

Step 3: Configure CrowdSec to receive logs via syslog

For the next step, you need to add a new data source in CrowdSec to receive logs via syslog. Here’s an example configuration for the syslog data source:

source: syslog
listen_addr: 0.0.0.0
listen_port: 4242
labels:
  type: nginx

In this configuration, I specify the listen_addr and listen_port on which CrowdSec receives logs from Logstash; these must match the host and port configured in the Logstash syslog output. You can customize the configuration based on your requirements. The labels field attaches metadata to every line read from this source; the type label (nginx here) tells CrowdSec which parsers to apply to the lines.

Once you’ve updated the configuration, you can restart the CrowdSec service to apply the changes.

Step 4: Verify the integration

To verify the integration, generate some application traffic and confirm that the resulting logs are processed by Logstash and forwarded to CrowdSec. Watch the Logstash and CrowdSec service logs, and run cscli metrics on the CrowdSec side: the Acquisition Metrics should list a syslog source with the Logstash IP and non-zero counts of lines read and parsed.

In Kibana:

In CrowdSec:

a8c7b2b0d992:/# cscli metrics

Acquisition Metrics:
╭───────────────────┬────────────┬──────────────┬────────────────┬────────────────────────╮
│      Source       │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │
├───────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┤
│ syslog:172.27.0.7 │ 5          │ 5            │ -              │ -                      │
╰───────────────────┴────────────┴──────────────┴────────────────┴────────────────────────╯

Parser Metrics:
╭────────────────────────────────┬──────┬────────┬──────────╮
│            Parsers             │ Hits │ Parsed │ Unparsed │
├────────────────────────────────┼──────┼────────┼──────────┤
│ child-crowdsecurity/http-logs  │ 15   │ 10     │ 5        │
│ child-crowdsecurity/nginx-logs │ 5    │ 5      │ -        │
│ crowdsecurity/dateparse-enrich │ 5    │ 5      │ -        │
│ crowdsecurity/geoip-enrich     │ 5    │ 5      │ -        │
│ crowdsecurity/http-logs        │ 5    │ 5      │ -        │
│ crowdsecurity/nginx-logs       │ 5    │ 5      │ -        │
│ crowdsecurity/non-syslog       │ 5    │ 5      │ -        │
│ crowdsecurity/whitelists       │ 5    │ 5      │ -        │
╰────────────────────────────────┴──────┴────────┴──────────╯

Local Api Metrics:
╭────────────────────┬────────┬──────╮
│       Route        │ Method │ Hits │
├────────────────────┼────────┼──────┤
│ /v1/heartbeat      │ GET    │ 35   │
│ /v1/watchers/login │ POST   │ 2    │
╰────────────────────┴────────┴──────╯

Local Api Machines Metrics:
╭───────────┬───────────────┬────────┬──────╮
│  Machine  │     Route     │ Method │ Hits │
├───────────┼───────────────┼────────┼──────┤
│ localhost │ /v1/heartbeat │ GET    │ 35   │
╰───────────┴───────────────┴────────┴──────╯
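As an added check (example code, not from the original post or from CrowdSec), the script below mimics what the Logstash syslog output emits: it wraps constructed nginx access-log lines in an RFC 5424 header, sends them over UDP to a throwaway local listener standing in for the CrowdSec syslog data source, and parses them back so you can confirm the MSG part arrives as the untouched nginx line that the type: nginx label expects. The header values host="logstash" and app="nginx" and the PRI of facility 1 / severity 6 are assumptions; pointing send_udp at the real crowdsec:4242 and then running cscli metrics is the equivalent end-to-end check.

```python
import re
import socket
from datetime import datetime, timezone

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$",
    re.DOTALL,  # a single structured-data element or "-" is all this path needs
)

SAMPLE_LINES = [  # constructed nginx access-log lines, not from the original post
    '198.51.100.23 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.4.0"',
    '198.51.100.23 - - [10/Mar/2024:12:00:02 +0000] "GET /missing HTTP/1.1" 404 153 "-" "curl/8.4.0"',
]


def frame_rfc5424(msg, host="logstash", app="nginx", facility=1, severity=6, ts=None):
    """Wrap a raw log line in an RFC 5424 header; host/app/facility/severity are assumed defaults."""
    ts = ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{facility * 8 + severity}>1 {ts} {host} {app} - - - {msg}"


def parse_rfc5424(frame):
    """Split a frame into header fields plus the MSG part; None if it is not RFC 5424."""
    m = RFC5424_RE.match(frame)
    if not m:
        return None
    fields = m.groupdict()
    fields["facility"], fields["severity"] = divmod(int(fields["pri"]), 8)
    return fields


def send_udp(frame, host, port):
    """Send one frame as a single UDP datagram (protocol => "udp" in the Logstash output)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(frame.encode("utf-8"), (host, port))


def loopback_check(lines, port=0):
    """Bind a local UDP listener standing in for CrowdSec's syslog data source, push each
    line through frame_rfc5424/send_udp and return the MSG parts as received."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", port))  # port 0 lets the OS pick a free port
        srv.settimeout(2)
        addr = srv.getsockname()
        received = []
        for line in lines:
            send_udp(frame_rfc5424(line), *addr)
            data, _ = srv.recvfrom(65535)
            parsed = parse_rfc5424(data.decode("utf-8"))
            received.append(parsed["msg"] if parsed else None)
        return received
```

Calling loopback_check(SAMPLE_LINES) should return the sample lines unchanged; a None entry means the frame did not parse as RFC 5424 and CrowdSec would likely count it as unparsed.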

Conclusion

To showcase this integration, I created a simple docker-compose file that sets up the entire infrastructure with the ELK stack, application, and CrowdSec. You can find the docker-compose file here. Of course, it goes without saying, but please don’t use this in production, as it’s just for demonstration purposes!

By integrating CrowdSec with the ELK stack via Syslog, you can enhance your security monitoring capabilities and bolster your threat detection mechanisms. This technical guide provides a step-by-step approach to streamlining the integration process, enabling you to leverage the power of CrowdSec within your ELK stack.

Hope you found this tutorial useful! If you have any questions or feedback, please don’t hesitate to reach out to us on Discord or Discourse.
