investigateAccept Pipeline Guide
This guide shows how to create an investigateAccept pipeline and how to use the different plugins.
Components
To configure an investigateAccept pipeline it is important to understand the different components that can be combined so that the data is normalised and ingested as desired.
- Input: Specifies how to handle the incoming data, based on the input plugins available
  - beats - handles input provided by the Elastic Stack Beats software (winlogbeat, metricbeat, filebeat)
  - syslog - handles input sent directly from servers as syslog data
  - webhook - handles input provided via webhooks
- Processors: Manipulate the data according to the use case and the desired outcome
  - blacklist - removes blacklisted fields from an event
  - extract - extracts data from a given field using a regex, producing additional fields
  - flatten - flattens a provided JSON document
  - inject - injects data into a given event
  - logic - performs a logic operation and, if it evaluates to true, continues with the configured next step
  - lowercase - lowercases the provided field
  - rename - renames a given field within an event to a new name
  - rule - a set of logic statements, of which the first that matches is followed
  - setTime - sets the event time from a given field, parsed with the specified time format
  - toJson - converts a given event or field to JSON. If outputField is not provided, it overwrites the current event.
  - whitelist - retains fields in an event when whitelisted
- Output: Specifies where to send the processed data
  - stdout - prints all event information to the CLI output
  - opensearch - sends the events to an OpenSearch instance for ingest
  - investigate - sends the events to an investigate instance for ingest
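To make the processor descriptions concrete, the following is an added example (not code from the investigateAccept project) that implements a minimal version of the listed processors in Python and chains them over a constructed sample event. The field semantics follow the one-line descriptions above; everything beyond that, such as regex named groups for extract, "." as the flatten separator and the option names used here, is this example's own assumption.

```python
# Added example, not investigateAccept's own code: toy processor plugins
# chained in the order a pipeline would run them.
import json
import re

# Constructed sample event; not from the original page.
SAMPLE_EVENT = {
    "Message": "User ADMIN logged in from 10.0.0.5",
    "Host": {"Name": "WS01", "OS": "Windows"},
    "Debug": "verbose trace data that should not be indexed",
}


def blacklist(event, fields):
    """Remove the blacklisted fields from the event."""
    return {k: v for k, v in event.items() if k not in fields}


def whitelist(event, fields):
    """Keep only the whitelisted fields."""
    return {k: v for k, v in event.items() if k in fields}


def extract(event, field, pattern):
    """Add a field for every named regex group matched in `field` (assumed API)."""
    out = dict(event)
    match = re.search(pattern, str(event.get(field, "")))
    if match:
        out.update(match.groupdict())
    return out


def flatten(event, sep="."):
    """Turn nested mappings into dotted top-level keys (separator assumed)."""
    out = {}

    def walk(prefix, value):
        if isinstance(value, dict):
            for key, val in value.items():
                walk(f"{prefix}{sep}{key}" if prefix else key, val)
        else:
            out[prefix] = value

    walk("", event)
    return out


def inject(event, fields):
    """Inject static fields into the event."""
    return {**event, **fields}


def lowercase(event, field):
    """Lowercase a single string field if present."""
    out = dict(event)
    if isinstance(out.get(field), str):
        out[field] = out[field].lower()
    return out


def rename(event, field, to):
    """Rename `field` to `to`."""
    out = dict(event)
    if field in out:
        out[to] = out.pop(field)
    return out


def to_json(event, output_field=None):
    """Serialise the event; without outputField the JSON replaces the event."""
    text = json.dumps(event, sort_keys=True)
    if output_field is None:
        return text
    return {**event, output_field: text}


PLUGINS = {
    "blacklist": blacklist, "whitelist": whitelist, "extract": extract,
    "flatten": flatten, "inject": inject, "lowercase": lowercase,
    "rename": rename, "toJson": to_json,
}

# Constructed processor chain: (plugin name, plugin options).
DEMO_STEPS = [
    ("flatten", {}),
    ("blacklist", {"fields": ["Debug"]}),
    ("extract", {"field": "Message",
                 "pattern": r"User (?P<user>\S+) logged in from (?P<src_ip>\S+)"}),
    ("lowercase", {"field": "user"}),
    ("rename", {"field": "Host.Name", "to": "hostname"}),
    ("inject", {"fields": {"pipeline": "demo"}}),
    ("whitelist", {"fields": ["hostname", "user", "src_ip", "pipeline"]}),
    ("toJson", {}),
]


def run_pipeline(event, steps):
    """Apply each processor in order; toJson at the end yields a JSON string."""
    for plugin, options in steps:
        event = PLUGINS[plugin](event, **options)
    return event


def demo():
    """Run the sample event through the chain and parse the resulting JSON."""
    return json.loads(run_pipeline(SAMPLE_EVENT, DEMO_STEPS))


if __name__ == "__main__":
    print(run_pipeline(SAMPLE_EVENT, DEMO_STEPS))
```

The order matters: flatten runs first so that later steps can address nested keys such as `Host.Name`, blacklist drops the verbose field before anything downstream can copy it, and whitelist runs last so that only the fields intended for the index survive.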
All input, processor, and output plugins must follow the YAML structure below, which includes the unique ID of each step as well as the next step to run:
input/processor/output:
  id: <unique ID>
  name: <name of step>
  plugin: <name of plugin used for this particular step>
  <additional specific settings>: <depending on the plugin these may differ>
  next: <specified next step>
Webhook pipeline example
input:
  id: 1
  name: webhook
  plugin: webhook
  next: [2]
  bindPort: 443
  method: POST
  prefix: <random-string for accessing the url>
  sslCertificate: <certificate file>
  sslPrivateKey: <private key file>
processor:
  id: 2
  name: toJson
  plugin: toJson
  next: [3]
output:
  id: 3
  name: opensearch
  plugin: opensearch
  index: webhook-index
  password: password
  url: https://opensearch-url
  username: username
  verify: true
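A definition like the one above is easy to get subtly wrong (a `next` that points at a step that does not exist, a typo in a plugin name, or a TLS setting quietly turned off). The following is an added example, not the investigateAccept project's own tooling, that checks a pipeline definition before it is deployed. The required keys and plugin names come from this guide; the constructed `WEBHOOK_PIPELINE` dict mirrors the YAML above with placeholder values filled in, and treating `sslCertificate`/`sslPrivateKey`, a reasonably long `prefix` and `verify: true` as mandatory is this example's own assumption about a safe configuration.

```python
# Added example, not investigateAccept's own code: a pre-deployment checker
# for a pipeline definition. Plugin names and required keys follow the guide;
# the TLS/prefix/verify checks are this example's own assumptions.
from copy import deepcopy

INPUT_PLUGINS = {"beats", "syslog", "webhook"}
PROCESSOR_PLUGINS = {"blacklist", "extract", "flatten", "inject", "logic",
                     "lowercase", "rename", "rule", "setTime", "toJson",
                     "whitelist"}
OUTPUT_PLUGINS = {"stdout", "opensearch", "investigate"}

# Constructed dict form of the webhook example (placeholders replaced with
# obviously fake values).
WEBHOOK_PIPELINE = {
    "input": {"id": 1, "name": "webhook", "plugin": "webhook", "next": [2],
              "bindPort": 443, "method": "POST",
              "prefix": "replace-with-a-long-random-string",
              "sslCertificate": "webhook.crt", "sslPrivateKey": "webhook.key"},
    "processor": {"id": 2, "name": "toJson", "plugin": "toJson", "next": [3]},
    "output": {"id": 3, "name": "opensearch", "plugin": "opensearch",
               "index": "webhook-index", "password": "password",
               "url": "https://opensearch-url", "username": "username",
               "verify": True},
}


def _steps(section):
    """A section may hold a single step mapping or a list of them (assumed)."""
    if section is None:
        return []
    return section if isinstance(section, list) else [section]


def validate(pipeline):
    """Return a list of findings; an empty list means the definition passed."""
    findings = []
    allowed = {"input": INPUT_PLUGINS, "processor": PROCESSOR_PLUGINS,
               "output": OUTPUT_PLUGINS}
    steps = {}  # step id -> (section, step)
    for section, plugins in allowed.items():
        for step in _steps(pipeline.get(section)):
            sid = step.get("id")
            for key in ("id", "name", "plugin"):
                if key not in step:
                    findings.append(f"{section} step {sid}: missing '{key}'")
            if sid in steps:
                findings.append(f"duplicate step id {sid}")
            steps[sid] = (section, step)
            if step.get("plugin") not in plugins:
                findings.append(f"{section} step {sid}: unknown plugin "
                                f"{step.get('plugin')!r}")
            if section != "output" and not step.get("next"):
                findings.append(f"{section} step {sid}: no next step configured")

    # Every 'next' reference must resolve to a defined step.
    for sid, (section, step) in steps.items():
        for nxt in step.get("next", []):
            if nxt not in steps:
                findings.append(f"{section} step {sid}: next -> {nxt} does not exist")

    # Walk the chain from each input and require that an output is reached.
    reached = set()
    todo = [s for s, (sec, _) in steps.items() if sec == "input"]
    while todo:
        sid = todo.pop()
        if sid in reached or sid not in steps:
            continue
        reached.add(sid)
        todo.extend(steps[sid][1].get("next", []))
    if not any(steps[s][0] == "output" for s in reached):
        findings.append("no output step is reachable from the input")

    # Settings with security impact, modelled on the example's values.
    for sid, (section, step) in steps.items():
        plugin = step.get("plugin")
        if plugin == "webhook":
            for key in ("sslCertificate", "sslPrivateKey"):
                if not step.get(key):
                    findings.append(f"webhook step {sid}: {key} not set")
            if len(str(step.get("prefix", ""))) < 16:  # assumed minimum length
                findings.append(f"webhook step {sid}: prefix missing or too short")
        if plugin == "opensearch" and step.get("verify") is not True:
            findings.append(f"opensearch step {sid}: verify is not true")
    return findings


def broken_pipeline():
    """The same definition with two mistakes: a dangling next and verify off."""
    bad = deepcopy(WEBHOOK_PIPELINE)
    bad["processor"]["next"] = [99]
    bad["output"]["verify"] = False
    return bad


if __name__ == "__main__":
    for finding in validate(broken_pipeline()):
        print(finding)
```

Running the module prints the findings for the deliberately broken copy: the dangling `next -> 99`, the fact that no output step is reachable any more, and the disabled `verify`. A real deployment would load the YAML file into the same dict shape (for example with a YAML library) and refuse to start while `validate()` returns anything.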
Beats pipeline example
An example beats pipeline can be downloaded from the below link: