# Configure Fluent-Bit to send logs to ELK

## Prerequisites

Fluent-Bit: <https://docs.fluentbit.io/manual/installation/windows#installing-from-exe-installer>

Let's begin by installing Fluent-Bit on Windows.

We have a log file named ***`network_sample.log`*** that needs to be ingested into the ELK stack. To extract the data accurately, we begin by crafting a regular expression that captures the required fields.

```regex
SRC=(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+DST=(?<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+PROTO=(?<protocol>\w+)\s+SPT=(?<src_port>\d+)?\s+DPT=(?<dst_port>\d+)?\s+LEN=(?<length>\d+)?\s+ACTION=(?<action>\w+)
```

Lines that carry `TYPE=`, `CODE=` and `ID=` fields instead of `SPT=`, `DPT=` and `LEN=` do not match the first expression, so we create a second one to accommodate them.

```regex
SRC=(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+DST=(?<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+PROTO=(?<protocol>\w+)\s+TYPE=(?<type>\w+)\s+CODE=(?<code>\d+)\s+ID=(?<id>\d+)\s+ACTION=(?<action>\w+)
```
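As an added example (not code from the page), here are the two patterns above applied in Python over constructed sample lines, so you can see which parser each line lands in and which fields come out before wiring them into Fluent Bit. Python's `re` uses `(?P<name>...)` where Fluent Bit's regex engine uses `(?<name>...)`; the IP octet dots are escaped so they match a literal `.` only.

```python
import re

# The page's two Fluent Bit patterns, translated to Python's (?P<name>...) group syntax.
# Dots in the IP octets are escaped so they match only a literal '.', not any character.
IP = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
FIREWALL_LOGS_1 = re.compile(
    rf"SRC=(?P<src_ip>{IP})\s+DST=(?P<dst_ip>{IP})\s+PROTO=(?P<protocol>\w+)\s+"
    r"SPT=(?P<src_port>\d+)?\s+DPT=(?P<dst_port>\d+)?\s+LEN=(?P<length>\d+)?\s+"
    r"ACTION=(?P<action>\w+)"
)
FIREWALL_LOGS_2 = re.compile(
    rf"SRC=(?P<src_ip>{IP})\s+DST=(?P<dst_ip>{IP})\s+PROTO=(?P<protocol>\w+)\s+"
    r"TYPE=(?P<type>\w+)\s+CODE=(?P<code>\d+)\s+ID=(?P<id>\d+)\s+ACTION=(?P<action>\w+)"
)
PARSERS = [("firewall-logs-1", FIREWALL_LOGS_1), ("firewall-logs-2", FIREWALL_LOGS_2)]


def parse_line(line: str) -> dict:
    """Return the structured record for one log line.

    The parsers are tried in order and the first match wins. A line that matches
    neither is kept as a raw 'log' field (with parser=None) so it stays visible
    in the index rather than being silently dropped.
    """
    for name, pattern in PARSERS:
        if m := pattern.search(line):
            record = {k: v for k, v in m.groupdict().items() if v is not None}
            record["parser"] = name
            return record
    return {"log": line, "parser": None}


def parse_lines(lines) -> list[dict]:
    return [parse_line(line) for line in lines if line.strip()]


# Constructed sample lines in the SRC=/DST=/PROTO=... layout the page's patterns expect;
# they are not taken from network_sample.log.
SAMPLE_LOG = """\
Jan 10 10:00:01 fw kernel: SRC=192.168.1.10 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=443 LEN=60 ACTION=ALLOW
Jan 10 10:00:02 fw kernel: SRC=192.168.1.11 DST=10.0.0.5 PROTO=ICMP TYPE=8 CODE=0 ID=1234 ACTION=DROP
Jan 10 10:00:03 fw kernel: SRC=unknown DST=10.0.0.5 PROTO=TCP ACTION=DROP
"""

if __name__ == "__main__":
    for record in parse_lines(SAMPLE_LOG.splitlines()):
        print(record)
```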

Next, we need to add these two expressions as parsers named `firewall-logs-1` and `firewall-logs-2` in the **`parsers.conf`** file located in **`C:\Program Files\fluent-bit\conf`**, so the input sections below can reference them.

Next, we need to configure the `fluent-bit.conf` file, located at `C:\Program Files\fluent-bit\conf`, to forward logs to the ELK stack.

```ini
[INPUT]
    Name         tail
    Parser       firewall-logs-1
    Path         C:\Users\NV\Downloads\network_sample.log
    Tag          firewall.logs-1

[INPUT]
    Name         tail
    Parser       firewall-logs-2
    Path         C:\Users\NV\Downloads\network_sample.log
    Tag          firewall.logs-2

[OUTPUT]
    Name          es
    Match         *
    Host          192.168.204.146
    Port          9200
    HTTP_User     elastic
    HTTP_Passwd   =Op+25maKY3GqC=IrV7m
    tls           on
    tls.verify    off
    Trace_Output  on
    Suppress_Type_Name on
```

This configuration tells **Fluent Bit** to read logs from a file (`C:\Users\NV\Downloads\network_sample.log`) and forward them to an **Elasticsearch** instance.

* **`Name tail`**: The `tail` input plugin reads log files line by line, similar to the `tail -f` command in Linux.
* **`Parser firewall-logs-1`**: The parser applied to each line. `firewall-logs-1` and `firewall-logs-2` are the two parsers defined in `parsers.conf` to extract structured fields from the logs; the second `[INPUT]` block tails the same file with `firewall-logs-2`.
* **`Path C:\Users\NV\Downloads\network_sample.log`**: The path to the log file to monitor. Fluent Bit will read new lines appended to this file.
* **`Tag firewall.logs-1`**: The tag attached to every record from this input; the `[OUTPUT]` block's `Match *` routes records of every tag.

For the **`OUTPUT`**:

* **`Name es`**: The `es` output plugin sends logs to Elasticsearch.
* **`Match *`**: Routes records from every tag (both inputs above) to this output.
* **`Host 192.168.204.146`**: The IP address or hostname of the Elasticsearch server.
* **`Port 9200`**: The port where Elasticsearch is listening (default is 9200).
* **`HTTP_User` / `HTTP_Passwd`**: The basic-auth credentials for Elasticsearch. They sit in clear text in `fluent-bit.conf`, so restrict the file's permissions, or reference an environment variable (`${ES_PASSWORD}`) instead of the literal password.
* **`tls on`**: Enables TLS/SSL encryption for communication with Elasticsearch.
* **`tls.verify off`**: Disables verification of the Elasticsearch server certificate. This is convenient in a lab with a self-signed certificate, but it leaves the connection open to interception; in production keep it `on` and point `tls.ca_file` at the CA certificate that signed the server's certificate.
* **`Trace_Output on`**: Prints the requests sent to Elasticsearch and their responses for debugging; turn it off once ingestion works.
* **`Suppress_Type_Name on`**: Omits the deprecated `_type` field from bulk requests, which Elasticsearch 8 rejects.
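As an added example (not from the page or the Fluent Bit project), a small audit script for the classic `fluent-bit.conf` format: it parses `[SECTION]` / `Key  Value` blocks and flags the settings discussed above in an `es` output (duplicate keys, `tls.verify off`, `Trace_Output on`, an inline password). The two configs it checks are constructed in the shape of the page's `[OUTPUT]` block with a placeholder password; `tls.ca_file` and `${ES_PASSWORD}` are the Fluent Bit TLS option and environment-variable syntax.

```python
import re
from collections import Counter

def parse_classic_config(text):
    """Parse the classic '[SECTION]' / 'Key  Value' format, keeping duplicate keys."""
    sections = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            sections.append((m.group(1).upper(), []))
        else:  # spaces or tabs separate key and value; keys are case-insensitive in Fluent Bit
            key, *rest = line.split(None, 1)
            sections[-1][1].append((key.lower(), rest[0] if rest else ""))
    return sections

def audit_es_output(text):
    """Flag settings in an [OUTPUT] es block that weaken transport security or expose secrets."""
    findings = []
    for section, pairs in parse_classic_config(text):
        kv = dict(pairs)
        if section != "OUTPUT" or kv.get("name") != "es":
            continue
        findings += [f"duplicate key '{k}': keep one" for k, n in Counter(k for k, _ in pairs).items() if n > 1]
        if kv.get("tls", "off").lower() != "on" or kv.get("tls.verify", "on").lower() == "off":
            findings.append("TLS off or unverified: set tls on, tls.verify on and tls.ca_file")
        if kv.get("trace_output", "off").lower() == "on":
            findings.append("trace_output on: request/response payloads are printed; disable outside debugging")
        if (pw := kv.get("http_passwd", "")) and not pw.startswith("${"):
            findings.append("http_passwd inline: use an environment variable such as ${ES_PASSWORD}")
    return findings

# Constructed configs in the shape of the page's [OUTPUT] block; the password is a placeholder.
WEAK = """[OUTPUT]
    name    \t  es
    match   \t  *
    Match         *
    HTTP_Passwd   placeholder-not-a-secret
    tls           on
    tls.verify    off
    Trace_Output  on
"""
HARDENED = """[OUTPUT]
    Name          es
    Match         *
    HTTP_Passwd   ${ES_PASSWORD}
    tls           on
    tls.verify    on
    tls.ca_file   C:\\ProgramData\\fluent-bit\\es-ca.crt
"""
```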

Now, let's run Fluent Bit:

```powershell
& 'C:\Program Files\fluent-bit\bin\fluent-bit.exe' -c 'C:\Program Files\fluent-bit\conf\fluent-bit.conf'
```

Since the `tail` input only picks up lines appended after it starts, duplicate a few lines within the ***`network_sample.log`*** file and save it to generate new events.

Finally, let's confirm that the parsed events are arriving in Elasticsearch.

