# Configure Fluent-Bit to send logs to ELK

## Prerequisites:

Fluent-Bit: <https://docs.fluentbit.io/manual/installation/windows#installing-from-exe-installer>

Let's begin by installing Fluent-Bit on Windows.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FvBiIB0VeAgCqRkYwDobd%2FScreenshot.png?alt=media&#x26;token=4029ed9d-42a2-43d3-b730-e588e4b5b3fe" alt=""><figcaption></figcaption></figure>

We have a log file named ***`network_sample.log`*** that needs to be ingested into the ELK stack. To extract the fields accurately, we first craft a regular expression for the lines it contains. Each IP octet separator is written as `\.`, because an unescaped `.` matches any character and would also accept strings that are not addresses. The `?` after the port and length groups lets a line with an empty `SPT=`, `DPT=` or `LEN=` value still match. The pattern goes on a single line in `parsers.conf`:

```regex
SRC=(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+DST=(?<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+PROTO=(?<protocol>\w+)\s+SPT=(?<src_port>\d+)?\s+DPT=(?<dst_port>\d+)?\s+LEN=(?<length>\d+)?\s+ACTION=(?<action>\w+)
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FQFQo9kFZ7vxqduHwTULo%2FScreenshot(2).png?alt=media&#x26;token=b5b71d54-a21f-4241-b116-233078f90aeb" alt=""><figcaption></figcaption></figure>

Lines that carry `TYPE=`, `CODE=` and `ID=` fields (ICMP-style entries) instead of ports do not match this pattern, so we create a second expression for them.

```regex
SRC=(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+DST=(?<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+PROTO=(?<protocol>\w+)\s+TYPE=(?<type>\w+)\s+CODE=(?<code>\d+)\s+ID=(?<id>\d+)\s+ACTION=(?<action>\w+)
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FSqv2R7ZReQJQ2iSLBjOl%2FScreenshot(3).png?alt=media&#x26;token=bbeabac8-cedb-4836-8f64-d0c1336e73cb" alt=""><figcaption></figcaption></figure>
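Before the two expressions go into `parsers.conf`, it is worth checking them against real lines with the engine Fluent Bit actually uses: its `regex` parsers run on Onigmo, which is Ruby's regex library, so a Ruby match is a faithful predictor of a Fluent Bit match. The script below is an added example, not code from the page; it applies both expressions (IP dots escaped, length group named `length`) in order, the way a `parser` filter with two `Parser` entries would, to a handful of constructed sample lines that are not taken from `network_sample.log`.

```ruby
# Added example (not from the page): check the two parser regexes against
# sample firewall lines using Ruby's Onigmo engine, the same regex library
# Fluent Bit uses for its `regex` parsers. Run with: ruby check_parsers.rb

# Regex for TCP/UDP lines (ports and length). Dots in the IP octets are
# escaped; the length field is named `length`.
FIREWALL_LOGS_1 = /SRC=(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+DST=(?<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+PROTO=(?<protocol>\w+)\s+SPT=(?<src_port>\d+)?\s+DPT=(?<dst_port>\d+)?\s+LEN=(?<length>\d+)?\s+ACTION=(?<action>\w+)/

# Regex for ICMP-style lines (TYPE/CODE/ID instead of ports).
FIREWALL_LOGS_2 = /SRC=(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+DST=(?<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+PROTO=(?<protocol>\w+)\s+TYPE=(?<type>\w+)\s+CODE=(?<code>\d+)\s+ID=(?<id>\d+)\s+ACTION=(?<action>\w+)/

# Same order a `parser` filter with two Parser keys would try them in.
PARSERS = {
  "firewall-logs-1" => FIREWALL_LOGS_1,
  "firewall-logs-2" => FIREWALL_LOGS_2,
}.freeze

# Returns the named captures plus the name of the parser that matched, or
# nil when no parser matches (Fluent Bit would then forward the raw line
# in the `log` key instead of structured fields).
def parse_line(line)
  PARSERS.each do |name, re|
    m = re.match(line)
    return m.named_captures.merge("parser" => name) if m
  end
  nil
end

def parse_all(lines)
  lines.map { |line| parse_line(line) }
end

# Constructed sample lines in the field layout the regexes expect; they
# are not taken from the page's network_sample.log. The last line is
# deliberately unparseable to show the no-match case.
SAMPLE_LINES = [
  "2024-01-10T12:00:01Z fw1 SRC=192.168.1.10 DST=10.0.0.5 PROTO=TCP SPT=44321 DPT=443 LEN=60 ACTION=ALLOW",
  "2024-01-10T12:00:02Z fw1 SRC=10.0.0.7 DST=192.168.1.1 PROTO=ICMP TYPE=8 CODE=0 ID=1234 ACTION=DROP",
  "2024-01-10T12:00:03Z fw1 SRC=172.16.0.9 DST=8.8.8.8 PROTO=UDP SPT=5353 DPT=53 LEN=120 ACTION=ALLOW",
  "2024-01-10T12:00:04Z fw1 link state change eth0 up",
].freeze

if __FILE__ == $PROGRAM_NAME
  parse_all(SAMPLE_LINES).each_with_index do |fields, i|
    puts fields ? "line #{i + 1}: #{fields.inspect}" : "line #{i + 1}: no parser matched"
  end
end
```

Unmatched optional groups (an empty `SPT=`) come back as `nil`, which is also what you will see as a missing key in Elasticsearch; a line that matches neither expression returns `nil` as a whole and would land in Elasticsearch as an unparsed `log` string.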

Next, we need to modify the **`parsers.conf`** file located in **`C:\Program Files\fluent-bit\conf`.**

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F7gwwtZ1mWmIrUqAFudSH%2FScreenshot(14).png?alt=media&#x26;token=590e9a31-6254-4956-a59e-9ea9edba39c2" alt=""><figcaption></figcaption></figure>
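The page shows `parsers.conf` only as a screenshot. Written out from the two regular expressions above, the `[PARSER]` stanzas that define the names `firewall-logs-1` and `firewall-logs-2` referenced by `fluent-bit.conf` look like this (an added example, not copied from the page; the optional `Types` line is an addition that stores ports and length as integers rather than strings in Elasticsearch):

```ini
[PARSER]
    Name    firewall-logs-1
    Format  regex
    Regex   SRC=(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+DST=(?<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+PROTO=(?<protocol>\w+)\s+SPT=(?<src_port>\d+)?\s+DPT=(?<dst_port>\d+)?\s+LEN=(?<length>\d+)?\s+ACTION=(?<action>\w+)
    Types   src_port:integer dst_port:integer length:integer

[PARSER]
    Name    firewall-logs-2
    Format  regex
    Regex   SRC=(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+DST=(?<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+PROTO=(?<protocol>\w+)\s+TYPE=(?<type>\w+)\s+CODE=(?<code>\d+)\s+ID=(?<id>\d+)\s+ACTION=(?<action>\w+)
    Types   type:integer code:integer id:integer
```

Each `Regex` value must stay on one line; the classic configuration format takes everything after the key name as the literal value, so no extra escaping of the backslashes is needed.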

Next, we need to configure the `fluent-bit.conf` file, located at `C:\Program Files\fluent-bit\conf`, to forward logs to the ELK stack.

```ini
[INPUT]
    Name         tail
    Parser       firewall-logs-1
    Path         C:\Users\NV\Downloads\network_sample.log
    Tag          firewall.logs-1

[INPUT]
    Name         tail
    Parser       firewall-logs-2
    Path         C:\Users\NV\Downloads\network_sample.log
    Tag          firewall.logs-2

[OUTPUT]
    Name               es
    Match              *
    Host               192.168.204.146
    Port               9200
    HTTP_User          elastic
    HTTP_Passwd        =Op+25maKY3GqC=IrV7m
    tls                on
    tls.verify         off
    Trace_Output       on
    Suppress_Type_Name on
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FrBned5QnrANzWFn99UAt%2FScreenshot(2).png?alt=media&#x26;token=0ebec6cf-5d6c-450a-889c-8322764a1b67" alt=""><figcaption></figcaption></figure>

This configuration tells **Fluent Bit** to tail `C:\Users\NV\Downloads\network_sample.log` and forward what it reads to an **Elasticsearch** instance. Note that both `[INPUT]` blocks tail the same file: every line is read twice, once per input, and a line that an input's parser cannot match is still emitted by that input with the raw text in the `log` key, so expect duplicate documents in the index. That is acceptable for a lab; a single `tail` input followed by a `parser` filter that lists both parsers avoids the duplication.

* **`Name tail`**: The `tail` input plugin reads a log file line by line as it grows, similar to `tail -f` on Linux.
* **`Parser firewall-logs-1`**: The parser applied to each line. It is defined in `parsers.conf` and turns the groups captured by the regular expression into structured fields; lines it does not match are passed through unparsed.
* **`Path C:\Users\NV\Downloads\network_sample.log`**: The file to monitor. By default `tail` starts at the end of the file and only picks up lines appended after Fluent Bit starts; set `Read_from_Head on` to ingest content that is already there.
* **`Tag firewall.logs-1`**: The tag attached to every record from this input, which the `Match` rule of the output selects on.

For the **`OUTPUT`**:

* **`Name es`**: The `es` output plugin sends records to Elasticsearch over its HTTP bulk API.
* **`Match *`**: Forwards records from every input regardless of tag.
* **`Host 192.168.204.146`**: The IP address or hostname of the Elasticsearch server.
* **`Port 9200`**: The port Elasticsearch listens on (default 9200).
* **`HTTP_User` / `HTTP_Passwd`**: Basic-auth credentials for Elasticsearch, stored here in plaintext. Restrict read access to `fluent-bit.conf` accordingly, or reference an environment variable (`${ES_PASSWORD}`) instead of the literal value.
* **`tls on`**: Encrypts the connection to Elasticsearch with TLS.
* **`tls.verify off`**: Skips verification of the server certificate. The connection is still encrypted, but anyone who can redirect traffic to port 9200 can present their own certificate and collect the credentials and the logs. Use it only in a lab with a self-signed certificate; otherwise keep verification on and point `tls.ca_file` at the cluster's CA certificate.
* **`Trace_Output on`**: Prints every request sent to Elasticsearch, including the log records themselves, to Fluent Bit's standard output. Useful for debugging, noisy and a data-leak risk in production.
* **`Suppress_Type_Name on`**: Omits the deprecated `_type` from bulk requests. Required for Elasticsearch 8.x, which rejects typed requests.
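For anything beyond a throwaway lab the weak settings above can be tightened without changing the pipeline. The configuration below is an added example, not the page's own file: it reads the file once and tries both parsers in a `parser` filter, takes the password from an `ES_PASSWORD` environment variable (set it in the same PowerShell session before launching, e.g. `$env:ES_PASSWORD = '...'`), and verifies the Elasticsearch certificate against a CA file. The CA path is an assumption; export the cluster's HTTP CA certificate from the Elasticsearch node and place it there first. The `Parsers_File` entry is what lets the filter find the parser names; the installed default `fluent-bit.conf` already carries one.

```ini
[SERVICE]
    Flush          5
    Log_Level      info
    Parsers_File   C:\Program Files\fluent-bit\conf\parsers.conf

# One input for the file, so each line is read exactly once.
[INPUT]
    Name           tail
    Path           C:\Users\NV\Downloads\network_sample.log
    Tag            firewall.logs

# Parsing moves to a filter: firewall-logs-1 is tried first, then
# firewall-logs-2; the first match wins. Reserve_Data keeps the original
# keys of a record that no parser matches instead of dropping them.
[FILTER]
    Name           parser
    Match          firewall.*
    Key_Name       log
    Parser         firewall-logs-1
    Parser         firewall-logs-2
    Reserve_Data   On

[OUTPUT]
    Name               es
    Match              firewall.*
    Host               192.168.204.146
    Port               9200
    HTTP_User          elastic
# Secret comes from the environment instead of being written into the file.
    HTTP_Passwd        ${ES_PASSWORD}
    tls                On
# Verify the server certificate against the cluster CA (assumed path).
    tls.verify         On
    tls.ca_file        C:\Program Files\fluent-bit\conf\elasticsearch-http-ca.crt
    Suppress_Type_Name On
```

`Trace_Output` is left out on purpose; turn it on only while debugging, then remove it again. If the certificate check fails at startup, Fluent Bit logs a TLS handshake error on the output and buffers the records rather than sending them in the clear.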

Now, let's run Fluent Bit:

```powershell
& 'C:\Program Files\fluent-bit\bin\fluent-bit.exe' -c 'C:\Program Files\fluent-bit\conf\fluent-bit.conf'
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FXNigi2ACIWJTybIjEWNd%2FScreenshot(3).png?alt=media&#x26;token=c0f4e22e-b1db-4b49-945b-418e30bcef4a" alt=""><figcaption></figcaption></figure>

Because `tail` starts at the end of the file, nothing is sent until new lines arrive. To generate some, duplicate a few existing lines at the end of ***`network_sample.log`*** and save the file; with `Trace_Output on` the resulting bulk requests appear in the Fluent Bit console.

Let's confirm in Kibana that the logs arrived in Elasticsearch with the fields the parsers extracted.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FPzMx0HIklSy2urKcyJUW%2FScreenshot.png?alt=media&#x26;token=b56b321c-a4ee-4739-b909-3adac2d4de7f" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FoxxWYCUuIDu222CndvsN%2FScreenshot(4).png?alt=media&#x26;token=2168ee78-6ef7-47da-b429-5db68b541755" alt=""><figcaption></figcaption></figure>
