Configure Fluent Bit to send logs to ELK
Prerequisites:
Fluent Bit for Windows (EXE installer): https://docs.fluentbit.io/manual/installation/windows#installing-from-exe-installer
Let's begin by installing Fluent Bit on Windows from that installer.

We have a log file named network_sample.log that needs to be ingested into the ELK stack. To extract the fields reliably, we start by writing a regular expression that matches the structure of its lines. Fluent Bit's regex parser uses the Onigmo library in Ruby mode, so fields are captured with named groups of the form (?<name>...). The dots between the address octets are escaped: an unescaped dot matches any character and would accept malformed addresses.
SRC=(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+DST=(?<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+PROTO=(?<protocol>\w+)\s+SPT=(?<src_port>\d+)?\s+DPT=(?<dst_port>\d+)?\s+LEN=(?<length>\d+)?\s+ACTION=(?<action>\w+)

Lines that carry TYPE=, CODE= and ID= fields in place of SPT=, DPT= and LEN= (typically ICMP entries) do not match that expression. A second one accommodates them:
SRC=(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+DST=(?<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+PROTO=(?<protocol>\w+)\s+TYPE=(?<type>\w+)\s+CODE=(?<code>\d+)\s+ID=(?<id>\d+)\s+ACTION=(?<action>\w+)
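Before the two expressions go into parsers.conf it is worth dry-running them. The script below is an added example, not part of the original page: Fluent Bit's regex parser is built on Onigmo, the same engine Ruby uses, so a pattern that behaves here behaves the same way inside Fluent Bit. The three log lines are constructed for the example and only assume the key=value layout the regexes imply; the third one has a deliberately malformed SRC address to show why the dots must be escaped.

```ruby
# Added example (not from the original page): dry-run the two parser regexes
# against constructed sample lines before putting them in parsers.conf.
# Fluent Bit's regex parser uses Onigmo, the same engine as Ruby, so results
# here carry over to Fluent Bit.

# Dots in the address fields are escaped: an unescaped "." matches any
# character, so a malformed value such as 1921168.1.1 would be accepted.
IPV4 = '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'.freeze

PARSERS = {
  # TCP/UDP-style lines: ports and length
  'firewall-logs-1' => /SRC=(?<src_ip>#{IPV4})\s+DST=(?<dst_ip>#{IPV4})\s+PROTO=(?<protocol>\w+)\s+SPT=(?<src_port>\d+)?\s+DPT=(?<dst_port>\d+)?\s+LEN=(?<length>\d+)?\s+ACTION=(?<action>\w+)/,
  # Lines carrying TYPE/CODE/ID instead of ports (typically ICMP)
  'firewall-logs-2' => /SRC=(?<src_ip>#{IPV4})\s+DST=(?<dst_ip>#{IPV4})\s+PROTO=(?<protocol>\w+)\s+TYPE=(?<type>\w+)\s+CODE=(?<code>\d+)\s+ID=(?<id>\d+)\s+ACTION=(?<action>\w+)/
}.freeze

# The unescaped address pattern, kept only to show what it wrongly accepts.
UNESCAPED_SRC = /SRC=(?<src_ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\s+DST=/

# Try the parsers in order, the way a Fluent Bit parser filter with several
# Parser entries does, and return [parser_name, fields] for the first match.
# nil means no parser applies; Fluent Bit would then pass the raw line through.
def parse_line(line)
  PARSERS.each do |name, re|
    m = re.match(line)
    next unless m
    return [name, m.names.to_h { |n| [n, m[n]] }]
  end
  nil
end

# true when the unescaped pattern accepts the SRC field of this line
def unescaped_accepts?(line)
  !UNESCAPED_SRC.match(line).nil?
end

# Constructed sample lines (not taken from any real network_sample.log)
SAMPLE_LINES = [
  'SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=51514 DPT=443 LEN=60 ACTION=ALLOW',
  'SRC=10.0.0.9 DST=192.168.1.1 PROTO=ICMP TYPE=8 CODE=0 ID=1234 ACTION=DROP',
  'SRC=1921168.1.1 DST=10.0.0.1 PROTO=TCP SPT=1 DPT=22 LEN=40 ACTION=DROP' # malformed SRC
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LINES.each do |line|
    puts "#{line}\n  -> #{parse_line(line).inspect} (unescaped pattern accepts: #{unescaped_accepts?(line)})"
  end
end
```

Run it with ruby and compare the field hashes with what you expect to see in Elasticsearch; any line that comes back as nil is one your parsers will let through unparsed.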

Next, we add one [PARSER] entry per regular expression to the parsers.conf file located in C:\Program Files\fluent-bit\conf. Each entry needs a Name (this is the name fluent-bit.conf refers to), Format regex, and the Regex itself written on a single line.
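The two entries, written out here as an added example of what the parsers.conf edit looks like (the page's own parsers.conf contents are not shown). The names match the ones fluent-bit.conf references; the Types line is an optional cast so the numeric fields are indexed as integers rather than strings.

```ini
# Added example: the two [PARSER] entries for parsers.conf
[PARSER]
    Name    firewall-logs-1
    Format  regex
    Regex   SRC=(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+DST=(?<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+PROTO=(?<protocol>\w+)\s+SPT=(?<src_port>\d+)?\s+DPT=(?<dst_port>\d+)?\s+LEN=(?<length>\d+)?\s+ACTION=(?<action>\w+)
    Types   src_port:integer dst_port:integer length:integer

[PARSER]
    Name    firewall-logs-2
    Format  regex
    Regex   SRC=(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+DST=(?<dst_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+PROTO=(?<protocol>\w+)\s+TYPE=(?<type>\w+)\s+CODE=(?<code>\d+)\s+ID=(?<id>\d+)\s+ACTION=(?<action>\w+)
    Types   code:integer id:integer
```

Keep each Regex on one line; the line breaks in the expressions shown earlier on this page are only display wrapping.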

Next, we configure the fluent-bit.conf file, located at C:\Program Files\fluent-bit\conf, to read the file, apply the parsers and forward the records to the ELK stack.
[INPUT]
    Name                tail
    Path                C:\Users\NV\Downloads\network_sample.log
    Tag                 firewall.logs
    # Set Read_from_Head On to also ingest the lines already in the file

[FILTER]
    Name                parser
    Match               firewall.*
    Key_Name            log
    # Parsers are tried in order; the first match wins and a line matching
    # neither is passed on unchanged with the raw text still in "log"
    Parser              firewall-logs-1
    Parser              firewall-logs-2

[OUTPUT]
    Name                es
    Match               *
    Host                192.168.204.146
    Port                9200
    HTTP_User           elastic
    # Clear-text credential: restrict the ACL on this file
    HTTP_Passwd         =Op+25maKY3GqC=IrV7m
    tls                 On
    # Lab setting only: with verification off the log stream can be intercepted.
    # Outside a lab set tls.verify On and point tls.ca_file at the CA certificate
    tls.verify          Off
    # Debug only: prints every request and response, log content included
    Trace_Output        On
    Suppress_Type_Name  On

This configuration makes Fluent Bit read lines from the file (C:\Users\NV\Downloads\network_sample.log), run each line through the two parsers and forward the resulting records to an Elasticsearch instance.
For the INPUT:
Name tail: the tail input plugin reads the file line by line, similar to the tail -f command on Linux. It starts at the end of the file, so only lines appended after Fluent Bit starts are ingested; set Read_from_Head On to read what is already there once.
Path: the log file to monitor.
Tag firewall.logs: the tag attached to every record; the filter and output select records by tag.
For the FILTER:
Name parser: applies a parser from parsers.conf to one field of each record. Key_Name log is the field in which tail stores the raw line. The two Parser entries are tried in order: the first that matches replaces the raw line with its named groups, and a line that matches neither is passed on unchanged with the text still in log, so documents in Elasticsearch that still carry a log field point at lines the regular expressions do not cover. Tailing the same file from two separate inputs, one per parser, would instead read every line twice and index each one twice, once parsed and once raw.
For the OUTPUT:
Name es: the es output plugin sends records to Elasticsearch.
Host 192.168.204.146: the IP address or hostname of the Elasticsearch server.
Port 9200: the port Elasticsearch listens on (9200 by default).
HTTP_User / HTTP_Passwd: HTTP basic authentication credentials. The password sits in clear text in this file, so restrict the ACL on the conf directory and do not commit the file anywhere.
tls on: encrypts the connection to Elasticsearch with TLS.
tls.verify off: skips certificate verification. That is what makes a self-signed lab certificate work, but it also means anyone who can redirect the traffic can read or alter the log stream before it reaches Elasticsearch. Outside a lab, set tls.verify On and point tls.ca_file at the CA that signed the Elasticsearch certificate.
Trace_Output on: prints every request and response to the console, including the log content, for debugging; turn it off once forwarding works.
Suppress_Type_Name on: omits the _type name from bulk requests, which Elasticsearch 8 rejects.
Now, let's run Fluent Bit:
& 'C:\Program Files\fluent-bit\bin\fluent-bit.exe' -c 'C:\Program Files\fluent-bit\conf\fluent-bit.conf'

Because tail starts at the end of the file, nothing is sent until new lines arrive. Open network_sample.log, duplicate a few lines (at least one matching each regular expression) and save the changes. With Trace_Output on, the console shows the bulk request and Elasticsearch's response for every flush.
Then confirm in ELK that the records arrived parsed. Unless you set an Index in the output, the es plugin writes to the fluent-bit index: search it in Kibana Discover (or with GET /fluent-bit/_search) and check that src_ip, dst_ip, protocol and action appear as separate fields rather than as one log string.
