The airline, founded in 2016 and owned by Saudi flag carrier Saudia, is based at King Abdulaziz International Airport in Jeddah. It currently serves domestic destinations with a sizeable fleet of Airbus aircraft. The venture is part of the group's 2020 Transformation Strategy, which aims to raise the group's business units to world-class status by 2020.
Network devices such as the WLAN controller, routers and switches send syslog to centralized servers. Filebeat, installed on the centralized server, reads the stored log files and ships them to the ELK stack. We can either use Logstash to parse the data or simply rely on the Filebeat modules to do the parsing. Filebeat's o365 module is also used to pull the Exchange Online audit logs from the Office 365 Management Activity API.
Linux servers use Metricbeat and Auditbeat to send resource metrics and audit trails to the ELK stack. Similarly, Windows servers use Winlogbeat to ship Windows event logs to the stack.
ELK runs as a hosted SaaS solution. Auditbeat and Metricbeat are installed on the Linux machines to send audit-related logs and metrics to the ELK stack. Since the VMs are deployed in the cloud, we use the cloud provider's native services/libraries to roll these agents out automatically whenever a new VM spins up. Winlogbeat is installed on Windows to collect the Security event log.
The Cisco devices and the WLAN controller send their logs via syslog to a centralized server. Either Logstash or syslog-ng can receive these logs. The Filebeat agent installed on the syslog server reads the stored log files and parses them with the standard modules. syslog-ng is the better choice when the same logs also have to be forwarded to other solutions.
When Logstash is the receiver, we can capture the logs and define individual pipelines to parse them according to the requirements. We have also deployed Filebeat on the WLAN controller to capture the access point logs. Filebeat reads the stored access point logs and sends them either directly to the ELK stack or to Logstash, in case the logs need custom parsing.
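As an added example (this is not configuration from the deployment described above), here is a filebeat.yml for the centralized syslog server: the cisco module's ios fileset reads the files that syslog-ng writes, and the parsed events go to the hosted Elastic cluster, with the Logstash output shown as the alternative for custom pipelines. The file path /var/log/remote/cisco/*.log, the keystore entries and the Logstash host are assumptions, not values from the page.

```yaml
# filebeat.yml on the centralized syslog server (added example, not the page's own config).
# Assumptions: syslog-ng writes the Cisco IOS / WLC messages to /var/log/remote/cisco/*.log,
# and the hosted ELK cluster is reachable through an Elastic Cloud ID held in the keystore.
filebeat.modules:
  - module: cisco
    ios:
      enabled: true
      # The ios fileset listens on UDP by default; switch it to reading the files
      # syslog-ng already stores, so the same files can also be forwarded elsewhere.
      var.input: file
      var.paths: ["/var/log/remote/cisco/*.log"]
      # The module strips the syslog header and maps the %FACILITY-SEVERITY-MNEMONIC
      # message into ECS fields (event.code, event.severity, cisco.ios.*).

# Tag every event with the source class so dashboards can separate device types.
processors:
  - add_fields:
      target: observer
      fields:
        vendor: cisco
        type: network

# Option 1: ship straight to the hosted cluster. The module's ingest pipelines
# and dashboards are installed there once with `filebeat setup`.
cloud.id: "${CLOUD_ID}"       # stored with: filebeat keystore add CLOUD_ID
cloud.auth: "${CLOUD_AUTH}"   # user:password, also from the keystore

# Option 2 (uncomment and remove cloud.* above): hand events to Logstash when a
# custom pipeline must enrich or reshape them before indexing.
# output.logstash:
#   hosts: ["logstash.internal:5044"]
#   ssl.certificate_authorities: ["/etc/filebeat/ca.crt"]
```

Before starting the service, `filebeat modules enable cisco`, `filebeat test config` and `filebeat test output` confirm that the module is active, the YAML is valid and the output credentials work; the module's ingest pipeline only parses the messages correctly if syslog-ng stores the original syslog line rather than a reformatted template.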
The Filebeat o365 module is used to fetch security and audit logs from Office 365; the Azure AD app it authenticates as is granted the following API permissions:
- User.Read
- ActivityFeed.Read
- ActivityFeed.ReadDlp
- ServiceHealth.Read
Filebeat is installed on the centralized server, from where it queries the Office 365 cloud to retrieve the logs. An alternative is to stand up an instance in the same cloud environment where Office 365 is hosted and install the Filebeat agent there. With either approach, an app has to be registered in Azure AD and granted the permissions above (with admin consent) so that Filebeat can read the logs; the Management Activity API only returns audit data once unified audit logging is enabled for the tenant.
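As an added example (not the deployment's own configuration), the o365 module section of filebeat.yml that corresponds to the app registration described above. The application ID, tenant ID, tenant name and keystore entry are placeholders, not values from the page.

```yaml
# filebeat.yml, o365 module section (added example, not the page's own config).
# Assumptions: an Azure AD app registration exists with the permissions listed
# above and admin consent granted, unified audit logging is enabled on the tenant,
# and the IDs below are placeholders.
filebeat.modules:
  - module: o365
    audit:
      enabled: true
      # Application (client) ID of the registered app.
      var.application_id: "00000000-0000-0000-0000-000000000000"
      var.tenants:
        - id: "11111111-1111-1111-1111-111111111111"   # directory (tenant) ID
          name: "example.onmicrosoft.com"
      # Keep the secret out of the file: filebeat keystore add O365_CLIENT_SECRET
      var.client_secret: "${O365_CLIENT_SECRET}"
      # Management Activity API content types to subscribe to. Audit.Exchange
      # carries the Exchange audit trail; DLP.All requires ActivityFeed.ReadDlp.
      var.content_type:
        - "Audit.AzureActiveDirectory"
        - "Audit.Exchange"
        - "Audit.SharePoint"
        - "Audit.General"
        - "DLP.All"
      # Certificate authentication instead of a client secret, if policy requires it:
      # var.certificate: "/etc/filebeat/o365.pem"
      # var.key: "/etc/filebeat/o365.key"
      # var.key_passphrase: "${O365_KEY_PASSPHRASE}"
```

`filebeat modules enable o365` followed by `filebeat setup` loads the module's ingest pipeline and dashboards into the hosted cluster; if events stop arriving, check that the client secret has not expired in the app registration, since the module has no way to renew it.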