
Logstash Integration

Overview

Logstash is a server-side data processing pipeline that ingests, transforms, and forwards logs. KYRA MDR can receive logs from Logstash for centralized security monitoring with advanced parsing.

Prerequisites

  • A KYRA MDR Collector installed and running
  • Logstash 7.x or 8.x installed
  • Network connectivity from Logstash to the collector
  • Java 11 or later

Configuration

Configure Logstash:

/etc/logstash/conf.d/kyra-mdr.conf

input {
  beats {
    port => 5044
  }
  syslog {
    port => 5514
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:hostname} %{DATA:program}: %{GREEDYDATA:message}" }
      # Without overwrite, grok appends to the existing field and "message" becomes an array
      overwrite => [ "message" ]
    }
  }
}

output {
  tcp {
    host => "<collector-ip>"
    port => 514
    codec => json_lines
  }
}

Restart Logstash:

sudo systemctl restart logstash
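As an added example (not part of the KYRA MDR documentation or of Logstash itself), the script below mirrors the filter and output stages of the configuration above in Python: it applies the same grok match to constructed syslog events, shows why the overwrite of the message field matters, and decodes the json_lines stream exactly as the collector receives it. The regexes are simplified approximations of Logstash's built-in grok definitions.

```python
import json
import re

# Simplified equivalents of the grok patterns used in the filter above
# (assumption: RFC3164 "Mon dd HH:MM:SS" timestamps and plain-token hostnames).
SYSLOGTIMESTAMP = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}"
SYSLOGHOST = r"[\w.-]+"
PATTERN = re.compile(
    rf"^(?P<timestamp>{SYSLOGTIMESTAMP}) (?P<hostname>{SYSLOGHOST}) "
    r"(?P<program>.*?): (?P<message>.*)$"
)


def grok_syslog(event: dict, overwrite_message: bool = True) -> dict:
    """Apply the page's grok match to event['message'], mirroring grok semantics:
    no match tags the event _grokparsefailure; a match adds the captured fields.
    Without overwrite, grok appends to an existing field, so 'message' becomes
    a list [original, parsed] instead of the cleaned-up body."""
    m = PATTERN.match(event["message"])
    if not m:
        event.setdefault("tags", []).append("_grokparsefailure")
        return event
    for key, value in m.groupdict().items():
        if key in event and not overwrite_message:
            event[key] = [event[key], value]
        else:
            event[key] = value
    return event


def to_json_lines(events) -> str:
    """Encode events as the json_lines codec does: one JSON object per line."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in events)


def parse_json_lines(payload: str):
    """Decode a json_lines stream as received on the collector's TCP port.
    Returns (events, malformed_lines) so a broken line does not drop the batch."""
    events, bad = [], []
    for line in payload.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad.append(line)
    return events, bad


# Constructed sample events, shaped as the filter stage would see them.
SAMPLE = [
    {"type": "syslog", "message": "Mar  5 14:02:11 fw01 sshd[2231]: Failed password for root from 203.0.113.7 port 4022 ssh2"},
    {"type": "syslog", "message": "not a syslog line"},
]

if __name__ == "__main__":
    print(to_json_lines(grok_syslog(dict(e)) for e in SAMPLE))
```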

Collected Log Types

| Log Type        | Description                      | Security Use              |
|-----------------|----------------------------------|---------------------------|
| Beats Input     | Filebeat, Winlogbeat events      | Multi-source collection   |
| Syslog Input    | Network device syslog            | Infrastructure monitoring |
| Custom Parsing  | Grok-parsed structured events    | Application security      |
| Enriched Events | GeoIP and DNS enriched events    | Threat context            |
| Filtered Events | Security-filtered event stream   | Focused threat detection  |
| Metrics         | Pipeline processing metrics      | Health monitoring         |

Troubleshooting

No output: Verify output configuration and test connectivity to the collector.

Parsing failures: Use the Grok Debugger to test patterns.

Performance: Allocate at least 4 GB of heap (-Xmx4g) for production workloads.

Contact kyra@seekerslab.com for support.