Skip to content

Documentation for setting up an all-in-one syslog filebeat relay server with VPN hosted on Azure.


Logshipper

Below are instructions for configuring multiple filebeat processes to listen for Syslog over multiple ports and sending those logs securely to a kibana service (in our case Perch).

The hardware used are Meraki firewalls configured with a Site-to-Site VPN connection directly to the server.

Follow a previous document here to do the initial SELinux setup.

Prereqs

This document assumes you've setup SELinux on Debian and are in passive mode.

VPN Server Setup

Initial Azure Configuration

  • Navigate to the Network Interface of the VM and Enable IP Forwarding.
  • Open UDP Port 500 and UDP Port 4500 in the network security group.
  • Change the private IP address from Dynamic to Static (usually 10.).
  • Create a Route Table in the resource group.
  • Add a route to match the firewall private subnet to the VM private IP address.
Client Subnet: 192.168.100.0/24
VM IP: 10.0.0.4
  • Associate the Route Table Subnet with the VM subnet.

Debian Configuration

  • Install Strongswan
sudo apt install strongswan -y
  • Set the following kernel parameters in /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.tun0.disable_ipv6 = 1
  • Load the sysctl file.
sudo sysctl -p /etc/sysctl.conf
  • Edit the global configuration /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration

config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn %default
    ikelifetime=1440m
    rekeymargin=3m
    keyingtries=%forever
    keyexchange=ikev1
    authby=secret
    dpdaction=restart
    dpddelay=30

conn client1
    left=%defaultroute
    leftsubnet=10.0.0.0/24 #Azure VM Subnet
    leftid=20.xxx.xxx.28 #Azure VM Public IP
    leftfirewall=yes
    right=203.xxx.xxx.242 #Remote Meraki MX IP
    rightsubnet=192.168.100.0/24 #Remote MX Subnet
    rightid=203.xxx.xxx.242
    auto=add
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    keyexchange=ikev1
  • Generate a Pre-Shared key
head -c 24 /dev/urandom | base64
  • Set the IPSec Pre-Shared Key by editing /etc/ipsec.secrets
# VMPublicIP   MXPublicIP
20.xxx.xxx.28 203.xxx.xxx.242 : PSK "YourPreSharedKey!"
  • Start the service on boot.
sudo systemctl enable strongswan-starter
  • Start the service.
sudo systemctl start strongswan-starter
  • Start the VPN.
sudo ipsec restart
  • Start the VPN tunnel
sudo ipsec up client1
  • Get the status of the tunnel
sudo ipsec status

Meraki Configuration

  • Setup a new Site-to-Site configuration.
  • Select IKEv1
  • Use an IPSEC Policy with the following settings.
Preset: Custom
Phase 1
Encryption: AES 256
Authentication: SHA1
Diffie-Hellman group: 2
Lifetime: 28800
Phase 2
Encryption: AES 256
Authentication: SHA1, MD5
PFS group: Off
Lifetime: 3600
  • Set the Private subnets to the same as the VM private subnet.
  • Set the availability to All networks or a tag specified for just the firewall.
  • Check the connection of the VPN using the following command.
sudo ipsec status

You should now see a connection established.

Additional Client VPN Configuration

  • Add a route to the route table as client1.
  • Add additional conn client2 block to /etc/ipsec.conf.
conn client2
    left=%defaultroute
    leftsubnet=10.0.0.0/24 #Azure VM Subnet
    leftid=20.xxx.xxx.28 #Azure VM Public IP
    leftfirewall=yes
    right=202.xxx.xxx.242 #Remote Meraki MX IP
    rightsubnet=192.168.200.0/24 #Remote MX Subnet
    rightid=202.xxx.xxx.242
    auto=add
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
  • Generate a Pre-Shared key
head -c 24 /dev/urandom | base64
  • Set the IPSec Pre-Shared Key by editing /etc/ipsec.secrets
# VMPublicIP   MXPublicIP
20.xxx.xxx.28 203.xxx.xxx.242 : PSK "YourPreSharedKey!"
  • Configure the connection on the Meraki FW.
  • Bring up the connection.
sudo ipsec restart
sudo ipsec up client2
  • Validate the connection status.
sudo ipsec status

Setup and configure Filebeat

  • Find a link to the latest version of Filebeat from Debian: Download Filebeat
  • Download the Filebeat deb on the Debian server.
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.3.1-amd64.deb
  • Install Filebeat.
sudo dpkg -i filebeat-8.3.1-amd64.deb
  • Enable the system module.
sudo filebeat modules enable system
  • Enable the cisco module
sudo filebeat modules enable cisco
  • Create the config directory.
sudo mkdir /etc/filebeat/configs
  • Create the client configuration for Filebeat.
  • Edit /etc/filebeat/configs/client1.yml
  • Change the syslog_port to an unused port.
filebeat.config:
	modules:
		enabled: true
		path: modules.d/*.yml
		reload.enabled: true
		reload.period: 10s
output.elasticsearch:
    hosts: ["ingest.perchsecurity.com:443/elastic"]
    headers:
    X-Perch-Header: "Perch API Key"
    protocol: "https"
    compression_level: 5
	allow_older_versions: true
migration.6_to_7.enabled: true
filebeat.modules:
- module: cisco
	meraki:
	enabled: true
	var.syslog_host: 0.0.0.0
	var.syslog_port: 42000
	var.log_level: 5
  • Create the Filebeat data directory for clients.
sudo mkdir -p /opt/filebeat/client1
  • Test the configuration
sudo filebeat -e -c /etc/filebeat/configs/client1.yml --path.data /opt/filebeat/client1
  • Create the service file
sudo vi /etc/systemd/system/filebeat-client1.service
[Unit]
Description=Filebeat for Client1

[Service]
User=root
WorkingDirectory=/usr/share/filebeat
ExecStart=filebeat -e -c /etc/filebeat/configs/client1.yml --path.data /opt/filebeat/client1
Restart=always

[Install]
WantedBy=multi-user.target
  • Reload the daemon service
sudo systemctl daemon-reload
  • Enable and start the service
sudo systemctl enable filebeat-client1.service && sudo systemctl start filebeat-client1.service

Adding additional clients

  • Create a new client data directory.
sudo mkdir /opt/filebeat/client2
  • Copy the existing Filebeat config to a new client.
sudo cp /etc/filebeat/configs/client1.yml /etc/filebeat/configs/client2.yml
  • Edit the new config and change the syslog port and API key.
  • Copy the filebeat service file from another client.
sudo cp /etc/systemd/system/filebeat-client1.service /etc/systemd/system/filebeat-client2.service
  • Edit the new service file and specify a different config and client data directory.
  • Reload the daemon, enable the service, start the service.
sudo systemctl daemon-reload && sudo systemctl enable filebeat-client2.service && sudo systemctl start filebeat-client2.service

Send Meraki Logs

  • Navigate to Network Wide -> General -> Configure in the Meraki Dashboard.
  • Add a syslog server for the LAN IP of the log shipper server.
  • Select all logs.
  • Validate the logs are ingesting into your logging software.

Post Setup

  • Take the necessary steps in SELinux to button up the system.