Check Logstash is running
This is done by opening a terminal on the collector and running the following command to check the status of the Logstash service:
sudo systemctl status logstash
This will return a result such as the below:
logstash.service - logstash
Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2023-06-27 10:00:23 BST; 1 day 3h ago
Main PID: 467 (java)
Tasks: 49 (limit: 2317)
Memory: 561.3M
CPU: 8min 42.076s
If Logstash is not running (the output does not show Active: active (running)), you can start it by running the following command:
sudo systemctl start logstash
Check connectivity to the Defense.com SIEM platform
The next thing to check is if you're still able to get a connection through to our SIEM platform by running the following netcat command:
nc -v kafka-bootstrap.defense.com 443
Obtain a copy of the Logstash logs
A copy of the Logstash logs is very useful, as this gives us an indication as to the cause of the problem. Please provide a copy of the logstash-plain.log file, which is located at:
/var/log/logstash/logstash-plain.log
Check public IP address of your collector
Sometimes a change of Internet Service Provider can happen, or your public IP address can change. To ensure we're whitelisting the current IP address, please check and provide us with your public IP address by running the following command in the terminal:
curl -4 ifconfig.co
Check your keystore.jks file is valid
There can sometimes be issues with the Logstash certificate (keystore.jks file).
You can check if the keystore.jks file is valid by following the steps in our support guide at:
Check your internal SSL Certificate is valid
Finally, we need to check your internal SSL Certificate is still valid. You can do this by running the following command from the terminal:
openssl x509 -in /path/to/cert -noout -enddate
Replace /path/to/cert with the path to your Certificate. The -noout flag prints only the notAfter expiry date rather than the whole certificate.
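As an added example (not part of this guide or Defense.com's own tooling), the script below wraps the checks above into one collector health check. The parsing lives in small functions that take text as arguments so it can be exercised without a live collector; it assumes GNU date (date -d), and CERT_PATH is a placeholder you must set to your certificate.

```shell
#!/bin/sh
# Collector health check covering the steps in this guide (added example).
# Assumes GNU date; CERT_PATH is a placeholder for your internal certificate.
CERT_PATH="${CERT_PATH:-/path/to/cert}"
SIEM_HOST="kafka-bootstrap.defense.com"

# Return 0 when systemctl status text reports the unit as active (running).
is_active_running() {
  printf '%s\n' "$1" | grep -q 'Active: active (running)'
}

# Given "notAfter=Jun 27 10:00:23 2024 GMT" (openssl -enddate output) and a
# reference epoch, print whole days until expiry (negative once expired).
cert_days_left() {
  end_epoch=$(date -d "${1#notAfter=}" +%s)
  echo $(( (end_epoch - $2) / 86400 ))
}

# Live checks; only run when the script is invoked with --live.
run_live_checks() {
  status=$(systemctl status logstash 2>&1 || true)
  if is_active_running "$status"; then
    echo "[ok] logstash is active (running)"
  else
    echo "[!!] logstash is not running; try: sudo systemctl start logstash"
  fi
  if nc -z -w 5 "$SIEM_HOST" 443; then
    echo "[ok] TCP connection to $SIEM_HOST:443"
  else
    echo "[!!] cannot reach $SIEM_HOST:443; check outbound firewall/proxy rules"
  fi
  echo "[..] public IP (send to support if it changed): $(curl -4 -s ifconfig.co)"
  enddate=$(openssl x509 -in "$CERT_PATH" -noout -enddate 2>/dev/null) || \
    { echo "[!!] could not read certificate at $CERT_PATH"; return 1; }
  days=$(cert_days_left "$enddate" "$(date +%s)")
  if [ "$days" -lt 0 ]; then
    echo "[!!] certificate expired $(( -days )) day(s) ago"
  elif [ "$days" -lt 30 ]; then
    echo "[!!] certificate expires in $days day(s); renew soon"
  else
    echo "[ok] certificate valid for $days more day(s)"
  fi
  echo "[..] attach /var/log/logstash/logstash-plain.log to your support ticket"
}

case "${1:-}" in --live) run_live_checks ;; esac
```

Run it as `sh collector-check.sh --live` on the collector; without --live only the functions are defined.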