
Logging — WIND

Classification: CONFIDENTIAL — Internal Use Only

WIND (192.168.120.4) runs the ELK stack: Logstash ingests rsyslog streams from SKY and RAIN, Elasticsearch indexes and retains them, and Kibana provides search and dashboards.


Service Overview

Service             Port   Access
Logstash (input)    5140   192.168.120.0/23
Elasticsearch       9200   Management network (10.8.0.0/28)
Kibana              5601   Management network (10.8.0.0/28)

Log Pipeline

SKY rsyslog  ─┐
               ├──► TCP :5140 ──► Logstash ──► Elasticsearch ──► Kibana
RAIN rsyslog ─┘

SKY and RAIN each hold undelivered messages in a persistent rsyslog queue of 10,000 messages, so no logs are lost while WIND is briefly unavailable. The queue size bounds that protection: once a sender has 10,000 messages waiting, further messages are not retained, so an outage long enough to fill the queue does lose logs.


Index Retention (90 days, daily rotation)

Index                        Contents
wdc-logs-YYYY.MM.DD          All logs
dns-logs-YYYY.MM.DD          BIND named logs
dhcp-leases-YYYY.MM.DD       ISC DHCP lease events (CIS 1.3)
auth-logs-YYYY.MM.DD         SSH and sudo auth (CIS 5.2)
firewall-drops-YYYY.MM.DD    iptables/firewalld drops (CIS 12.1)
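The pipeline and the index table above describe a routing: every forwarded syslog line is indexed in the daily wdc-logs index, and lines from named, dhcpd, sshd/sudo and the kernel's firewall LOG rule additionally land in their own daily index, each of which is kept for 90 days. The following Python is an added illustration of that routing and of the retention rule, written for this page; it is not the Logstash pipeline or the Elasticsearch retention policy deployed on WIND, neither of which is shown here. The syslog tags it matches on (named, dhcpd, sshd, sudo, kernel) and the assumption that the iptables LOG prefix contains "DROP" are assumptions, and all sample log lines and index names are constructed.

```python
"""Model of WIND's log routing and index retention.

Added example for this page, not the Logstash pipeline or Elasticsearch
retention policy deployed on WIND. The routing rules and the "DROP" LOG
prefix are assumptions; every sample line and index name is constructed.
"""
import re
from datetime import date, datetime, timedelta

RETENTION_DAYS = 90
INDEX_FAMILIES = ("wdc-logs", "dns-logs", "dhcp-leases", "auth-logs", "firewall-drops")

# RFC 3164 line as rsyslog's default forwarding template emits it:
#   <PRI>Mon DD HH:MM:SS host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<msg>.*)$"
)
INDEX_RE = re.compile(r"^(?P<family>[a-z-]+)-(?P<day>\d{4}\.\d{2}\.\d{2})$")

# Constructed sample input; not real traffic from SKY or RAIN.
SAMPLE_LINES = [
    "<38>Mar 14 09:12:01 SKY sshd[2211]: Failed password for invalid user admin from 192.168.121.77 port 50122 ssh2",
    "<30>Mar 14 09:12:03 RAIN dhcpd: DHCPACK on 192.168.120.55 to 00:11:22:33:44:55 via eth0",
    "<85>Mar 14 09:12:05 SKY sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart named",
    "<6>Mar 14 09:12:07 RAIN kernel: [12345.678901] IPT-DROP: IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.120.4 PROTO=TCP DPT=9200",
    "<30>Mar  4 00:00:01 SKY named[901]: client @0x7f3a1c0012e0 192.168.120.55#53120 (host.example.internal): query: host.example.internal IN A + (192.168.120.2)",
    "<30>Dec 31 23:59:59 RAIN dhcpd: DHCPRELEASE of 192.168.120.60 from 00:11:22:33:44:66 via eth0",
]
SAMPLE_INDICES = [
    "wdc-logs-2025.12.13", "wdc-logs-2025.12.14", "wdc-logs-2025.12.15",
    "auth-logs-2026.03.14", "dns-logs-2025.11.30",
    ".kibana_1",                   # not one of our families: never touched
    "firewall-drops-2026.02.31",   # impossible date: never touched
]
TODAY = date(2026, 3, 14)         # receiving day for the March samples
YEAR_BOUNDARY = date(2026, 1, 1)  # receiving day for the Dec 31 sample


def _index_day(ts: str, received: date) -> date:
    """RFC 3164 timestamps carry no year: assume the receiving year, rolling
    back one year when the line is dated later in the year than its receipt."""
    parsed = datetime.strptime(f"{received.year} {ts}", "%Y %b %d %H:%M:%S")
    if parsed.month > received.month:
        parsed = parsed.replace(year=received.year - 1)
    return parsed.date()


def route(line: str, received: date) -> list[str]:
    """Daily indices a forwarded syslog line lands in: always wdc-logs, plus the
    dedicated index for the sources in the index table. Unparseable lines still
    go to wdc-logs, dated by receipt, so nothing is silently dropped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return [f"wdc-logs-{received:%Y.%m.%d}"]
    try:
        day = _index_day(m["ts"], received)
    except ValueError:            # e.g. "Feb 29" in a non-leap year
        day = received
    suffix = day.strftime("%Y.%m.%d")
    indices = [f"wdc-logs-{suffix}"]
    tag, msg = m["tag"], m["msg"]
    if tag == "named":
        indices.append(f"dns-logs-{suffix}")
    elif tag == "dhcpd":
        indices.append(f"dhcp-leases-{suffix}")
    elif tag in ("sshd", "sudo"):
        indices.append(f"auth-logs-{suffix}")
    elif tag == "kernel" and "DROP" in msg:   # assumed iptables LOG prefix
        indices.append(f"firewall-drops-{suffix}")
    return indices


def expired_indices(index_names, today: date) -> list[str]:
    """Indices outside the 90-day window ending today (90 daily indices kept).
    Only the documented families are considered and a name whose date does not
    parse is skipped: a retention job must never delete what it cannot identify."""
    cutoff = today - timedelta(days=RETENTION_DAYS)
    expired = []
    for name in index_names:
        m = INDEX_RE.match(name)
        if not m or m["family"] not in INDEX_FAMILIES:
            continue
        try:
            day = datetime.strptime(m["day"], "%Y.%m.%d").date()
        except ValueError:
            continue
        if day <= cutoff:
            expired.append(name)
    return sorted(expired)


if __name__ == "__main__":
    for line in SAMPLE_LINES[:5]:
        print(route(line, TODAY))
    print(route(SAMPLE_LINES[5], YEAR_BOUNDARY))
    print("expired:", expired_indices(SAMPLE_INDICES, TODAY))
```

Two choices in the example matter operationally. A line that fails to parse is still indexed (in wdc-logs, dated by receipt) rather than discarded, since a log pipeline that drops what it cannot understand is exactly what an attacker wants. The retention function only ever names indices from the five documented families with a valid date, so a stray system index such as .kibana_1, or a malformed name, is never a deletion candidate; a real cleanup job would then issue the deletes against port 9200 from the management network only.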

Post-Change Checklist

Mandatory after every config change

  1. Re-baseline AIDE in two steps, reviewing between them:
       sudo aide --update
       sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
     aide --update writes the new database to aide.db.new.gz and reports every difference from the current baseline. Check that only the files you intended to change are listed before running the mv: anything else in that list becomes part of the baseline and disappears from future checks. Do not chain the two commands with &&, because aide reports found differences through a non-zero exit status (1 to 7) for --update as for --check, so after a real change the mv would be skipped.
  2. Log change to /var/log/asset-inventory.log

See the full guide: sun-wind-monitoring-logging.md


Logging · v1.1 · 2026-03-14 · GPUS-IT · Classification: CONFIDENTIAL — Internal Use Only