Version Affected: 9.2+
How to configure Filebeat to use a proxy server when the IdP lacks a direct connection to the internet and access is only allowed via a proxy.
By default, Filebeat is configured to communicate directly with us-audit.secureauth.com on port 443. When direct access isn't available, Filebeat can be configured to use a SOCKS5 proxy server instead.
Note that Filebeat cannot use an HTTP proxy, which is the more common type, typically used by browsers. It must be a SOCKS5 proxy.
1. Stop the SecureAuth Filebeat service in the services.msc console.
2. Open the Filebeat configuration file in a text editor, located here:
C:\Program Files\SecureAuth Corporation\FileBeat\filebeat.yml
3. Locate the following section:
----------------------------- Logstash output --------------------------------
4. Below the line that says:
insert the following lines, replacing the IP address and port with the correct values for the environment:
# SOCKS5 proxy server URL
This is what the resulting file should look like:
5. Save the file and start the SecureAuth Filebeat service.
If Filebeat is configured to use an HTTP proxy instead of a SOCKS5 proxy then the following error will be seen in the Filebeat log:
ERROR pipeline/output.go:100 Failed to connect to backoff(async(tcp://us-audit.secureauth.com:443)): proxy: failed to read greeting from SOCKS5 proxy
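The error above means the proxy endpoint did not answer the SOCKS5 greeting. As an added example (not SecureAuth or Filebeat code), the following PowerShell function sends the greeting defined in RFC 1928 to a proxy and reports whether the reply is a SOCKS5 method selection. The function name, its parameters and the result strings are hypothetical.

```powershell
# Added example, not SecureAuth or Elastic code. Sends the RFC 1928 SOCKS5
# greeting to a proxy and reports whether the reply is a SOCKS5 method selection.
function Test-Socks5Greeting {
    param(
        [Parameter(Mandatory = $true)][string]$ProxyHost,
        [Parameter(Mandatory = $true)][int]$ProxyPort,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.SendTimeout = $TimeoutMs
        $client.ReceiveTimeout = $TimeoutMs
        $client.Connect($ProxyHost, $ProxyPort)
        $stream = $client.GetStream()

        # VER=0x05, NMETHODS=2, METHODS=0x00 (no auth) and 0x02 (username/password)
        [byte[]]$greeting = 0x05, 0x02, 0x00, 0x02
        $stream.Write($greeting, 0, $greeting.Length)

        # A SOCKS5 server answers with exactly two bytes: VER, METHOD
        $reply = New-Object byte[] 2
        $read = 0
        while ($read -lt 2) {
            $n = $stream.Read($reply, $read, 2 - $read)
            if ($n -le 0) { break }   # peer closed the connection
            $read += $n
        }

        if ($read -lt 2) { return 'NoGreeting: connection closed before a 2-byte reply' }
        if ($reply[0] -ne 0x05) {
            # An HTTP proxy that answers at all typically replies with text such as "HT..."
            return ('NotSocks5: first reply bytes 0x{0:X2} 0x{1:X2}' -f $reply[0], $reply[1])
        }
        switch ($reply[1]) {
            0x00    { 'Socks5: no authentication required' }
            0x02    { 'Socks5: username/password authentication required' }
            0xFF    { 'Socks5: proxy rejected the offered authentication methods' }
            default { 'Socks5: unexpected method 0x{0:X2}' -f $reply[1] }
        }
    }
    catch {
        # Refused connections and read timeouts (e.g. an HTTP proxy waiting for a request line)
        return "NoGreeting: $($_.Exception.Message)"
    }
    finally {
        $client.Close()
    }
}
# Usage (placeholders; use the proxy address and port entered in Step 4):
# Test-Socks5Greeting -ProxyHost '<proxy-ip>' -ProxyPort <proxy-port>
```

A result beginning with `Socks5:` indicates the endpoint speaks SOCKS5; `NotSocks5` or `NoGreeting` matches the condition behind the Filebeat error above.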
If a SOCKS5 proxy is not available for use then the only option is for Filebeat to use direct access, by removing the lines added in Step 4 above and configuring firewalls to allow direct access from the IdP to us-audit.secureauth.com on port 443.
For a full list of IP addresses to add to the allow list see here: