All documents via Cylance module are failing to extract fields

I'm trying to configure the Cylance module in Filebeat, but it is not extracting any fields from log messages, and all documents have the value dissect_parsing_error in the log.flags.

I have set up a filebeat collector like so:

filebeat.modules:
  - module: cylance
    protect:
      enabled: true
      var.input: tcp
      var.syslog_host: 0.0.0.0
      var.syslog_port: 9508

In Cylance, I have set the Syslog/SIEM to other, protocol to TCP, IP to the Filebeat machine, port to 9508 and am able to send events to the machine.

The logs appear in this format:

<44>1 2021-01-26T22:08:12.478000Z sysloghost CylancePROTECT - - - Event Type: ScriptControl, Event Name: Alert, Device Name: device-hostname, File Path: c:\somefile.vbs, SHA256: <redacted>, Interpreter: ActiveScript, Interpreter Version: 1.0.0.0, Zone Names: (), User Name: username, Device Id: device-guid, Policy Name: policyname

Note: All other event types fail to process as well

In the beats repository the logs appear to be different to what I am seeing from CylancePROTECT (note everything before "CylancePROTECT Event Type" is different): https://github.com/elastic/beats/blob/2988c492f1cfad82c2a72fdb77a0114259e92402/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json

I have tried all SIEM application types in Cylance, and all exhibit the same issues.

It seems that processing for Cylance logs is being done by the Filebeat agent instead of Elasticsearch as well, so I can only see a couple options to resolve this, but wanted to check whether I am missing something:

  1. Modify the module config at the filebeat agent to support the log format that Cylance is actually sending (these files https://github.com/elastic/beats/tree/2988c492f1cfad82c2a72fdb77a0114259e92402/x-pack/filebeat/module/cylance/protect/config)
  2. Create an ingest pipeline to replicate the filebeat processor and apply it to everything from the filebeat agent
  3. I am misunderstanding the module and it is not actually receiving events from CylancePROTECT itself and is getting them from something else
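As an added example (neither the Filebeat module's own dissect pattern nor code from the poster), here is a small Python parser for the RFC 5424 style line quoted above; it shows which header and "Key: value" body fields a modified module config or a replacement ingest pipeline would have to extract. The sample line and its placeholder values are constructed to match the posted format.

```python
"""Parse a CylancePROTECT syslog line in the RFC 5424 layout shown in the post.

Added example, not Filebeat module code. On a header mismatch it returns the
same kind of marker dissect sets (dissect_parsing_error) so the failure mode
in the question is visible in the output.
"""
import re
from datetime import datetime, timezone

# Constructed sample with the same layout as the posted line; SHA256, names
# and GUIDs are placeholders.
SAMPLE = ("<44>1 2021-01-26T22:08:12.478000Z sysloghost CylancePROTECT - - - "
          "Event Type: ScriptControl, Event Name: Alert, Device Name: device-hostname, "
          "File Path: c:\\somefile.vbs, SHA256: <redacted>, Interpreter: ActiveScript, "
          "Interpreter Version: 1.0.0.0, Zone Names: (), User Name: username, "
          "Device Id: device-guid, Policy Name: policyname")

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$"
)


def parse_cylance_syslog(line: str) -> dict:
    """Return syslog header fields plus one entry per 'Key: value' pair in the body."""
    m = HEADER_RE.match(line)
    if not m:
        # Header does not match: flag the event and keep the raw message only.
        return {"flags": ["dissect_parsing_error"], "message": line}
    pri = int(m["pri"])
    out = {
        "syslog_facility": pri >> 3,  # 44 -> 5
        "syslog_severity": pri & 7,   # 44 -> 4 (warning)
        "timestamp": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
        .replace(tzinfo=timezone.utc),
        "hostname": m["host"],
        "appname": m["app"],
    }
    # The body is a comma-separated list of 'Key: value' pairs; split each pair
    # on its first ': ' so values that themselves contain ':' (paths) survive.
    for pair in m["msg"].split(", "):
        key, sep, value = pair.partition(": ")
        if sep:
            out[key.strip()] = value.strip()
    return out
```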
