ArcSight and CEF Modules

I'm trying to understand the connection between the Logstash ArcSight and Filebeat CEF Modules. From what I've gathered from the documentation for each, the Logstash ArcSight module will set up and configure dashboards in Kibana to analyze security data pulled in from ArcSight, but it doesn't seem to do any mapping to the Elastic Common Schema. The Filebeat CEF Module, however, does convert CEF-formatted data into the ECS, which would enable the use of the SIEM and Machine Learning plugins. Is it an either/or proposition, or is it possible to take advantage of both by pushing data from ArcSight via the CEF module to Logstash and then to the cluster? Does one negate the need for the other? I can't seem to find any information that links the two together and I'm just trying to get my head around it.
