Arcsight Logs do not Ouput to Kibana

vaz1108 · July 7, 2017, 7:56pm

Hi Experts,

I need some help. I have configure a conf file for logstash to listen on port 8443 to received ArcSight logs on cef format. I can see the connection from the Archsight connector to the the elk server via tcpdump. However, I can't see the logs been received by logstash.
Logstash cof file:

input {
tcp {
# The delimiter config used is for TCP interpretation
codec => cef { delimiter => "\r\n"}
port => 8443
type => syslog
}
}

filter {

To map the attacker Geo IP if plausible

geoip {
source => "sourceAddress"
target => "source"
}

To map the target Geo IP if plausible

geoip {
source => "destinationAddress"
target => "destination"
}

To map the log producing device Geo IP if plausible

geoip {
source => "deviceAddress"
target => "device"
}

}

output {

elasticsearch {
template_name => "cef"
template => "/etc/logstash/cef_template.json"
template_overwrite => false
index => "cef-%{+YYYY.MM.dd}"
#password => "changeme"
#user => "elastic"
}

magnusbaeck · July 11, 2017, 3:09pm

Have you tried simplifying the setup by using a stdout { codec => rubydebug } output instead of the elasticsearch output? Have you looked in the Logstash logs for clues?

system · August 8, 2017, 3:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need to config codec-cef as output Logstash	1	869	October 22, 2017
ArcSight module CEF input parsing (over TCP) [SOLVED] Logstash	1	534	August 8, 2019
Sending logs from Logstash to ArcSight via Syslog CEF Logstash	3	2526	March 28, 2019
Logstash CEF output 5.x vs 2.x Logstash	3	760	April 18, 2017
Output CEF Logstash	1	1748	December 25, 2017

Arcsight Logs do not Ouput to Kibana

To map the attacker Geo IP if plausible

To map the target Geo IP if plausible

To map the log producing device Geo IP if plausible

Related topics