ArcSight module CEF input parsing (over TCP) [SOLVED]

Good afternoon folks! I do not know if what I had found works for myself (only) is something really useful for everyone, or it just dipends from the particular environment I'm working in. Anyway, I'm going to share it with you all: take what might be of interest :wink:

Using the stack for log management, I was moving from ArcSight events ingestion in UDP to a TCP flow (using Logstash). I've encountered several corrupted parsed events (investigated on Kibana). There were a clear mismatch betweeen field and value (in example, the field "OS" containing an IPv4 or other random/insignificant log snippet). So, I tried to use the following parser, obtained from the Elasticsearch ArcSight module
input { tcp { codec => cef { delimiter => "\r\n" } port => xzy } }
This code portion never worked for me (the module never parsed/showed an event, like wasn't running at all). So I've extracted a network dump of the TCP streaming I was receiving (from ArcSight to Logstash), and I found that only \n was needed from Logstash to correctly parse the TCP-CEF flow:
input { tcp { codec => cef { delimiter => "\n" } port => xzy } }
This change solved the parsing problem for me. Hope this could help anyone else.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.