Hi all,
I am using the Custom UDP integration to do CEF log ingestion. I cannot use the CEF integration due to limitations of that integration. The decode_cef processor is not available in the pipelines. What is the best way to do CEF parsing with the Custom UDP integration without writing a costly and detailed custom pipeline?
decode_cef is a Filebeat processor, not an ingest processor; to use it in the Custom UDP integration you need to add it to the Processors list in the Advanced options section.
What limitations? The Custom CEF integration is basically a custom tcp, custom udp or custom log integration with some built-in processors, like a rename to rename message into event.original and a decode_cef processor.
The udp input for the Custom CEF integration is defined here.
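As an added example (not from the original posts, and not the Custom CEF integration's own definition), this is what the two replies above amount to when typed into the Processors box under Advanced options of a Custom UDP integration: a Beats `rename` of `message` into `event.original`, followed by the Beats `decode_cef` processor. The assumption is that the UDP input leaves the raw syslog line in `message`; the `ignore_missing`/`ignore_failure` settings are my choice so that a malformed line is kept rather than dropped.

```yaml
# Added example, not from the original thread.
# Beats (agent-side) processors for the "Processors" field of a
# Custom UDP integration; these are NOT ingest pipeline processors.
# Assumes the raw line arrives in "message", as the replies above describe.
- rename:
    fields:
      - from: message
        to: event.original
    ignore_missing: true
    fail_on_error: false
- decode_cef:
    # parse the CEF line kept in event.original
    field: event.original
    # parsed CEF header/extensions land under "cef.*"; ECS fields are
    # populated as well by the processor's default ecs: true
    target_field: cef
    ignore_missing: true
    # keep the event (with event.original intact) if the line is not valid CEF
    ignore_failure: true
```

Because these run on the agent, they apply regardless of which index template or ingest pipeline the chosen dataset name ends up matching, which is the difference from a pipeline-based decode.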
Can you share the agent configuration after you created it? You normally have the option to add a custom ingest pipeline in all integrations, but sometimes this only shows up after the integration is created.
Also, if you use a custom dataset name like logs-custom.dataset-namespace, you need to have a custom template where you can set a custom ingest pipeline.
I opened a case to support about it. The problem seems related to this:
Basically, whenever we change the dataset name to something that the default index template (logs-cef.log), with index pattern logs-cef.log-*, doesn't cover, that dataset/those indices will never get the expected ingest pipelines.
I tried to change the dataset name to something that can match the index pattern, for example: logs-cef.log-prod. By doing this, the agent stopped ingesting events. Only by renaming the dataset name back to cef.log did events start coming in again. I had no problems with the Custom UDP integration.