Good afternoon, all! I first have to say I am very new to ElasticSearch, so I would appreciate some assistance here.
I have a firewall that sends a few different types of logs for the same event, but in a different category. For instance, if someone connects to a site of ours on port 443, I will see something similar to the following (truncated):
That is fine and dandy, but this does not show what the actual firewall did with the event. The firewall event is a separate log message resembling something like:
I would like to be able to search for (and display) the combined event details so I can not only see the source and destination details, but whether or not the connection was allowed or blocked by the firewall. All related events share a common "session_id" that I would think we could pivot on, but I am not sure how to do this. Any ideas?
Thank you all in advance for the assistance!
EDIT: To note... this is all in the same index.
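One way to do the session_id pivot, as an added example that is not part of the original post: it builds the terms/top_hits search body that groups every document in the index by session_id, flattens the response, and merges each group into one record client-side so the traffic details and the firewall verdict appear together. The documents and every field name other than session_id (event_type, action, src_ip, dst_ip, dst_port) are constructed assumptions about the firewall's log format.

```python
# Added example (not from the original post): pivot traffic and firewall
# events on session_id. Documents are constructed; every field name except
# "session_id" is an assumption about the firewall's log format.
from collections import defaultdict

SAMPLE_HITS = [  # constructed documents, all in the same index
    {"session_id": "abc123", "event_type": "traffic", "src_ip": "203.0.113.5",
     "dst_ip": "198.51.100.10", "dst_port": 443},
    {"session_id": "abc123", "event_type": "firewall", "action": "allow"},
    {"session_id": "def456", "event_type": "traffic", "src_ip": "203.0.113.9",
     "dst_ip": "198.51.100.10", "dst_port": 443},
    {"session_id": "def456", "event_type": "firewall", "action": "deny"},
    {"session_id": "ghi789", "event_type": "traffic", "src_ip": "203.0.113.7",
     "dst_ip": "198.51.100.10", "dst_port": 22},  # no firewall verdict logged
]

def pivot_query(max_sessions: int = 100) -> dict:
    """Search body giving one bucket per session_id with its raw events.
    terms aggs need a keyword field: use "session_id.keyword" if mapped text."""
    return {
        "size": 0,
        "aggs": {"by_session": {
            "terms": {"field": "session_id", "size": max_sessions},
            "aggs": {"events": {"top_hits": {"size": 10}}},
        }},
    }

def hits_from_response(resp: dict) -> list:
    """Flatten the aggregation response back into a list of _source docs."""
    buckets = resp["aggregations"]["by_session"]["buckets"]
    return [h["_source"] for b in buckets for h in b["events"]["hits"]["hits"]]

def merge_by_session(hits: list) -> dict:
    """Fold all events sharing a session_id into one record. A session with
    no firewall event keeps action "unknown", so gaps do not look allowed."""
    sessions = defaultdict(lambda: {"action": "unknown"})
    for hit in hits:
        rec = sessions[hit["session_id"]]
        rec["session_id"] = hit["session_id"]
        if hit.get("event_type") == "traffic":
            rec.update({k: hit[k] for k in ("src_ip", "dst_ip", "dst_port") if k in hit})
        elif hit.get("event_type") == "firewall":
            rec["action"] = hit.get("action", "unknown")
    return dict(sessions)

if __name__ == "__main__":
    for sid, rec in merge_by_session(SAMPLE_HITS).items():
        print(sid, rec)
```

Send `pivot_query()` as the body of a `_search` against the index, pass the JSON response to `hits_from_response`, and feed the result to `merge_by_session`; sessions whose record still says "unknown" are the ones the firewall never logged a verdict for.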