Hi All,
We currently use ELK in the following way
winbeats,filebeats,syslog -> logstash ingest nodes -> kafka cluster -> logstash grok nodes -> Elastic cluster
We have a requirement to send winbeats logs to our security SIEM and they are after the Raw windows events logs.
for filebeats and syslog we are subscribing to our kafka bus to send the appropriate data but for windows events logs this is not the same as sending the raw event log.
My question is has anyone written some logstash rules to convert the winbeats logs back to a raw event i could send via a tcp stream to our SIEM.
The other option we have which is a bit more work is to setup a WEC for our windows server events and split a stream to SIEM and ELK from here but would prefer if we can send via our current collection method.
Any suggestions appreciated.
Thanks in advance