I have a custom app with authentication logs (consisting of login success or failure activities, and logout activities). Can I ingest these logs directly into log.system.auth-*?
After ingesting directly into log.system.auth-*, will the prebuilt Detection Rules work, i.e. those authentication-related rules?
No, you should not ingest custom logs into the logs-system.auth data stream. This data stream is used by the System integration in Elastic Agent to get logs from the system and parse them.
It expects specific types of messages.
For custom logs you should use a custom data stream, depending on how you will get your data and send it to Elasticsearch.
If you provide more context on where your data is and how you plan to get it, it may be possible to give directions on how to do it.
Hi Leandro, thanks for the advice on "logs-system.auth".
So far the customer has only mentioned that the "custom app" sends authentication logs to NXLog, and then NXLog connects directly to the Elasticsearch API (sending in JSON format).
Basically, the customer wants to utilize the existing index (data source) to run Security Detection rules (related to authentication); they don't want to create custom rules (for their custom app).
But I guess this is not a good way, as I checked the existing prebuilt Detection rules (related to authentication) and they are mainly used for the Windows or Linux platform.
For the proper way, we should have a custom app data stream, then duplicate the existing rules (related to authentication), then modify the query to run on the custom app data stream, right?
That's not how things work. If this is custom data, it should go into a custom data stream. The System data stream is used to hold System logs from Windows or Linux; putting custom data in these indices may lead to issues and impact the data being collected from System, if it exists.
The pre-built detection rules are created targeting specific data; the system ones will look for system events from Windows or Linux.
Yes, you should ingest the data into a custom data stream and then create a custom detection rule looking at this data. You do not need to duplicate an existing rule; it may be easier to create one from scratch.
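To illustrate the approach recommended above, here is an added example (not code from the thread or from Elastic): it maps constructed NXLog-style JSON auth events to ECS fields, builds a `_bulk` body for an assumed custom data stream `logs-customapp.auth-default`, and produces the request body for a threshold detection rule (Kibana `POST /api/detection_engine/rules`) that flags repeated login failures per user. The raw field names (`ts`, `user`, `src`, `action`, `result`) are assumptions about the app's log format.

```python
import json

# Assumed custom data stream name; any logs-<dataset>-<namespace> name works with the built-in logs template.
DATA_STREAM = "logs-customapp.auth-default"

# Constructed sample events in a shape NXLog might forward as JSON (field names are assumptions).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "user": "alice", "src": "10.0.0.5", "action": "login", "result": "ok"},
    {"ts": "2024-05-01T10:00:05Z", "user": "bob", "src": "10.0.0.9", "action": "login", "result": "fail"},
    {"ts": "2024-05-01T10:01:00Z", "user": "alice", "src": "10.0.0.5", "action": "logout", "result": "ok"},
]

def to_ecs(raw):
    """Map one custom app event to ECS fields so a KQL detection rule can target it."""
    outcome = "success" if raw["result"] == "ok" else "failure"
    event_type = "start" if raw["action"] == "login" else "end"
    return {
        "@timestamp": raw["ts"],
        "event": {"category": ["authentication"], "type": [event_type],
                  "action": raw["action"], "outcome": outcome},
        "user": {"name": raw["user"]},
        "source": {"ip": raw["src"]},
        "data_stream": {"type": "logs", "dataset": "customapp.auth", "namespace": "default"},
    }

def bulk_body(events):
    """Build an Elasticsearch _bulk body; data streams only accept the 'create' action."""
    lines = []
    for raw in events:
        lines.append(json.dumps({"create": {"_index": DATA_STREAM}}))
        lines.append(json.dumps(to_ecs(raw)))
    return "\n".join(lines) + "\n"

def failed_login_rule(threshold=5):
    """Threshold rule body: alert when one user.name has >= threshold failures in the rule window."""
    return {
        "rule_id": "customapp-auth-bruteforce",
        "name": "Custom app: repeated failed logins",
        "description": "Multiple authentication failures for a single user in the custom app.",
        "type": "threshold",
        "index": ["logs-customapp.auth-*"],
        "language": "kuery",
        "query": "event.category:authentication and event.outcome:failure",
        "threshold": {"field": ["user.name"], "value": threshold},
        "from": "now-6m", "interval": "5m",
        "severity": "medium", "risk_score": 47, "enabled": True,
    }
```

Send `bulk_body(SAMPLE_EVENTS)` to `POST /_bulk` and `failed_login_rule()` to the Kibana rules API; the rule never touches `logs-system.auth-*`, so the System integration's data stays isolated.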