ELK siem and audit log source options

Hi everyone,

I am considering to try out ELK siem with audit logs but it appears the source of the audit logs has to be through auditbeat daemon provided by ELK, but i have my own daemon with additional functionalities that i need to solve some of the challenges that my environment brings in, so i have to be able to use my own daemon for this set up.

I was wondering if it is it possible for me to use my own daemon as a log source instead of auditbeat.

kind regards

Welcome to the community!

Yes you can, but you'll need to have the data written in ECS format to get the most out the SIEM. You could start with the SIEM fields here
(https://www.elastic.co/guide/en/siem/guide/current/siem-field-reference.html) or take a look at the auditbeat fields (https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields.html) as a guideline to rename your custom data. Custom field guidelines for ECS (for data not currently covered by ECS) can be found here (https://www.elastic.co/guide/en/ecs/current/ecs-custom-fields-in-ecs.html)


Dain Perkins
SA @ Elastic

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.