ELK SIEM and audit log source options

Hi everyone,

I am considering trying out ELK SIEM with audit logs, but it appears the source of the audit logs has to be the Auditbeat daemon provided by ELK. However, I have my own daemon with additional functionality that I need in order to solve some of the challenges my environment brings, so I have to be able to use my own daemon for this setup.

I was wondering if it is possible for me to use my own daemon as a log source instead of Auditbeat.

Kind regards

Altug_Bozkurt,
Welcome to the community!

Yes, you can, but you'll need to have the data written in ECS format to get the most out of the SIEM. You could start with the SIEM fields here (https://www.elastic.co/guide/en/siem/guide/current/siem-field-reference.html) or take a look at the Auditbeat fields (https://www.elastic.co/guide/en/beats/auditbeat/current/exported-fields.html) as a guideline for renaming your custom data. Custom field guidelines for ECS (for data not currently covered by ECS) can be found here (https://www.elastic.co/guide/en/ecs/current/ecs-custom-fields-in-ecs.html).

Thanks
-d

Dain Perkins
SA @ Elastic
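As an added example of what the answer above describes, here is a small Python mapper that takes a custom audit daemon's own records and emits ECS-shaped documents plus a `_bulk` body for Elasticsearch. This is not Elastic's code and not the poster's daemon: the input record layout, the `mydaemon.*` custom namespace, the index name and the pinned ECS version are all assumptions. The ECS field names it writes (`event.*`, `host.*`, `user.*`, `process.*`, `file.*`, `source.*`) are standard ECS fields, and anything ECS does not define is kept under its own top-level namespace rather than mixed into an ECS field set, which is the point of the custom-field guideline.

```python
"""Shape a custom audit daemon's records into ECS documents for Elastic SIEM.

Added example; not code from Elastic or from the poster's daemon. The input
record layout (the hypothetical `mydaemon` JSON objects), the `mydaemon.*`
custom namespace, the index name and the ECS version pinned below are all
assumptions. The ECS field names themselves are standard ECS fields.
"""
import json
import os
from datetime import datetime, timezone

ECS_VERSION = "1.6.0"          # assumed target ECS version
CUSTOM_NAMESPACE = "mydaemon"  # custom top-level field set, per ECS guidance

# Constructed sample input: three events in the hypothetical daemon's own format.
SAMPLE_RECORDS = [
    {"ts": 1592920000, "kind": "exec", "host": "web-01", "uid": 1000, "user": "alice",
     "pid": 4242, "ppid": 1, "exe": "/usr/bin/curl",
     "argv": ["curl", "-s", "http://169.254.169.254/"], "cwd": "/home/alice",
     "ticket": "CHG-7", "policy": "egress-watch"},
    {"ts": 1592920005, "kind": "login", "host": "web-01", "uid": 0, "user": "root",
     "result": "fail", "src": "203.0.113.9", "ticket": None, "policy": "ssh-watch"},
    {"ts": 1592920010, "kind": "file_write", "host": "web-01", "uid": 1000,
     "user": "alice", "pid": 4300, "path": "/etc/cron.d/backdoor", "policy": "cron-watch"},
]

# Daemon event kind -> ECS categorization. event.category and event.type are arrays.
KIND_MAP = {
    "exec": (["process"], ["start"]),
    "login": (["authentication"], ["start"]),
    "file_write": (["file"], ["change"]),
}

# ECS field sets this mapper may emit at the top level, plus the custom namespace.
ALLOWED_TOP_LEVEL = {"@timestamp", "ecs", "event", "host", "user", "process",
                     "file", "source", "message", CUSTOM_NAMESPACE}


def to_ecs(rec):
    """Convert one daemon record into an ECS-shaped document."""
    category, etype = KIND_MAP[rec["kind"]]
    doc = {
        "@timestamp": datetime.fromtimestamp(rec["ts"], tz=timezone.utc).isoformat(),
        "ecs": {"version": ECS_VERSION},
        "event": {"kind": "event", "category": category, "type": etype,
                  "action": rec["kind"], "module": CUSTOM_NAMESPACE,
                  "dataset": CUSTOM_NAMESPACE + ".audit"},
        "host": {"name": rec["host"], "hostname": rec["host"]},
        "user": {"name": rec["user"], "id": str(rec["uid"])},
    }
    if "pid" in rec:
        proc = {"pid": rec["pid"]}
        if "exe" in rec:
            proc["executable"] = rec["exe"]
            proc["name"] = os.path.basename(rec["exe"])
        if "argv" in rec:
            proc["args"] = rec["argv"]
            proc["command_line"] = " ".join(rec["argv"])
        if "cwd" in rec:
            proc["working_directory"] = rec["cwd"]
        if "ppid" in rec:
            proc["parent"] = {"pid": rec["ppid"]}
        doc["process"] = proc
    if rec["kind"] == "login":
        doc["event"]["outcome"] = "success" if rec["result"] == "ok" else "failure"
        doc["source"] = {"ip": rec["src"]}
    if "path" in rec:
        doc["file"] = {"path": rec["path"]}
    # Fields ECS does not define go under their own namespace, never inside an
    # ECS field set such as process.* or user.*.
    custom = {k: rec[k] for k in ("ticket", "policy") if rec.get(k) is not None}
    if custom:
        doc[CUSTOM_NAMESPACE] = custom
    return doc


def validate(doc):
    """Return a list of problems; an empty list means the document is SIEM-ready."""
    problems = []
    for path in ("@timestamp", "ecs.version", "event.kind", "event.category", "event.type"):
        cur = doc
        for part in path.split("."):
            cur = cur.get(part) if isinstance(cur, dict) else None
        if cur is None:
            problems.append("missing " + path)
    for key in doc:
        if key not in ALLOWED_TOP_LEVEL:
            problems.append("non-ECS top-level field: " + key)
    return problems


def to_bulk_ndjson(docs, index):
    """Build a _bulk request body (one action line plus one document line per event)."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ecs_docs = [to_ecs(r) for r in SAMPLE_RECORDS]
    for d in ecs_docs:
        assert validate(d) == [], validate(d)
    print(to_bulk_ndjson(ecs_docs, "mydaemon-audit"), end="")
```

The SIEM app only reads the index patterns listed in the Kibana advanced setting `siem:defaultIndex` (by default the Beats patterns), so an index such as the assumed `mydaemon-audit` has to be added there before these documents show up in the SIEM views; the `validate` check is there to catch the two mistakes that most often make custom data invisible or unsearchable in those views, a missing `event.kind`/`event.category`/`event.type` and stray non-ECS fields at the top level.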
