I installed Security Onion with ELK to monitor an enterprise network. I want to send Cisco firewall logs, IPS, F5 and antivirus logs to Logstash. I've already sent them; however, I'm facing two issues.
1- None of them are parsed correctly (I've done nothing to parse them). I just sent them as syslog and now they are searchable in the message field. How can I parse them all at once?
2- The ELK IDS with Zeek and the others do not know that they are antivirus logs or firewall logs; the system doesn't correlate them to generate alerts or anything. I searched for plugins that support these systems but found nothing. How can I make them known to the IDS so it takes them into consideration before making an alert, like a SIEM? What am I missing here?
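As an added example (not part of this thread, and not Security Onion's or Logstash's own code), the sketch below shows the two pieces the question is asking for: a per-source parser selected by a prefix in the syslog message that writes every source into one shared set of field names, and a correlation rule that only works because those shared fields exist. The Cisco ASA patterns follow Cisco's documented 302013 (connection built) and 106023 (ACL deny) message formats; the antivirus line is a hypothetical key=value format invented here, F5 is left out, all sample lines are constructed, and the syslog year is assumed since BSD syslog timestamps do not carry one.

```python
"""Classify raw syslog lines by source, parse each into common field names,
then run a cross-source correlation rule over the structured events."""
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real captures). ASA lines follow Cisco's
# 302013/106023 formats; the "avserver:" line is a hypothetical AV format.
SAMPLE_LOGS = [
    '<166>Jun 12 10:00:01 fw01 %ASA-6-302013: Built outbound TCP connection 44221 '
    'for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.0.2.10/51234 (198.51.100.1/51234)',
    '<164>Jun 12 10:00:03 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 '
    'dst inside:192.0.2.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]',
    '<134>Jun 12 10:00:20 av01 avserver: event=threat_detected host=192.0.2.10 '
    'threat=Trojan.Generic action=quarantined',
]

SYSLOG_RE = re.compile(r'^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$')
ASA_CONN_RE = re.compile(
    r'%ASA-\d-302013: Built (?P<dir>inbound|outbound) TCP connection \d+ '
    r'for \S+:(?P<a_ip>[\d.]+)/(?P<a_port>\d+) \([^)]*\) '
    r'to \S+:(?P<b_ip>[\d.]+)/(?P<b_port>\d+) \([^)]*\)')
ASA_DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src \S+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst \S+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) by access-group "(?P<acl>[^"]+)"')
KV_RE = re.compile(r'(\w+)=(\S+)')

def parse_syslog_header(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # BSD syslog timestamps carry no year; the ingest year is assumed here.
    ts = datetime.strptime('2024 ' + m['ts'], '%Y %b %d %H:%M:%S')
    return {'@timestamp': ts, 'host.name': m['host'], 'message': m['msg']}

def parse_asa(ev):
    m = ASA_CONN_RE.search(ev['message'])
    if m:
        # ASA lists the outside (lower-security) endpoint first, so for an
        # outbound connection it is the destination, for inbound the source.
        outside = (m['a_ip'], int(m['a_port']))
        inside = (m['b_ip'], int(m['b_port']))
        src, dst = (outside, inside) if m['dir'] == 'inbound' else (inside, outside)
        ev.update({'event.module': 'cisco_asa', 'event.action': 'connection_built',
                   'source.ip': src[0], 'source.port': src[1],
                   'destination.ip': dst[0], 'destination.port': dst[1]})
        return ev
    m = ASA_DENY_RE.search(ev['message'])
    if m:
        ev.update({'event.module': 'cisco_asa', 'event.action': 'deny',
                   'network.transport': m['proto'],
                   'source.ip': m['src_ip'], 'source.port': int(m['src_port']),
                   'destination.ip': m['dst_ip'], 'destination.port': int(m['dst_port']),
                   'rule.name': m['acl']})
        return ev
    return None

def parse_antivirus(ev):
    # Hypothetical key=value antivirus format, used for this example only.
    kv = dict(KV_RE.findall(ev['message']))
    if kv.get('event') != 'threat_detected':
        return None
    ev.update({'event.module': 'antivirus', 'event.action': 'threat_detected',
               'host.ip': kv['host'], 'threat.name': kv['threat'],
               'event.outcome': kv.get('action', 'unknown')})
    return ev

# Dispatch on a message prefix: one parser per source, all writing the same field names.
PARSERS = {'%ASA-': parse_asa, 'avserver:': parse_antivirus}

def parse_line(line):
    ev = parse_syslog_header(line)
    if ev is None:
        return None
    for prefix, parser in PARSERS.items():
        if ev['message'].startswith(prefix):
            parsed = parser(ev)
            if parsed:
                return parsed
    ev['event.module'] = 'unparsed'  # still searchable, but tagged for follow-up
    return ev

def correlate(events, window=timedelta(seconds=60)):
    """Alert when an AV detection on a host follows a firewall deny aimed at
    that host within the window. With shared fields this is a two-key join."""
    alerts = []
    denies = [e for e in events if e.get('event.action') == 'deny']
    for av in (e for e in events if e.get('event.action') == 'threat_detected'):
        for d in denies:
            if d['destination.ip'] == av['host.ip'] and \
               timedelta(0) <= av['@timestamp'] - d['@timestamp'] <= window:
                alerts.append({'rule': 'av_detection_after_fw_deny', 'host': av['host.ip'],
                               'attacker': d['source.ip'], 'threat': av['threat.name']})
    return alerts

def run(lines=SAMPLE_LOGS):
    events = [e for e in (parse_line(l) for l in lines) if e]
    return events, correlate(events)

if __name__ == '__main__':
    events, alerts = run()
    for e in events:
        print(e['event.module'], e.get('event.action'))
    print(alerts)
```

The shape carries over to a Logstash pipeline directly: a conditional on the message prefix (for example `if [message] =~ /^%ASA-/`) selects a grok filter per source, each grok writes to the same field names (source.ip, destination.ip, event.action), and a tag or module field records which parser claimed the event. Until the events have those shared fields, nothing downstream can join a firewall deny to an antivirus detection, which is the gap described in the second issue.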
Still need answers