Filebeat -> logstash -> SIEM

Hi,

I'm trying to put together a pilot with ELK plus QRadar. The ELK part works like a charm, but I have some issues on the QRadar side. It relies heavily on proper syslog fields, but unfortunately when I forward logs received on the beats input using logstash, important fields (like $srchost, $timestamp) are missing.

I thought it was no problem, I can put together a proper syslog message using the mutate filter, but it seems I cannot access fields in beats. Any idea for a proper mutate filter?

This is what I've tried:

```conf
filter {
  mutate {
    # first attempt, commented out: these field names do not exist on a beats event
    # add_field => ["syslogmsg", "<%{priority}>%{timestamp} %{logsource} %{program}[%{pid}]: %{message}"]
    add_field => ["syslogmsg", "<%{syslog.priority}>%{message}"]
  }
}
```

Thanks
L:
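One way to build the syslog line the SIEM expects, as an added example that is not part of the original post or of the Logstash project: a Beats event has no `timestamp`, `logsource` or `syslog.priority` field, and Logstash renders an unknown `%{field}` reference literally, which is why the message above arrives with those names still in it. The event time is in `@timestamp` (formatted with the `%{+...}` sprintf syntax) and the origin host in the nested `[host][name]` field. Assumptions, which are not from the post: Filebeat ships ECS-style `host.name` (older releases used `[beat][hostname]`), a fixed local0/info priority of 134 is acceptable, and `siem.example.internal:514` is a placeholder for the QRadar collector.

```conf
# Added example, not from the original post.
# Assumes Filebeat events carry [host][name] and @timestamp, and that the SIEM
# accepts one RFC 3164-style line per TCP record.
filter {
  mutate {
    add_field => {
      # origin host of the event (not the Logstash host), so the SIEM attributes
      # the event to the right source; use [beat][hostname] on older Filebeat
      "syslog_host" => "%{[host][name]}"
      "syslog_app"  => "filebeat"
      # PRI = facility * 8 + severity: local0 (16) * 8 + info (6) = 134
      "syslog_pri"  => "134"
    }
  }
  mutate {
    # compose "<PRI>Mmm dd HH:mm:ss HOST APP: MSG"; %{+...} formats @timestamp
    add_field => {
      "syslogmsg" => "<%{syslog_pri}>%{+MMM dd HH:mm:ss} %{syslog_host} %{syslog_app}: %{message}"
    }
  }
}

output {
  tcp {
    host  => "siem.example.internal"   # placeholder for the QRadar collector
    port  => 514
    codec => line { format => "%{syslogmsg}" }
  }
}
```

Before pointing this at the SIEM, it is worth adding a temporary `stdout { codec => rubydebug }` output to confirm the exact field names your Filebeat version produces, since a wrong name silently becomes a literal `%{...}` in the forwarded line rather than an error. Sending the original `[host][name]` instead of the Logstash host is what keeps source-based correlation in the SIEM meaningful.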
