I'm new to Elastic. I'm using filebeat v8.5 and I have enabled some modules, for example IIS, Checkpoint and a few others, which are working great. I would also like to create a new filebeat module for a specific device which is able to send syslog-JSON. Such a module doesn't exist (or at least I couldn't find it). What I don't know is how the configured modules make use of the right ingest pipeline on Elastic. What I found, for example in the IIS module config, are the config details of the pipeline that will be used when executing filebeat.exe with the 'setup' command, but I couldn't find where such a pipeline is defined in the module config itself.
Input example for UDP, and note all the common options are

```yaml
filebeat.inputs:
  - type: udp
    host: "0.0.0.0:9514"     # listen address (example value); required by the udp input
    pipeline: "my-pipeline"  # This will call your pipeline
```
If I were you I would get the input working first without a pipeline ... see what the data looks like and then work on the ingest pipeline. Pipelines take a few minutes of learning, but once you get the hang you will be fine. There are ways to test / simulate them etc.
Hope this helps you get started, ... so get started and come back with some more questions.
When you come back show us samples of your data and what you want and perhaps we can help.
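Following the advice above (get the input working, look at the data, then build and simulate the pipeline), here is an added example that is not from this thread: a Python script that parses a constructed syslog-JSON line the way an ingest pipeline would, and emits the equivalent pipeline definition plus a `_simulate` request body. The header layout, the target field names (`device`, `_tmp`) and the sample line are assumptions; `my-pipeline` is the name used in the input config above.

```python
import json
import re

# Constructed sample line: RFC 3164-style syslog header followed by a JSON body.
SAMPLE_LINE = '<134>Jan 12 10:15:32 fw01 device: {"event":"login","user":"alice","src_ip":"10.0.0.5"}'

# Assumed header layout; verify it against real samples from the device first.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:]+): (?P<body>\{.*\})$"
)

def parse_syslog_json(line: str) -> dict:
    """Local mirror of what the pipeline does, so the expected result is known up front."""
    m = HEADER_RE.match(line)
    if not m:
        # Never drop an event that fails to parse: keep the raw text and flag it.
        return {"message": line, "error": "header did not match"}
    doc = {
        "log": {"syslog": {"priority": int(m["pri"])}},
        "host": {"name": m["host"]},
        "process": {"name": m["app"].strip()},
    }
    try:
        doc["device"] = json.loads(m["body"])
    except json.JSONDecodeError as exc:
        doc["message"], doc["error"] = m["body"], f"json: {exc.msg}"
    return doc

def pipeline_definition() -> dict:
    """Body for PUT _ingest/pipeline/my-pipeline: grok the header, then parse the JSON."""
    grok = ("^<%{POSINT:log.syslog.priority:int}>%{SYSLOGTIMESTAMP:_tmp.ts} "
            "%{HOSTNAME:host.name} %{DATA:process.name}: %{GREEDYDATA:_tmp.body}$")
    return {
        "description": "Parse syslog header then the JSON payload",
        "processors": [
            {"grok": {"field": "message", "patterns": [grok]}},
            {"json": {"field": "_tmp.body", "target_field": "device"}},
            {"remove": {"field": "_tmp"}},
        ],
        # Keep failed events instead of losing them; the reason lands in error.message.
        "on_failure": [{"set": {"field": "error.message",
                                "value": "{{ _ingest.on_failure_message }}"}}],
    }

def simulate_request(lines) -> dict:
    """Body for POST _ingest/pipeline/_simulate?verbose=true to test against sample lines."""
    return {"pipeline": pipeline_definition(),
            "docs": [{"_source": {"message": line}} for line in lines]}
```

A date processor for the grokked `_tmp.ts` is left out here; with `verbose=true` the simulate response shows each processor's output, which is where to check that before deploying.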
Basically the module just internally does what I showed.. it sets the pipeline..
I have not looked specifically at the CEF module, but most likely when you see three like that, it calls the base pipeline and then with some processing it figures out if it needs to call one or both of the other pipelines.
You certainly can copy pipelines and edit them in Kibana
If you give samples of your audit logs, perhaps we can help.