I've set up a Filebeat -> Logstash -> Kibana workflow that has been working for the last 2 years.
In the most recent Elastic package versions, new features are available, such as Filebeat modules, Kibana SIEM, etc.
Some of the current log parsing can be done with those Filebeat modules, for example Apache, Nginx, etc. But ModSecurity, Postfix and other custom logs need to be parsed with Logstash grok filters.
As far as I know, the Osquery module (for example) needs to be shipped directly to ES, otherwise the Kibana SIEM will not identify the index / fields properly. But Filebeat only accepts one output definition, so other logs that depend on Logstash grok parsing will not be processed.
What is the best approach to be able to work with all kinds of logs?
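One way to keep a single Filebeat output while still using both module parsing and Logstash grok, as an added example that is not part of the original post: keep Logstash as Filebeat's only output and let Logstash forward module events to the Elasticsearch ingest pipeline they were meant for. It assumes a Filebeat version that sets `[@metadata][pipeline]` on events produced by modules, that the custom inputs are tagged with a hypothetical `log_type` field chosen here for illustration, and hypothetical hostnames `logstash.example.internal` and `es.example.internal`; the Postfix grok line is a minimal syslog split, not a full Postfix parser.

```conf
# --- filebeat.yml (assumed layout; adjust paths and hosts to your setup) ---
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml   # apache, nginx, osquery enabled via `filebeat modules enable ...`

filebeat.inputs:
  # Logs that still need Logstash grok: tag them so Logstash can tell them apart.
  # `log_type` is a hypothetical field name chosen for this example.
  - type: log
    paths: [/var/log/mail.log]
    fields: { log_type: postfix }
    fields_under_root: true
  - type: log
    paths: [/var/log/apache2/modsec_audit.log]
    fields: { log_type: modsecurity }
    fields_under_root: true

output.logstash:
  hosts: ["logstash.example.internal:5044"]   # the single output Filebeat allows

# --- /etc/logstash/conf.d/beats.conf ---
input {
  beats { port => 5044 }
}

filter {
  # Module events arrive with the name of the ingest pipeline Filebeat would
  # have used; leave them untouched so Elasticsearch does the parsing.
  if ![@metadata][pipeline] {
    if [log_type] == "postfix" {
      # Postfix writes syslog lines: "Jan 10 12:00:00 mail postfix/smtpd[1234]: ..."
      grok {
        match => { "message" => "%{SYSLOGBASE} %{GREEDYDATA:postfix_message}" }
      }
      date { match => ["timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss"] }
    }
    if [log_type] == "modsecurity" {
      # Existing ModSecurity grok filters go here, unchanged.
    }
  }
}

output {
  if [@metadata][pipeline] {
    # Module events: same index name and ingest pipeline Filebeat would use when
    # writing to ES directly, so the Kibana SIEM app sees the fields it expects.
    elasticsearch {
      hosts           => ["https://es.example.internal:9200"]
      index           => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      pipeline        => "%{[@metadata][pipeline]}"
      manage_template => false
    }
  } else {
    # Grok-parsed events: same index naming, no ingest pipeline.
    elasticsearch {
      hosts           => ["https://es.example.internal:9200"]
      index           => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      manage_template => false
    }
  }
}
```

The ingest pipelines and index templates that the modules rely on must already exist in Elasticsearch before Logstash starts referencing them; they are loaded from the Filebeat host with `filebeat setup` (for example `filebeat setup --pipelines --modules apache,nginx,osquery`), and because the running configuration points Filebeat at Logstash, that setup run needs to temporarily override the output, e.g. `-E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["es.example.internal:9200"]'`. Keeping `manage_template => false` in both outputs avoids Logstash overwriting the Filebeat template that the SIEM index patterns depend on.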