As I understand it, it's built on Filebeat. I've attempted to modify the configuration files manually to try to flick it over to TCP, but no luck.
Has anyone got any ideas or experience with this? Or is there a recommended workaround method where I could stand up a listener (preferably managed by Fleet if possible), that sits on the TCP port and forwards to the Fleet Agent's UDP listener port? (If not I'm thinking of trying to deploy an ArcSight SmartConnector to act as a forwarder, but I'd rather not have to go down that path.)
Thanks for your response. I've noticed a couple of stale issues on GitHub re. this matter from a few years back. Can't hurt to bring it to their attention again. It would make life so much easier.
Just an FYI to anyone who may stumble across this in future, I managed to find somewhat of a solution: Processors
Using the custom TCP Fleet integration, and adding the below decode_cef processors as per here, I've managed to start ingesting CEF logs via TCP.
You can utilize the built-in assets from the CEF integration, such as pipelines and dashboards, as well by modifying other integration parameters. And copy the index & mapping settings from the CEF package component templates to a custom one and set it in the integration settings.
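What changes for the receiver when CEF moves from UDP to TCP, as an added example (not from this thread and not Elastic's code): records arrive as a byte stream, so they have to be reassembled into lines before the CEF header and extensions can be decoded. Newline-delimited framing, the function names and the sample records are assumptions constructed for illustration.

```python
import re

# Header: 7 pipe-separated fields after "CEF:"; "\|" is an escaped pipe.
HEADER_KEYS = ["version", "device_vendor", "device_product", "device_version",
               "device_event_class_id", "name", "severity"]
_PIPE = re.compile(r"(?<!\\)\|")
# Extension: key=value pairs; a value runs until the next " key=" or end of line.
_EXT = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|\s*$)")


def split_frames(buffer: bytes):
    """Split a TCP byte stream on newlines; return (complete lines, leftover)."""
    *lines, rest = buffer.split(b"\n")
    return [ln.rstrip(b"\r") for ln in lines if ln.strip()], rest


def parse_cef(line: str) -> dict:
    """Parse one CEF record, ignoring any syslog prefix before 'CEF:'."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    parts = _PIPE.split(line[start + 4:], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    event = {k: v.replace("\\|", "|").replace("\\\\", "\\")
             for k, v in zip(HEADER_KEYS, parts)}
    ext = parts[7] if len(parts) > 7 else ""
    event["extensions"] = {k: v.replace("\\=", "=").replace("\\\\", "\\")
                           for k, v in _EXT.findall(ext)}
    return event


def feed(chunks):
    """Simulate successive TCP reads; a record may span chunk boundaries."""
    pending, events = b"", []
    for chunk in chunks:
        lines, pending = split_frames(pending + chunk)
        events += [parse_cef(ln.decode("utf-8", "replace")) for ln in lines]
    return events


# Constructed sample stream: two records, the first split across two reads.
SAMPLE_CHUNKS = [
    b"<134>Jan 01 00:00:00 fw01 CEF:0|Example|Fire\\|wall|1.0|100|Conn",
    b"ection denied|5|src=10.0.0.1 dst=10.0.0.2 msg=blocked by rule a\\=b\n"
    b"CEF:0|Example|Firewall|1.0|200|Login|3|suser=alice act=login ok\n",
]
```

Calling `feed(SAMPLE_CHUNKS)` returns two parsed events even though the first record arrived in two reads, which is the case a UDP listener never has to handle.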