Fleet Agent - CEF Integration - Is there any way to listen on TCP?

I'm ingesting CEF based logs from another SIEM and utilizing the "Common Event Format (CEF)" integration.

It is only able to receive CEF events via an input file or a UDP listener. There is no TCP listener option.

As I understand it, it's built on Filebeat. I've attempted to modify the configuration files manually to try to flick it over to TCP, but no luck.

Has anyone got any ideas or experience with this? Or is there a recommended workaround method where I could stand up a listener (preferably managed by Fleet if possible), that sits on the TCP port and forwards to the Fleet Agent's UDP listener port? (If not I'm thinking of trying to deploy an ArcSight SmartConnector to act as a forwarder, but I'd rather not have to go down that path.)

You will need to open an issue on GitHub in the integrations repository so Elastic can implement the TCP input in this integration.

I'm not sure it is possible to add a new input to an integration without releasing a new version of it.


Thanks for your response. I've noticed a couple of stale issues on github re. this matter from a few years back. Can't hurt to bring it to their attention again. It would make life so much easier.
Cheers!

Just an FYI to anyone who may stumble across this in future, I managed to find somewhat of a solution: Processors :partying_face:

Using the custom TCP Fleet integration, and adding the below decode_cef processors as per here, I've managed to start ingesting CEF logs via TCP.

You can also utilize the built-in assets from the CEF integration, such as pipelines and dashboards, by modifying other integration parameters. Copy the index and mapping settings from the CEF package component templates to a custom one and set it in the integration settings.

Processors JSON

[
  {
    "decode_cef": {
      "field": "message"
    }
  }
]
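The same idea expressed as a stand-alone Filebeat configuration, added here as an example and not taken from the poster's setup: a TCP input feeding the decode_cef processor, with TLS on the listener so the CEF stream from the other SIEM is not sent in cleartext. The listen port, certificate paths and the ingest pipeline name are placeholders to be replaced with your own values.

```yaml
# Added example, not the poster's configuration: a stand-alone Filebeat
# equivalent of "custom TCP input + decode_cef processor".
# Port, certificate paths and the pipeline name below are placeholders.
filebeat.inputs:
  - type: tcp
    host: "0.0.0.0:5140"            # placeholder listen address and port
    framing: delimiter              # one CEF event per line
    line_delimiter: "\n"
    max_message_size: 20MiB         # Filebeat default; raise only if events are larger
    # CEF over plain TCP is cleartext: require TLS and a client certificate so
    # only the sending SIEM can deliver events to this listener.
    ssl.enabled: true
    ssl.certificate: "/etc/filebeat/certs/collector.crt"            # placeholder
    ssl.key: "/etc/filebeat/certs/collector.key"                    # placeholder
    ssl.certificate_authorities: ["/etc/filebeat/certs/siem-ca.crt"] # placeholder
    ssl.client_authentication: required
    tags: ["cef", "tcp"]
    # Reuse the CEF integration's installed ingest pipeline rather than
    # re-implementing its parsing; copy the exact name from your stack.
    pipeline: "<cef-integration-pipeline-name>"   # placeholder

processors:
  - decode_cef:
      field: message          # raw line from the TCP input (quoted "message" in JSON form)
      target_field: cef       # parsed header and extensions land under cef.*
      ignore_missing: true    # lines without a message field pass through untouched
      ignore_failure: true    # keep lines the CEF parser rejects instead of failing them
```

Watch the Filebeat log for decode_cef errors after enabling this; a sender that emits syslog-framed CEF (RFC 6587 octet counting) needs `framing: rfc6587` instead of line delimiting.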
