Fleet CEF Processor

bm11100 · February 9, 2022, 10:49pm

Hello,

We are trying to use the CEF integration to parse syslogs sent over from SentinelOne, but are getting an error message on processing which appears to be due to the date format.

Error - Text '2022-02-09 00:25:02,862' could not be parsed, unparsed text found at index 10

Is there a simple fix to parsing this correctly that I could try?

Also, any plans on adding the ability to specify an event dataset name other than cef, like with other integrations (UDP).

Thanks

kvch · February 10, 2022, 5:22pm

How did you configure it? Integration from Kibana or from Beats?

bm11100 · February 10, 2022, 6:44pm

This is using the integration from Fleet. Using the logs-cef.log-1.3.1 pipeline.

{
  "index": {
    "default_pipeline": "logs-cef.log-1.3.1"
  }
}

kvch · February 11, 2022, 10:27am

Could you please open an issue here? Sign in to GitHub · GitHub

bm11100 · February 11, 2022, 1:03pm

Yea I can but is there something I can do now to get it working?

kvch · February 11, 2022, 2:19pm

Well, you can try to edit manually the Ingest pipeline to parse the timestamp correctly, but reporting the bug should be a simpler solution.

bm11100 · February 11, 2022, 3:20pm

Created an issue Fleet CEF Integration Parsing Timestamp Error · Issue #2676 · elastic/integrations (github.com)

system · March 11, 2022, 5:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Fleet Agent - CEF Integration - Is there any way to listen on TCP? Elastic Agent filebeat	4	596	December 13, 2022
Filebeat CEF module can't parse event as syslog rfc3164 Beats filebeat	3	1733	April 30, 2020
Filebeat CEF Module Beats filebeat	9	2153	December 3, 2019
Unable to parse Timestamp on CEF LOGS Beats filebeat	2	756	December 7, 2021
Time Zone in CEF FB Module Beats filebeat	14	2091	February 18, 2020

Fleet CEF Processor

Related topics