I'm currently setting up an ELK stack and will be forwarding my logs to Logstash. However, I also have a requirement to send these logs to a separate SIEM.
Is it possible to do this with Logstash? I can't find any posts or documentation that say you can. Was hoping there would be some functionality such as with syslog-ng where you can select multiple destinations. If not, I guess I'll just need to handle this by forwarding logs to a syslog server first and using this to forward to Logstash and the SIEM.
Was hoping there would be some functionality such as with syslog-ng where you can select multiple destinations.
A Logstash pipeline can have multiple outputs. Unless you specifically configure it otherwise using conditionals, all events will be sent to all outputs.
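As an added example (not part of the original thread), the configuration below shows the two points made in the replies: a single Logstash pipeline fanning out to more than one output, with a conditional limiting what reaches one of them, and the documented "output isolator" pattern that puts a persistent queue in front of each destination so a failed SIEM connection does not stall indexing into Elasticsearch. File paths, the pipeline ids, the field `[log][level]` and the SIEM hostname are assumptions made for the example.

```logstash
# --- pipelines.yml (assumed location: /etc/logstash/pipelines.yml) ---
# One intake pipeline, plus one pipeline per destination. Each destination
# pipeline keeps its own persisted (on-disk) queue, so the two outputs fail
# and recover independently of each other.
- pipeline.id: intake
  path.config: "/etc/logstash/conf.d/intake.conf"
- pipeline.id: to-elasticsearch
  path.config: "/etc/logstash/conf.d/to-elasticsearch.conf"
  queue.type: persisted
  queue.max_bytes: 2gb      # cap on disk usage before back-pressure reaches intake
- pipeline.id: to-siem
  path.config: "/etc/logstash/conf.d/to-siem.conf"
  queue.type: persisted
  queue.max_bytes: 2gb

# --- /etc/logstash/conf.d/intake.conf ---
input {
  beats { port => 5044 }
}

output {
  # Every event goes to Elasticsearch.
  pipeline { send_to => ["es"] }

  # Without a conditional, every event would also go to the SIEM.
  # Here debug-level noise is withheld from the SIEM feed ([log][level] is an assumed field).
  if [log][level] != "debug" {
    pipeline { send_to => ["siem"] }
  }
}

# --- /etc/logstash/conf.d/to-elasticsearch.conf ---
input {
  pipeline { address => es }
}
output {
  elasticsearch { hosts => ["http://localhost:9200"] }
}

# --- /etc/logstash/conf.d/to-siem.conf ---
input {
  pipeline { address => siem }
}
output {
  # RFC 5424 syslog over TCP to the SIEM collector (hostname assumed).
  syslog {
    host     => "siem.example.internal"
    port     => 514
    protocol => "tcp"
    rfc      => "rfc5424"
  }
}
```

If the isolation is not wanted, the same fan-out works in one pipeline by listing `elasticsearch { ... }` and `syslog { ... }` side by side in a single `output` block, but then a stalled SIEM connection blocks the whole pipeline, which is the failure mode the next reply warns about. With the isolator layout, events for an unreachable SIEM accumulate in its persisted queue and drain when it returns; only once that queue hits `queue.max_bytes` does back-pressure reach the intake pipeline, so the cap should be sized to the outage window you need to ride out.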
Exactly, very very flexible. I do recommend you do not send directly to each output but have a queue of your choice between them. The reason is that if you have 4 different outputs that everything gets sent to, and one fails, the whole processing pipeline of Logstash fails.
LogRhythm (at the time of writing this) uses ES 2.x under the hood. If you want to bypass their own normalization that happens at the Mediator (DP) then you can index directly into ES however they have microservices, one of which is similar to curator.
An ideal method here would be to look at using the LogRhythm collectors to collect from Logstash output.