We're planning on using Logstash as a central shipper to send logs to a SIEM (QRadar in this case) & Logstash.
QRadar, however, doesn't want to automatically parse these events as it doesn't recognize the source (it sees Logstash as the source instead of the original source).
Please note that this is a community contributed codec that is not maintained nor tested by Elastic. As such we cannot provide support for that plugin.
Currently it's still not working for us.
I managed to send the messages towards QRadar, but the auto-parsing doesn't work.
I'm asking IBM the reason for this.
We took the approach of stripping the Logstash headers and passing the raw message to QRadar. This seemed to enable the auto-parsing. For example, we were able to get SEPM logs to pass and auto-parse.
We are trying to play with the headers and a syslog output instead of a udp output to QRadar.
You want to try something like this, where you just catch the message and pass it forward. The ASA though gets a little funky, so you have to do a grok match and then use a syslog output.
filter {
  if "syslog" in [tags] {
    # Capture the whole raw line into the [syslog] field so the output can
    # forward it as-is, without any of Logstash's own fields wrapped around it.
    grok {
      match => { "message" => "(?<syslog>.*)" }
    }
  }
  if "%ASA-" in [message] {
    # ASA lines: pull out the PRI, timestamp and firewall IP. [host] is
    # overwritten with the firewall's IP so it, not Logstash, is the source
    # the syslog output reports downstream.
    grok {
      match => { "message" => "%{SYSLOG5424PRI}%{CISCOTIMESTAMP} %{IP:host} : %ASA-%{GREEDYDATA}" }
      add_tag => [ "ASA" ]
    }
  }
}
output {
  if "ASA" in [tags] {
    syslog {
      host => "[destination]"
      port => 514
    }
  } else {
    # Plain udp with a line codec: only the raw message (plus newline) goes on
    # the wire, so QRadar sees the original source instead of Logstash.
    udp {
      host => "[destination]"
      port => 514
      codec => line { format => "%{syslog}" }
    }
  }
}
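As an added example (not part of this thread, and not Logstash's or QRadar's code), here is the filter and output logic of that config mirrored in Python and run over two constructed sample lines, one ASA and one SEPM, so you can see exactly what reaches QRadar on each path. The collector name `logstash01`, the two sample lines, the field names `pri`/`timestamp`/`rest`, and the RFC 3164 re-framing that stands in for the syslog output plugin are all assumptions made for the example; the point it demonstrates is that the json-wrapped event carries the Logstash host as source, while the line-codec path and the ASA path carry the original device.

```python
import json
import re

# Hypothetical name of the Logstash collector (assumption for this example).
LOGSTASH_HOST = "logstash01"

# Constructed sample events as a syslog/udp input would hand them to the filter:
# original line in "message", the *collector* in "host", "syslog" in tags.
SAMPLE_EVENTS = [
    {"message": "<166>Mar 12 10:15:33 10.0.0.1 : %ASA-6-302013: Built outbound TCP "
                "connection 12345 for outside:198.51.100.7/443 (198.51.100.7/443) "
                "to inside:10.1.2.3/51022 (10.1.2.3/51022)",
     "host": LOGSTASH_HOST, "tags": ["syslog"]},
    {"message": "<13>Mar 12 10:15:34 sepm01 SepmLog: Virus found,Computer name: WS042,"
                "Source: Auto-Protect scan",
     "host": LOGSTASH_HOST, "tags": ["syslog"]},
]

# Regex equivalent of the ASA grok line
# "%{SYSLOG5424PRI}%{CISCOTIMESTAMP} %{IP:host} : %ASA-%{GREEDYDATA}":
# PRI in angle brackets, Cisco timestamp (optional year), an IPv4 host, then the ASA body.
ASA_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}) : %ASA-(?P<rest>.*)$"
)


def grok_filter(event):
    """Mirror the filter block: copy the raw line to [syslog], tag and parse ASA lines."""
    ev = dict(event)
    ev["tags"] = list(event["tags"])
    if "syslog" in ev["tags"]:
        ev["syslog"] = ev["message"]            # (?<syslog>.*) captures the whole line
    if "%ASA-" in ev["message"]:
        m = ASA_RE.match(ev["message"])
        if m:
            ev.update(m.groupdict())            # overwrites [host] with the firewall IP
            ev["tags"].append("ASA")
        else:
            ev["tags"].append("_grokparsefailure")  # what grok does on a miss
    return ev


def route(event):
    """Mirror the output block: return (output_name, bytes that go on the wire)."""
    if "ASA" in event["tags"]:
        # Stand-in for the syslog output (assumption, not the plugin's code):
        # re-frame as RFC 3164 using the event's [host], i.e. the firewall IP.
        payload = f"<{event['pri']}>{event['timestamp']} {event['host']} : %ASA-{event['rest']}\n"
        return "syslog", payload
    # udp output with the line codec: raw message plus newline, no Logstash metadata.
    return "udp", event["syslog"] + "\n"


def default_udp_payload(event):
    """What the udp output sends with its default json codec: the whole event,
    so the receiver sees LOGSTASH_HOST in [host] rather than the original device."""
    return json.dumps(event, sort_keys=True)


def process(events=SAMPLE_EVENTS):
    """Run every sample through filter + routing; returns [(output, payload), ...]."""
    return [route(grok_filter(e)) for e in events]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("default json  :", default_udp_payload(grok_filter(e)))
        out, payload = route(grok_filter(e))
        print(f"{out:<14}:", payload, end="")
```

Run it and compare the two lines printed per event: the json form names `logstash01` as the host, which is the symptom described at the top of the thread, while the line-codec and syslog forms carry `sepm01` and `10.0.0.1` respectively.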