How can I send logs from Elastic to another SIEM?

Good morning,

We have installed elastic-agents throughout our environment with everything set up for filebeat and metricbeat monitoring. Now I'm trying to understand how I can send logs to another SIEM.

Hi @Ck1f,

Welcome to the community! I assume you're currently ingesting the events to Elasticsearch using the agent at the moment. Which SIEM are you trying to send to?

Elastic agents can send data to Elasticsearch or Logstash. Logstash supports plugins for different outputs.
I assume you want to send data to Elastic SIEM which is part of Kibana Security, so send data to Elasticsearch and view it in Kibana Security.

My company is testing now different SIEM to choose one. And we want to use Elastic as a hub where we collect logs and send them to others.

Ok. Without knowing how the SIEMs ingest data, it sounds like @Rios's suggestion of using Logstash with an appropriate output plugin is probably a good place to start.
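The Logstash relay suggested above, written out as an added example that is not from this thread or from Elastic's documentation. It assumes the agents' Fleet output is pointed at this Logstash host on port 5044, that the second SIEM accepts newline-delimited JSON over TLS on a TCP port, and that Elasticsearch should keep receiving everything so Kibana Security still works. The hostnames, port 6514, the CA path and the `${...}` variable names are placeholders.

```conf
# Added example pipeline (not from the thread): Elastic Agent -> Logstash -> second SIEM.
# Assumptions: agents ship to this host on 5044; the second SIEM listens for
# JSON lines on siem.example.internal:6514 over TLS; Elasticsearch stays primary.

input {
  # Elastic Agent (like Filebeat/Metricbeat) speaks the Beats protocol to Logstash.
  beats {
    port => 5044
  }
}

filter {
  # Mark relayed events so the downstream SIEM can tell them apart from
  # events it collected itself (avoids double-counting in its own rules).
  mutate {
    add_field => { "[relay][via]" => "logstash" }
  }
}

output {
  # Keep the Elasticsearch path so Kibana Security sees the same events.
  # data_stream => true is needed for events coming from Elastic Agent.
  elasticsearch {
    hosts       => ["https://es.example.internal:9200"]
    api_key     => "${ES_API_KEY}"      # set in the Logstash keystore, not in this file
    data_stream => true
    ssl         => true
    cacert      => "/etc/logstash/certs/ca.crt"
  }

  # Second copy of the same stream to the other SIEM as JSON lines over TLS.
  # Verifying the SIEM's certificate matters here: this is the point where
  # the event stream leaves the Elastic stack.
  tcp {
    host       => "siem.example.internal"
    port       => 6514
    mode       => "client"
    codec      => json_lines
    ssl_enable => true
    ssl_verify => true
    ssl_cacert => "/etc/logstash/certs/siem-ca.crt"
  }
}
```

Check the file with `bin/logstash --config.test_and_exit -f <path>` before enabling it. If the target SIEM only accepts syslog, swap the `tcp` block for the separately installed `syslog` output plugin; if it only wants a subset of the data, wrap the `tcp` output in an `if [event][dataset] == "..."` conditional rather than forwarding everything.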

Ok, so I did some research about this, and now I have a question on a related topic. If I had a system with one main server and around 20 different endpoints, should I install filebeat on all endpoints, or can I just collect logs about all endpoints from the main server?

Hi @Ck1f ,

If you're collecting logs located on each endpoint using filebeat, I would expect you would need filebeat installed on each endpoint. What kind of logs are you trying to capture?

Or you can send by syslog to FB or LS, but "someone" has to read the logs and send them via syslog or TCP. If the endpoints have the ability to forward logs themselves, as firewalls do (for instance Palo Alto), you don't need FB or EA.
