Hi All,
I'd like to ship specific event logs from my Siem to ElasticSearch for further processing. However the output from the Siem is in the leef format and can not be changed.
Has anyone on the lists done this? If you have how did you setup logstash and the grok filter?
Thanks
TimW
I have no experience with leef, however I have captured propieretary formats before using the udp or tcp input plugin and just look at how the message field looks like, then go from there to add a grok filter.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.