I'm new to using the ELK Stack. I have been parsing log data from a Palo Alto firewall and Cisco Umbrella with Logstash to index it into Elasticsearch. It was a difficult task, because I have no experience doing it. Now I can see the data properly indexed in Elasticsearch.
I also have logs from a Windows Server and from Linux via Auditbeat, Winlogbeat and Filebeat.
The problem I have is that I only see data from Auditbeat, Filebeat and Winlogbeat in the SIEM app (Overview and Hosts), so I can only see data from Windows and Linux. I would also like to ingest the Palo Alto and Cisco Umbrella data so it shows up in Elastic SIEM, and to try to detect anomalies and threats in those logs.
Is it possible? What should I do?
I added the indices to siem:defaultIndex:
apm-*-transaction*, auditbeat-*, endgame-*, filebeat-*, packetbeat-*, winlogbeat-*, umbrella*, fortinet*, paloalto*
But I still don't see data...
To be honest, I don't know how to do it... I just tried to filter the logs using Logstash and index them into Elasticsearch, but I didn't expect the ECS standard (I also don't know about it).
What do I have to do to remap the fields to follow the ECS standard? Any tutorial or example? Do I have to do it using Logstash?
@Gmexican14 I'm using Logstash to ingest both logs into Elasticsearch. I'm filtering them with kv/csv filters and then outputting directly to Elasticsearch.
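Added example, not from the thread or from Elastic: the field renaming that the posts above ask about, worked through in Python for one Palo Alto TRAFFIC line and one Cisco Umbrella DNS line so it can be run and checked offline. The two sample lines are constructed, not real traffic; the column orders follow the PAN-OS TRAFFIC syslog CSV layout (first 38 columns) and the Umbrella DNS log CSV export. The vendor-field to ECS-field pairs in `PANW_RENAMES` are exactly the pairs you would put into a Logstash `mutate { rename => { ... } }` after the `csv` filter; the `event.module`/`event.dataset` values and the `panw.panos.*` / `cisco.umbrella.*` namespaces for fields with no ECS equivalent are assumed conventions, and both devices are assumed to log in UTC.

```python
import csv
from datetime import datetime, timezone

# Constructed sample lines (not real traffic). Palo Alto: CSV body after the syslog
# header; Umbrella: one row of the DNS log export.
PALO_TRAFFIC_LINE = (
    "1,2020/05/12 10:15:33,001234567890,TRAFFIC,end,2049,2020/05/12 10:15:33,"
    "10.1.1.25,93.184.216.34,203.0.113.7,93.184.216.34,allow-web,acme\\jdoe,,"
    "web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default-log,2049,"
    "54321,1,51234,443,18888,443,0x400000,tcp,allow,7342,1200,6142,24,"
    "2020/05/12 10:15:10,23,computer-and-internet-info"
)
UMBRELLA_DNS_LINE = (
    '"2020-05-12 10:15:40","jdoe-laptop","jdoe-laptop,ADSites","10.1.1.25",'
    '"203.0.113.7","Blocked","1 (A)","NOERROR","malware.example.net.","Malware",'
    '"Roaming Computers","Roaming Computers,Sites","Malware"'
)

# First 38 PAN-OS TRAFFIC columns, positional; FUTURE_USE slots are left as None.
PANW_TRAFFIC_COLUMNS = [
    None, "receive_time", "serial", "type", "subtype", None, "generated_time",
    "src", "dst", "natsrc", "natdst", "rule", "srcuser", "dstuser", "app", "vsys",
    "from", "to", "inbound_if", "outbound_if", "logaction", None, "sessionid",
    "repeat", "sport", "dport", "natsport", "natdport", "flags", "proto",
    "action", "bytes", "bytes_sent", "bytes_received", "packets", "start",
    "elapsed", "category",
]
UMBRELLA_DNS_COLUMNS = [
    "timestamp", "most_granular_identity", "identities", "internal_ip",
    "external_ip", "action", "query_type", "response_code", "domain",
    "categories", "most_granular_identity_type", "identity_types",
    "blocked_categories",
]

# Vendor field -> ECS field. These are the same pairs a Logstash
# mutate { rename => { "src" => "[source][ip]" ... } } block would carry.
PANW_RENAMES = {
    "src": "source.ip", "dst": "destination.ip",
    "natsrc": "source.nat.ip", "natdst": "destination.nat.ip",
    "sport": "source.port", "dport": "destination.port",
    "natsport": "source.nat.port", "natdport": "destination.nat.port",
    "proto": "network.transport", "app": "network.application",
    "rule": "rule.name", "action": "event.action",
    "bytes": "network.bytes", "bytes_sent": "source.bytes",
    "bytes_received": "destination.bytes", "packets": "network.packets",
    "serial": "observer.serial_number",
    "from": "observer.ingress.zone", "to": "observer.egress.zone",
    "inbound_if": "observer.ingress.interface.name",
    "outbound_if": "observer.egress.interface.name",
}
PANW_INTEGER_FIELDS = {"sport", "dport", "natsport", "natdport",
                       "bytes", "bytes_sent", "bytes_received", "packets"}
# Fields with no ECS equivalent are kept under a vendor namespace instead of dropped.
PANW_VENDOR_FIELDS = ("vsys", "sessionid", "flags", "category", "logaction", "subtype")


def _split_csv(line):
    """Split one CSV line, honouring quoted commas (Umbrella identities)."""
    return next(csv.reader([line]))


def _to_timestamp(value, fmt):
    """Assumption: the device clock is UTC. Returns an ISO 8601 string for @timestamp."""
    dt = datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def panw_traffic_to_ecs(line):
    """Map a PAN-OS TRAFFIC CSV line to a flat dict of ECS (dotted) field names."""
    cols = _split_csv(line)
    raw = {n: cols[i] for i, n in enumerate(PANW_TRAFFIC_COLUMNS) if n and i < len(cols)}
    if raw.get("type") != "TRAFFIC":
        raise ValueError("not a TRAFFIC log line")
    subtype = raw["subtype"]
    if subtype in ("drop", "deny"):
        event_type = ["connection", "denied"]
    elif subtype == "end":
        event_type = ["connection", "end"]
    else:
        event_type = ["connection", "start"]
    event = {
        "@timestamp": _to_timestamp(raw["generated_time"], "%Y/%m/%d %H:%M:%S"),
        "event.kind": "event", "event.category": ["network"], "event.type": event_type,
        "event.module": "panw", "event.dataset": "panw.panos",   # assumed naming
        "observer.vendor": "Palo Alto Networks", "observer.type": "firewall",
    }
    for vendor_name, ecs_name in PANW_RENAMES.items():
        value = raw.get(vendor_name, "")
        if value != "":
            event[ecs_name] = int(value) if vendor_name in PANW_INTEGER_FIELDS else value
    user = raw.get("srcuser", "")
    if "\\" in user:                       # DOMAIN\user -> source.user.domain / .name
        event["source.user.domain"], event["source.user.name"] = user.split("\\", 1)
    elif user:
        event["source.user.name"] = user
    for name in PANW_VENDOR_FIELDS:
        if raw.get(name):
            event["panw.panos." + name] = raw[name]
    return event


def umbrella_dns_to_ecs(line):
    """Map one Umbrella DNS log row to a flat dict of ECS (dotted) field names."""
    raw = dict(zip(UMBRELLA_DNS_COLUMNS, _split_csv(line)))
    blocked = raw["action"].lower() == "blocked"
    qtype = raw["query_type"]                          # "1 (A)" -> "A"
    if "(" in qtype and qtype.endswith(")"):
        qtype = qtype[qtype.index("(") + 1:-1]
    return {
        "@timestamp": _to_timestamp(raw["timestamp"], "%Y-%m-%d %H:%M:%S"),
        "event.kind": "event", "event.category": ["network"],
        "event.type": ["protocol", "denied" if blocked else "allowed"],
        "event.action": raw["action"].lower(),
        "event.module": "cisco", "event.dataset": "cisco.umbrella",  # assumed naming
        "network.protocol": "dns",
        "source.ip": raw["internal_ip"], "source.nat.ip": raw["external_ip"],
        "dns.question.name": raw["domain"].rstrip("."),
        "dns.question.type": qtype, "dns.response_code": raw["response_code"],
        "rule.category": [c for c in raw["categories"].split(",") if c],
        "observer.vendor": "Cisco", "observer.product": "Umbrella",
        "cisco.umbrella.identity": raw["most_granular_identity"],
        "cisco.umbrella.identities": raw["identities"].split(","),
        "cisco.umbrella.blocked_categories": raw["blocked_categories"],
    }


if __name__ == "__main__":
    for doc in (panw_traffic_to_ecs(PALO_TRAFFIC_LINE), umbrella_dns_to_ecs(UMBRELLA_DNS_LINE)):
        for k in sorted(doc):
            print(f"{k}: {doc[k]}")
```

Two things to check after the rename, whichever tool does it: the SIEM app keys its Hosts and Network views on `@timestamp`, `host.name`, `source.ip`, `destination.ip` and the `event.*` fields, so those must exist under exactly those names; and the index template for the `paloalto*` / `umbrella*` indices must map `source.ip`, `destination.ip` and the `*.nat.ip` fields with the `ip` type and the port and byte counters as numbers, otherwise the values are indexed as text and the SIEM filters on them silently match nothing. Dotted keys as above are expanded by Elasticsearch into nested objects, which is the layout the ECS index templates expect.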