I recently started consuming HashiCorp Vault (secrets manager) audit logs into my cluster via Journalbeat, and while it's great to view the logs in Discover, it would be useful to surface those logs and associated metrics in the SIEM app. Any thoughts on this?
Unfortunately, it is not currently possible to transmit journald events to the SIEM app via Journalbeat. However, the HashiCorp docs, mention their audit logs are generally sent as syslog or JSON to a SIEM. Could you generate some sample events and provide us with the output (sanitised events are fine). Filebeat may be able to ship these events to the SIEM app, depending on the format.