Network device logs, system logs and cloud service logs are sent to Elastic for log storage. Logs are processed and stored in JSON format.
Is Elastic able to forward logs simultaneously to a SIEM in their original log format (e.g. CEF/LEEF, Linux, Windows event) through syslog (514)?
If someone thinks of logstash+elasticsearch as a monolith then yes, the data will be coming out of elasticsearch as JSON and restoring it to the original format would be an absurd waste of effort.
But if logstash is receiving syslog messages then it can send one copy of the event to elasticsearch and just forward another copy to a syslog server. The same is true of CEF messages, it can create two copies, parse one and forward one.
I'm not quite sure what that means for Windows events, I guess it really depends on what format the SIEM system expects to receive Windows events in. Is there a syslog standard for Windows events? (I have never met one and would not expect one to exist.)
But if the requirement is to forward an event to both elasticsearch and another system formatted in a different way then I think logstash is a good fit.
Can logstash receive events from arbitrary sources and forward them to both elasticsearch and syslog -- definitely.
The input would send events to two pipelines, one would just send those events to a syslog output, the other would parse them and route them to elasticsearch.
To parse CEF you can use the codec. You cannot use a codec on a pipeline-to-pipeline connection, but there is an example of how to do it using a TCP output/input pair here. Do not try to do it like this.
If you have problems with parsing the syslog timestamp then this might help.
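The two-pipeline layout described above, written out as a constructed Logstash example (not configuration from the original post): one ingest pipeline receives the raw lines and fans them out with the pipeline output, the "forward" pipeline emits each original line unchanged to the SIEM on 514, and the "index" pipeline parses its copy for Elasticsearch. Hostnames, ports, file paths and the index name are assumptions; the UDP output with a `line` codec is used instead of the `syslog` output so the original text is not wrapped in a new syslog header.

```conf
# pipelines.yml (constructed example; pipeline ids and paths are assumptions)
- pipeline.id: ingest
  path.config: "/etc/logstash/conf.d/ingest.conf"
- pipeline.id: forward
  path.config: "/etc/logstash/conf.d/forward.conf"
- pipeline.id: index
  path.config: "/etc/logstash/conf.d/index.conf"

# ingest.conf: receive raw syslog lines and hand the same event to both pipelines
input {
  # plain codec keeps the complete original line in [message]; the syslog input
  # would already split it into fields, which the forward copy does not want
  tcp { port => 5514 codec => plain }
}
output {
  pipeline { send_to => ["forward", "index"] }
}

# forward.conf: send the original line to the SIEM with no re-serialization
input {
  pipeline { address => "forward" }
}
output {
  udp {
    host => "siem.example.internal"   # assumption: the SIEM's syslog collector
    port => 514
    # emit only the original text; without this the event would go out as JSON
    codec => line { format => "%{message}" }
  }
}

# index.conf: parse the copy bound for Elasticsearch
input {
  pipeline { address => "index" }
}
filter {
  # SYSLOGLINE is a stock grok pattern; the raw line stays in [message] unless overwrite is set
  grok { match => { "message" => "%{SYSLOGLINE}" } }
  date { match => ["timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss"] }
}
output {
  elasticsearch { hosts => ["http://localhost:9200"] index => "syslog-%{+YYYY.MM.dd}" }
}
```

Because the forward pipeline never touches the event, a grok failure in the index pipeline cannot alter or drop what the SIEM receives.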