Log Forwarding Capabilities

Network devices logs, system logs and Cloud services logs are sent to Elastic for log storage. Logs are processed are stored JSON format.

Does Elastic able to do forwarding of logs simultaneously to a SIEM with its original log format (e.g. CEF/LEEF, linux, windows event) through syslog (514), ?

Welcome to our community! :smiley:

Logstash and Beats can output to different locations, however they do convert the event into json so they will not be in the original log format.

@warkolm Not sure I agree there, Mark.

If someone thinks of logstash+elasticsearch as a monolith then yes, the data will be coming out of elasticsearch as JSON and restoring it to the original format would be an absurd waste of effort.

But if logstash is receiving syslog messages then it can send one copy of the event to elasticsearch and just forward another copy to a syslog server. The same is true of CEF messages, it can create two copies, parse one and forward one.

I'm not quite sure what that means for Windows events, I guess it really depends on what format the SIEM system expects to receive Windows events in. Is there a syslog standard for Windows events? (I have never met one and would not expect one to exist.)

But if the requirement is to forward an event to both elasticsearch and another system formatted in a different way then I think logstash is a good fit.

Can logstash receive events from arbitrary sources and forward them to both elasticsearch and syslog -- definitely.

1 Like

@warkolm @Badger Thank you for the responses.

On the point that it is possible to forward logs to another destination and at the same time sending the transform logs to Elasticsearch for storage.

I came across with this documentation How Logstash Works | Logstash Reference [8.8] | Elastic. Is this the way? Appreciate to point me to the right direction. :slight_smile:

SIEM needed to have the format on how the log source device originally sent it so as their OOTB parser to work.

You would use pipeline-to-pipeline with a forked-path pattern.

The input would send events to two pipelines, one would just send those events to a syslog output, the other would parse them and route them to elasticsearch.

To parse CEF you can use the codec. You cannot use a codec on a pipeline-to-pipeline connection, but there is an example of how to do it using a TCP output/input pair here. Do not try to do it like this.

If you have problems with parsing the syslog timestamp then this might help.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.