Logstash metadata breaks SIEM ingestion [SOLVED]

[Update]
This is a LogRhythm problem, not a Logstash one. This is the behaviour in LogRhythm when its syslog relay regexes on the data collector do not match the records you're sending in. So it doesn't correctly identify the log level, host and timestamp. Either adjust the format in Logstash or make your regexes match the incoming logs.
I'm using the tcp output in Logstash and it's working perfectly after fixing the regexes in LogRhythm.

Hi,

I'm trying to use Logstash as a relay between Kafka and our SIEM (LogRhythm). The kafka input, filtering and tcp output all work, but LogRhythm makes some assumptions about the extra metadata prepended by Logstash. So the prepended timestamp is assumed to be the timestamp of the arriving record rather than the timestamp I've included in the input.

The format that arrives is something like this:
timestamp logstash_server_ip <USER.NOTE> configured_logstash_output

Is there any way to remove or otherwise manipulate the fields added before the <USER.NOTE> section?

Does the syslog output also prepend metadata in the same way?

Thanks
Guy

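The update's point is that the SIEM side must parse both the relay envelope and the original record inside it; when only the envelope matches, the relay's own timestamp and IP are taken as the event's. The following script is an added example, not code from this thread, from Logstash or from LogRhythm. It works on constructed lines in the shape the post describes (relay timestamp, relay IP, <USER.NOTE>, forwarded record) and assumes the forwarded record begins with an ISO 8601 timestamp followed by the originating hostname; a line that lacks the expected envelope is reported as unmatched, which is the situation the update describes.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not from the original post) in the shape it describes:
#   <relay timestamp> <logstash server ip> <USER.NOTE> <forwarded record>
# The forwarded record is assumed to start with the original event's ISO 8601
# timestamp and then the originating hostname. The third line deliberately has
# no inner timestamp, and the fourth lacks the envelope altogether.
SAMPLE_LINES = [
    "2024-03-01T10:15:30Z 10.0.0.5 <USER.NOTE> 2024-03-01T09:58:02Z app01 sshd[4711]: Accepted publickey for deploy from 10.0.0.20",
    "2024-03-01T10:15:31Z 10.0.0.5 <USER.NOTE> 2024-03-01T10:15:31Z db02 kernel: audit: type=1400 apparmor=\"DENIED\"",
    "2024-03-01T10:15:32Z 10.0.0.5 <USER.NOTE> web03 nginx: 10.0.0.9 - - GET /login 401",
    "<13>Mar  1 10:15:33 10.0.0.5 app01 sshd[4712]: Failed password for root from 10.0.0.21",
]

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Outer envelope added by the relay (assumed layout).
ENVELOPE_RE = re.compile(
    r"^(?P<relay_ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<relay_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"<USER\.NOTE> (?P<payload>.*)$"
)
# Inner record: optional original timestamp, then host, then the message.
PAYLOAD_RE = re.compile(
    r"^(?:(?P<event_ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) )?(?P<host>\S+) (?P<message>.*)$"
)


def _parse_ts(text):
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)


def parse_relayed_line(line):
    """Return a normalised event dict, or None when the line does not match the envelope."""
    env = ENVELOPE_RE.match(line)
    if env is None:
        return None
    body = PAYLOAD_RE.match(env.group("payload"))
    if body is None:
        return None
    relay_ts = _parse_ts(env.group("relay_ts"))
    if body.group("event_ts"):
        # Prefer the timestamp carried inside the forwarded record.
        event_ts = _parse_ts(body.group("event_ts"))
        source = "event"
    else:
        # No inner timestamp: fall back to the relay's, and say so.
        event_ts = relay_ts
        source = "relay"
    return {
        "timestamp": event_ts,
        "timestamp_source": source,
        # How long the record sat between the original event and relay emission.
        "relay_delay_s": int((relay_ts - event_ts).total_seconds()),
        "relay_ip": env.group("relay_ip"),
        "host": body.group("host"),
        "message": body.group("message"),
    }


def parse_all(lines):
    """Split lines into parsed events and the raw lines the envelope regex rejected."""
    parsed, unmatched = [], []
    for line in lines:
        event = parse_relayed_line(line)
        if event is None:
            unmatched.append(line)
        else:
            parsed.append(event)
    return parsed, unmatched


if __name__ == "__main__":
    events, rejected = parse_all(SAMPLE_LINES)
    for ev in events:
        print(f"{ev['timestamp'].isoformat()} ({ev['timestamp_source']}, +{ev['relay_delay_s']}s) "
              f"{ev['host']} {ev['message']}")
    for line in rejected:
        print(f"UNMATCHED (would be stamped with relay time/host): {line}")
```

The `timestamp_source` and `relay_delay_s` fields make the two failure modes visible: a record whose inner timestamp was ignored shows up as `relay` sourced, and a large delay between event and relay time is the gap that a parser using the envelope timestamp would silently erase.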