Logstash output as CEF data to other server

Blason · March 29, 2019, 3:22am

Hi there,

I have elastic search stack where logstash is accepting data and ingesting in elastic search now I need to have another output configured and forward the data to a third part collector which is accepting in CEF format.

This is again not ArcSight but a third party SIEM solution. Can someone confirm if this possible?

TIA
Blason R

Badger · March 29, 2019, 12:35pm

You can use a cef codec on an output, so yes, this should be possib.e

Blason · March 29, 2019, 5:39pm

If possible can you give me an example?. Here is mine at this moment and I need to send to third party collector in CEF format

        gelf {
                host => "localhost"
                port => "12201"
                protocol => "UDP"
        }

}
#       elasticsearch {
#               index => "logstash-rpzlog-%{+YYYY.MM.dd}"
#               hosts => ["http://localhost:9200"]
#               }
#       }

Badger · March 29, 2019, 6:08pm

There is an example writing to stdout here.

system · April 26, 2019, 6:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.