Logstash output as CEF data to other server

Blason · March 29, 2019, 3:22am

Hi there,

I have elastic search stack where logstash is accepting data and ingesting in elastic search now I need to have another output configured and forward the data to a third part collector which is accepting in CEF format.

This is again not ArcSight but a third party SIEM solution. Can someone confirm if this possible?

TIA
Blason R

Badger · March 29, 2019, 12:35pm

You can use a cef codec on an output, so yes, this should be possib.e

Blason · March 29, 2019, 5:39pm

If possible can you give me an example?. Here is mine at this moment and I need to send to third party collector in CEF format

        gelf {
                host => "localhost"
                port => "12201"
                protocol => "UDP"
        }

}
#       elasticsearch {
#               index => "logstash-rpzlog-%{+YYYY.MM.dd}"
#               hosts => ["http://localhost:9200"]
#               }
#       }

Badger · March 29, 2019, 6:08pm

There is an example writing to stdout here.

system · April 26, 2019, 6:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Sending logs from Logstash to ArcSight via Syslog CEF Logstash	3	2526	March 28, 2019
Output CEF Logstash	1	1748	December 25, 2017
Need to config codec-cef as output Logstash	1	869	October 22, 2017
Filter cef Logstash	7	6045	June 14, 2019
ArcSight module CEF input parsing (over TCP) [SOLVED] Logstash	1	534	August 8, 2019

Logstash output as CEF data to other server

Related topics