Not able to recognize rsyslogs in SIEM

I'm trying to send rsyslogs to SIEM (rsyslog-> filebeat-> logstash-> siem)

filebeat.spool_size: 2048
filebeat.idle_timeout: 5s
  hosts: ['10.x.x.5:6045']
- type: log
   - /var/log/hostname/forwarded-logs.log
    logtype: rsyslog

Is there a file-beat plugin that supports rsyslog-output to SIEM? I didn't find anything?

I have looked at the alternative options to send logs to logstash, logstash to siem


input {
  beats {
    port => 6045

  if [fields][logtype] == "rsyslog" {
       grok {
        match => ["message", "%{GREEDYDATA:message}"]
        add_tag => "rsyslog"

output {
  if "rsyslog" in [tags] {
       syslog {
        appname => "SIEM"
        host => "10.x.x.52"
        port => "514"
        protocol => "tcp"
        codec => line { format => "%{message}" }

I'm not able recognize file-beat installed hostname in SIEM, What were my options in terms of recognizing file-beat installed hostname?

Can you share a sample of the message you are sending, what is the output you are getting and what is the desired output?

I am Not sure if that is supposed to be your entire, filebeat.yml

If it is, you're missing a pretty important line

- type: log

@stephenb I did have that line in my filebeat.yml, can you confirm if we can send rsyslogs to external SIEM.

If yes, what was the plugin?


I am not sure what you are asking, it would help if you could be a little more detailed in your questions.

Are you asking
Can you send logs that are harvested with filebeat and sent through logstash can they be forwarded to a syslog output with logstash?

If that is the question then the answer is yes.

If you are asking
Can logs be harvested somehow and sent to a random external SIEM that has not been identified

I have no clue because there is not enough information.

If your real question is

What were my options in terms of recognizing file-beat installed hostname?

You would need to do some parsing of the logs and set the correct fields.

And if that is the case what @leandrojmp asked is very important you need to show the indata and out data so we could help.

@stephenb @leandrojmp

What I'm trying here send rsyslogs to Security Information and Event Management (McaFee SIEM)

What were my options in terms of recognizing file-beat installed hostname in SIEM?

Here is my input rsyslog forwarded-logs.log:

2022-07-18T14:16:01.363926+00:00 scmgxpbt-wls-1 CROND[27856]: (root) CMD (python < /usr/share/rhn/virtualization/
2022-07-18T14:16:45.663113+00:00 scmgxpbt-wls-1 runuser: pam_unix(runuser:session): session opened for user root by opc(uid=0)

I'm collecting above log through filebeat and sending it to logstash output.
Logstash will send it to SIEM.

Here is my Logstash output,

       "message" => [
        [0] "2022-07-18T14:58:01.495362+00:00 scmgxpbt-wls-1 CROND[25968]: (root) CMD (python < /usr/share/rhn/virtualization/",
        [1] "2022-07-18T14:58:01.495362+00:00 scmgxpbt-wls-1 CROND[25968]: (root) CMD (python < /usr/share/rhn/virtualization/"
          "host" => {
        "name" => "scmgxpbt-wls-1"
    "@timestamp" => 2022-07-18T14:58:01.998Z,
         "agent" => {
            "hostname" => "scmgxpbt-wls-1",
                  "id" => "b92b643f-a1a5-4f44-ab1f-693a53df9ef2",
                "type" => "filebeat",
             "version" => "7.3.1",
        "ephemeral_id" => "20f7a094-15ed-4e97-87bf-402b018db944"
         "input" => {
        "type" => "log"
      "@version" => "1",
        "fields" => {
        "envName" => "gxpbt",
        "logtype" => "rsyslog"
          "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "rsyslog"
           "log" => {
          "file" => {
            "path" => "/var/log/scmgxpbt-wls-1/forwarded-logs.log"
        "offset" => 2107278

I have added filebeat.conf file and logstash.conf file in my first post.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.