I'm trying to send rsyslog logs to a SIEM (rsyslog -> filebeat -> logstash -> SIEM).
filebeat.conf:
filebeat.spool_size: 2048
filebeat.idle_timeout: 5s
output.logstash:
  hosts: ['10.x.x.5:6045']
filebeat.inputs:
- type: log
  paths:
    - /var/log/hostname/forwarded-logs.log
  fields:
    logtype: rsyslog
Is there a Filebeat plugin that supports rsyslog output to a SIEM? I didn't find anything.
I have looked at the alternative options: send logs to Logstash, then from Logstash to the SIEM.
logstash.conf:
input {
  beats {
    port => 6045
  }
}
filter {
  # Only events that Filebeat tagged with fields.logtype = rsyslog are handled here.
  if [fields][logtype] == "rsyslog" {
    grok {
      match => ["message", "%{GREEDYDATA:message}"]
      add_tag => "rsyslog"
    }
  }
}
output {
  if "rsyslog" in [tags] {
    # Forward the tagged events to the SIEM as syslog over TCP; the codec
    # decides what goes into the syslog message body.
    syslog {
      appname => "SIEM"
      host => "10.x.x.52"
      port => "514"
      protocol => "tcp"
      codec => line { format => "%{message}" }
    }
  }
  stdout {}
}
I'm not able to recognize the Filebeat-installed hostname in the SIEM. What are my options in terms of recognizing the Filebeat-installed hostname?
leandrojmp (Leandro Pereira), July 15, 2022, 3:55pm, #2
Can you share a sample of the message you are sending, what is the output you are getting and what is the desired output?
stephenb (Stephen Brown), July 16, 2022, 6:50am, #3
Rao_Nelakurti:
    - type: log
I am not sure if that is supposed to be your entire filebeat.yml. If it is, you're missing a pretty important line:
filebeat.inputs:
- type: log
@stephenb I did have that line in my filebeat.yml. Can you confirm whether we can send rsyslog logs to an external SIEM?
If yes, what is the plugin?
stephenb (Stephen Brown), July 18, 2022, 2:33pm, #5
@Rao_Nelakurti
I am not sure what you are asking; it would help if you could be a little more detailed in your questions.
Are you asking:
Can logs that are harvested with Filebeat and sent through Logstash be forwarded to a syslog output by Logstash?
If that is the question, then the answer is yes.
If you are asking:
Can logs be harvested somehow and sent to a random external SIEM that has not been identified?
I have no clue, because there is not enough information.
If your real question is:
What are my options in terms of recognizing the Filebeat-installed hostname?
You would need to do some parsing of the logs and set the correct fields.
And if that is the case, what @leandrojmp asked is very important: you need to show the in-data and out-data so we can help.
@stephenb @leandrojmp
What I'm trying to do here is send rsyslog logs to a Security Information and Event Management system (McAfee SIEM).
What are my options in terms of recognizing the Filebeat-installed hostname in the SIEM?
Here is my input, the rsyslog forwarded-logs.log:
2022-07-18T14:16:01.363926+00:00 scmgxpbt-wls-1 CROND[27856]: (root) CMD (python < /usr/share/rhn/virtualization/poller.py)
2022-07-18T14:16:45.663113+00:00 scmgxpbt-wls-1 runuser: pam_unix(runuser:session): session opened for user root by opc(uid=0)
I'm collecting the above log through Filebeat and sending it to the Logstash output.
Logstash then sends it to the SIEM.
Here is my Logstash output:
       "message" => [
        [0] "2022-07-18T14:58:01.495362+00:00 scmgxpbt-wls-1 CROND[25968]: (root) CMD (python < /usr/share/rhn/virtualization/poller.py)",
        [1] "2022-07-18T14:58:01.495362+00:00 scmgxpbt-wls-1 CROND[25968]: (root) CMD (python < /usr/share/rhn/virtualization/poller.py)"
    ],
          "host" => {
        "name" => "scmgxpbt-wls-1"
    },
    "@timestamp" => 2022-07-18T14:58:01.998Z,
         "agent" => {
            "hostname" => "scmgxpbt-wls-1",
                  "id" => "b92b643f-a1a5-4f44-ab1f-693a53df9ef2",
                "type" => "filebeat",
             "version" => "7.3.1",
        "ephemeral_id" => "20f7a094-15ed-4e97-87bf-402b018db944"
    },
         "input" => {
        "type" => "log"
    },
      "@version" => "1",
        "fields" => {
        "envName" => "gxpbt",
        "logtype" => "rsyslog"
    },
          "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "rsyslog"
    ],
           "log" => {
          "file" => {
            "path" => "/var/log/scmgxpbt-wls-1/forwarded-logs.log"
        },
        "offset" => 2107278
    }
I added the filebeat.conf file and logstash.conf file in my first post.
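What the SIEM actually receives, as an added example that is not part of the thread and not Logstash's own code: the Logstash syslog output prepends a syslog header to whatever the codec produced, and the hostname in that header comes from the plugin's sourcehost option (default `%{host}`), not from the body. On a Filebeat 7.x event `host` is an object, so that default does not yield a hostname, and the posted pipeline only ever sends `%{message}` as the body. The grok in the posted pipeline also captures into `message` again, which is why the rubydebug output above shows `message` as a two-element array. The script below reproduces both framings in plain Python so they can be compared: the posted configuration, and a variant that parses the forwarded rsyslog line (a regex standing in for a grok pattern) and rebuilds an RFC 5424 header carrying the real origin host, program and pid. The sample line and event are constructed to match the shape of the ones quoted in the thread; rendering an object field as JSON during `%{...}` interpolation is an assumption about Logstash behaviour made here.

```python
import json
import re
from datetime import datetime, timezone

# Grok-equivalent pattern for a forwarded rsyslog line:
#   ISO8601-timestamp host prog[pid]: message      (the [pid] part is optional)
RSYSLOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<prog>[^\s\[:]+)"
    r"(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$"
)

# Constructed sample line, same shape as the lines quoted in the thread.
SAMPLE_LINE = (
    "2022-07-18T14:16:01.363926+00:00 scmgxpbt-wls-1 CROND[27856]: "
    "(root) CMD (python < /usr/share/rhn/virtualization/poller.py)"
)

# Constructed Filebeat 7.x event as Logstash sees it: `host` is an object (ECS),
# which is why a template of plain %{host} cannot yield a hostname.
SAMPLE_EVENT = {
    "message": SAMPLE_LINE,
    "host": {"name": "scmgxpbt-wls-1"},
    "fields": {"logtype": "rsyslog"},
}

_REF = re.compile(r"%\{([^}]+)\}")


def sprintf(template, event):
    """Minimal stand-in for Logstash %{...} interpolation: supports %{field} and
    %{[outer][inner]}; an object value is rendered as JSON and an unknown field
    is left unexpanded (assumption: this mirrors Logstash)."""
    def lookup(ref):
        keys = re.findall(r"\[([^\]]+)\]", ref) or [ref]
        value = event
        for k in keys:
            if not isinstance(value, dict) or k not in value:
                return "%{" + ref + "}"
            value = value[k]
        if isinstance(value, (dict, list)):
            return json.dumps(value, separators=(",", ":"))
        return str(value)
    return _REF.sub(lambda m: lookup(m.group(1)), template)


def parse_rsyslog_line(line):
    """Split a forwarded rsyslog line into ts, host, prog, pid, msg (or None)."""
    m = RSYSLOG_LINE.match(line)
    return m.groupdict() if m else None


def pri(facility=1, severity=6):
    """Syslog PRI = facility * 8 + severity; user.info (14) is the plugin default."""
    return facility * 8 + severity


def rfc3164_frame(sourcehost, appname, procid, payload, ts):
    """BSD syslog: <PRI>Mmm dd HH:MM:SS HOST APP[PID]: MSG (day is space-padded)."""
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    proc = f"[{procid}]" if procid else ""
    return f"<{pri()}>{stamp} {sourcehost} {appname}{proc}: {payload}"


def rfc5424_frame(sourcehost, appname, procid, msgid, payload, ts):
    """RFC 5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG ('-' is nil)."""
    return (f"<{pri()}>1 {ts.isoformat()} {sourcehost} {appname} "
            f"{procid or '-'} {msgid or '-'} - {payload}")


def frame_as_posted(event, ts):
    """The thread's output block: body is %{message}, appname "SIEM", and
    sourcehost left at the plugin default %{host}. The host slot gets JSON,
    which no SIEM will accept as a hostname."""
    return rfc3164_frame(sprintf("%{host}", event), "SIEM", None,
                         sprintf("%{message}", event), ts)


def frame_fixed(event):
    """Parse the original line and rebuild the header from it, so the SIEM sees
    the real origin host, program, pid and timestamp rather than the forwarder."""
    p = parse_rsyslog_line(event["message"])
    if p is None:
        # Unparseable line: fall back to the Filebeat host name, never to %{host}.
        return rfc5424_frame(sprintf("%{[host][name]}", event), "filebeat",
                             None, None, event["message"],
                             datetime.now(timezone.utc))
    ts = datetime.fromisoformat(p["ts"])
    return rfc5424_frame(p["host"], p["prog"], p["pid"], None, p["msg"], ts)


if __name__ == "__main__":
    received = datetime(2022, 7, 18, 14, 58, 1, tzinfo=timezone.utc)
    print(frame_as_posted(SAMPLE_EVENT, received))
    print(frame_fixed(SAMPLE_EVENT))
```

In a real pipeline the equivalent of `frame_fixed` is a grok that splits the line into separate fields (not back into `message`) followed by the syslog output's own header options: `sourcehost`, `appname` and `procid` all accept `%{...}` templates, so `sourcehost => "%{[host][name]}"` (or the hostname grok extracted) puts the Filebeat host into the header, and `rfc => "rfc5424"` selects the 5424 header format shown by the second print.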
system (system), closed August 15, 2022, 2:59pm, #7
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.