Output Using CEF codec and to Kafka Server

Wilks · June 28, 2021, 2:36pm

Hi,
Is there a way to nest the Output statement so that I can first output using the CEF codec and then Output to a Kafka topic. The requirement is that I have to covert the data to CEF and then send to a Kafka topic. I feel like I can just use the server and port of the Kafka server but I am not sure how to send it to a specific topic on that server. Will just adding "topic_id" work? or does it have to be nested differently?

output {
  tcp {
    port     => "KAFKA SERVER PORT"
    host     => "192,168.1.1,192.168.1.2"
    **topic_id => "mytopic"** 
    codec    =>  cef {
      delimiter  => "\r\n"
            fields     => [ "cs1", "cs2", "cs3"]
      version    => "1"
      severity   => "7"
    }
	}
}

Badger · June 28, 2021, 4:18pm

Why are you not using a kafka output?

Wilks · June 28, 2021, 4:23pm

Because I need the output to be in CEF format and I thought in order to output in CEF format I had to use the CEF codec. If I output just using

output {
      kafka {
        codec => json
        topic_id => "mytopic"
      }
    }

Will it display in CEF? or just text based? Basically want to send CEF formated data to a Kafka topic

Badger · June 28, 2021, 4:29pm

Have you tried using a cef codec for the kafka output?

Wilks · June 28, 2021, 6:34pm

Ah I see what you mean.
Thanks

system · July 26, 2021, 6:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.