I have some syslogs to parse which are in a very basic comma-delimited format. Everything looks and works fine apart from a file path with backslashes.
I've seen several suggestions on the forum around mutate and gsub but I've no idea where to put them!
Below is an example in the Elastic Dev Tools section for Security Onion
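For anyone landing on this thread with the same "where do mutate and gsub go" question: the following is an added Logstash pipeline example, not the original poster's configuration and not the Dev Tools snippet referenced above. It shows the usual placement, a `mutate` filter with `gsub` inside the `filter {}` block after the `csv` filter has split the line into fields. The listening port, the column names and the sample log line are all assumed for illustration; substitute your own.

```conf
# Added example pipeline (not the poster's config). Assumptions: syslog arrives on
# TCP/UDP 5514 and each message is "timestamp,user,action,file_path".
input {
  syslog {
    port => 5514
  }
}

filter {
  # 1. Split the comma-delimited message into named fields.
  #    The column names are assumed; match them to your real log layout.
  csv {
    source    => "message"
    separator => ","
    columns   => ["event_time", "user_name", "action", "file_path"]
    skip_empty_columns => true
  }

  # 2. Only now does the field exist, so this is where mutate/gsub belongs:
  #    after the filter that created the field, still inside filter {}.
  #    gsub takes triples of [field, regex, replacement]; the regex is a Ruby
  #    regex, and with the default config.support_escapes: false the string
  #    "\\" reaches Ruby unchanged and matches one literal backslash.
  mutate {
    gsub => [
      "file_path", "\\", "/"
    ]
  }

  # Optional: normalise the timestamp once the fields are separated.
  date {
    match  => ["event_time", "ISO8601"]
    target => "@timestamp"
  }
}

output {
  # rubydebug output is handy while testing; swap for your elasticsearch {} output.
  stdout { codec => rubydebug }
}

# Constructed test line (not a real log):
#   2024-05-01T10:15:00Z,jdoe,file_open,C:\Users\jdoe\Documents\report.docx
# After the csv filter, file_path is "C:\Users\jdoe\Documents\report.docx";
# after the gsub it is "C:/Users/jdoe/Documents/report.docx".
```

Check the syntax without starting the pipeline using `bin/logstash -f pipeline.conf --config.test_and_exit`. If you would rather keep the backslashes than replace them, leave the `mutate` out and inspect the field in the rubydebug output first: Logstash stores the single backslash, and the doubled `\\` you see in JSON views is only JSON escaping, not a second character in the data. If `config.support_escapes` has been switched on in `logstash.yml`, the `"\\"` above collapses to a single backslash before it reaches Ruby and will need to be written as `"\\\\"` instead.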
Sorry for the delay in replying, I've been away for a couple of weeks.
I don't really know the answer to your question, but it might make more sense if I provide some context.
We have logs being shipped from Zscaler ZPA into Security Onion and have the Elastic integration (www-elastic-co/docs/reference/integrations/zscaler_zpa) configured and working. This parses some data such as User Activity (help-zscaler-com/zpa/understanding-user-activity-log-fields) but does not currently support/parse Microsegmentation flows which are part of the same log shipping (help-zscaler-com/zpa/understanding-microsegmentation-flow-log-fields).
I know virtually nothing about Elastic/Security Onion as it was set up by a previous employee (lucky me), but I don't think the working logs are using Logstash. I may be wrong; this is just based on the fact that 'logstash' isn't mentioned in the Security Onion 'tags' field.
For reference, the 'tags' on a user activity entry which is being parsed are:
Most likely I'll have to wait and hope whoever looks after the integrations adds microsegmentation support, but I thought I'd try and see if it's possible myself.