Parser for LDAP logs - ECS format

Hi there !

I'm currently collecting LDAP logs (RHDS) with filebeat.
As you know, there isn't any module for these type of logs. However, I would like to be able to create alert on Elastic security based on these logs.
This mean I need to parse this logs with ECS format.

What is the best way to do it ? Directly in Filebeat or through Elastic or Logstash ?
What the configuration should look like ?

Any idea would be welcome.
Cheers

Hi all,

Any help would be appreciated :slight_smile:

I don't know where to start and how to do it. I found some info there : GitHub - ltb-project/openldap-elk: ELK configuration to parse OpenLDAP logs
I tried it but it's not working. Moreover this is not parsed to the ECS format.

I send my logs directly to Elasticsearch, so I imagine that I need to write a grok function in an ingest node pipeline. Correct me if I'm wrong.

Cheers