Parsing LEEF data

Hello,
How can I parse LEEF data? The format uses | separation in the header and SPACE separation in the body. Below is a sample event; please advise.

The objective is to parse both the LEEF header (LEEF:1.0|Cyber-Ark|Vault|12.2.0002|361|sev=6) and the rest of the body.

<5>1 2022-09-14T07:56:47Z WIN0981 LEEF:1.0|Cyber-Ark|Vault|12.2.0002|361|sev=6 Action=Keystroke logging EventMessage=Keystroke logging OSUser= usrName=a9010@adest src=13.23.6.4 SourceUser= TargetUser= File=Root\Operating System-_A_UNI_AE_WE-10.1.10.3-ars-root Safe=APP27-LNX Location= Category= RequestId= Reason= ExtraDetails=Command=more recover_database_MADR03_archivelog.log;ConnectionComponentId=PSMP-SSH;DstHost=10.1.10.3;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=b546aade-3402-11ed-9b51-0050569774b7;SrcHost=10.11.5.22;User=ars-root;VIDOffset=29T; GatewayStation= CAPolicy= shost=15.29.3.8 dhost=10.1.10.3 duser=ars-root externalId=b546aade-3402-11ed-9b51-0050569774b7 app=SSH reason=more recover_database

--
Thanks,
Siddarth

I would suggest using a mutate filter to change that into valid CEF and then using a TCP output/input pair with a cef codec on the input as shown here.
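For readers who would rather parse the event directly than round-trip it through CEF, the following is an added example (not code from the thread, from CyberArk or from Logstash). It splits the pipe-delimited LEEF header, then cuts the body only where a space is followed by a new `key=`, so values that themselves contain spaces (`Action=Keystroke logging`, the `File=` path, the trailing `reason=`) survive intact, and it unpacks CyberArk's `;`-separated `ExtraDetails` list into its own hash. As a generalisation beyond the post it also accepts LEEF 2.0 headers, whose sixth field carries the attribute delimiter (a literal character or an `xHH` hex code). The sample event is the one from the question; the output field names (`syslog_prefix`, `extra_details`, and so on) are my own choice.

```ruby
# Added example: a LEEF 1.0/2.0 parser for syslog-wrapped events such as the
# CyberArk Vault line in the thread. Not from the thread, CyberArk or Logstash.

# The event from the question, embedded so the block runs offline.
SAMPLE_EVENT = '<5>1 2022-09-14T07:56:47Z WIN0981 LEEF:1.0|Cyber-Ark|Vault|12.2.0002|361|sev=6 Action=Keystroke logging EventMessage=Keystroke logging OSUser= usrName=a9010@adest src=13.23.6.4 SourceUser= TargetUser= File=Root\Operating System-_A_UNI_AE_WE-10.1.10.3-ars-root Safe=APP27-LNX Location= Category= RequestId= Reason= ExtraDetails=Command=more recover_database_MADR03_archivelog.log;ConnectionComponentId=PSMP-SSH;DstHost=10.1.10.3;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=b546aade-3402-11ed-9b51-0050569774b7;SrcHost=10.11.5.22;User=ars-root;VIDOffset=29T; GatewayStation= CAPolicy= shost=15.29.3.8 dhost=10.1.10.3 duser=ars-root externalId=b546aade-3402-11ed-9b51-0050569774b7 app=SSH reason=more recover_database'.freeze

# Split the attribute section into key/value pairs. Values may contain the
# delimiter ("Action=Keystroke logging"), so rather than splitting on every
# delimiter we cut only where a delimiter run is followed by "<word>=",
# i.e. where the next key starts. Empty values ("OSUser=") are kept as "".
def parse_attributes(text, delim)
  sep = delim == :whitespace ? '[ \t]+' : Regexp.escape(delim) + '+'
  pairs = {}
  text.scan(/(\w+)=(.*?)(?=#{sep}\w+=|\z)/) { |k, v| pairs[k] = v.strip }
  pairs
end

# CyberArk packs a second key=value list, ';'-separated, into ExtraDetails.
def parse_extra_details(value)
  value.split(';').each_with_object({}) do |item, h|
    k, v = item.split('=', 2)
    next if k.nil? || k.strip.empty?
    h[k.strip] = v.to_s.strip
  end
end

# Resolve the LEEF 2.0 delimiter field: empty means tab, "x09"/"0x09" is a
# hex-coded character, anything else is taken literally.
def resolve_delimiter(field)
  return "\t" if field.empty?
  hex = field[/\A0?x([0-9a-fA-F]{2})\z/, 1]
  hex ? [hex].pack('H2') : field
end

# Parse one syslog line carrying a LEEF payload. Anything before "LEEF:" is
# kept as the syslog prefix (PRI, version, timestamp, host in the sample).
def parse_leef(line)
  start = line.index('LEEF:')
  raise ArgumentError, 'no LEEF payload in line' if start.nil?

  event = { 'syslog_prefix' => line[0...start].strip }
  payload = line[start..-1].strip
  version = payload[/\ALEEF:([\d.]+)\|/, 1]
  raise ArgumentError, 'malformed LEEF header' if version.nil?

  if version == '2.0'
    # LEEF:2.0|Vendor|Product|Version|EventID|delimiter|attributes
    fields = payload.split('|', 7)
    raise ArgumentError, 'short LEEF 2.0 header' if fields.size < 7
    delim = resolve_delimiter(fields[5])
    attrs = fields[6]
  else
    # LEEF:1.0|Vendor|Product|Version|EventID|attributes
    # The spec says tab-separated; CyberArk (as in the sample) uses spaces,
    # so accept any run of spaces/tabs.
    fields = payload.split('|', 6)
    raise ArgumentError, 'short LEEF 1.0 header' if fields.size < 6
    delim = :whitespace
    attrs = fields[5]
  end

  event['leef_version'] = version
  event['vendor'], event['product'], event['product_version'], event['event_id'] = fields[1, 4]
  event['attributes'] = parse_attributes(attrs, delim)
  if event['attributes'].key?('ExtraDetails')
    event['extra_details'] = parse_extra_details(event['attributes']['ExtraDetails'])
  end
  event
end

if __FILE__ == $PROGRAM_NAME
  require 'pp'
  pp parse_leef(SAMPLE_EVENT)
end
```

The same functions can be dropped into a Logstash `ruby` filter: call `parse_leef(event.get('message'))` from the filter's `code` and write the returned hash back with `event.set`. The `\w+=` look-ahead is the one assumption worth checking against your own feed: a value that itself contains a space followed by `word=` (a free-text command line, say) would be cut at that point, which is why `ExtraDetails` is handled as a separate `;`-delimited list rather than left to the outer split.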
