I'm having some issues with normalizing my CEF logs coming over Elastic Agent's CEF integration.
To be precise, they're logs from Silverfort, and there's no way to configure detailed logging options on it to remove the double quotation marks. Here is a part of the raw message:
<134>Nov 25 09:56:59 host CEF:0|Silverfort|Admin Console|1.2.3.4-RC|Authentication|Authentication request|2|rt="1732528619954" suser="user@example.com" sntdom="example.com" shost="host01" src="10.0.0.0" destinationServiceName="dest@example.com" dhost="host02" ...
After being indexed, the fields have quotation marks in the values:
"user": {
"name": "\"user@example.com\""
}
Any help is appreciated. I tried playing around with painless scripts on the CEF integration under Processors, and with a Logstash ruby filter.
So far, no luck.
The key is to do the processing before it hits the Elasticsearch CEF ingest pipeline as the pipeline does not know how to handle it, and I would like to avoid modifying it since it will be overwritten on updates.
[error in field 'rt': value is not a valid timestamp, error in field 'src': value is not a valid IP address]
Does anyone have a quick and dirty loop through all and remove specific character script?
Cheers,
Luka
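One way to do the pre-processing the post asks for, as an added example that is not the original poster's code nor anything from Silverfort or Elastic: a Ruby function that strips the wrapping double quotes from CEF extension values so the record reaches the stock Elastic CEF ingest pipeline as plain key=value pairs. It assumes the standard 7-field CEF header and the Logstash ruby filter script contract (`def filter(event)` returning an array, loaded via `ruby { path => "..." }`); the sample line is the one from the post.

```ruby
# Added example: normalise Silverfort CEF lines whose extension values are
# wrapped in double quotes (key="value") before the Elastic CEF pipeline
# sees them. Intended for a Logstash `ruby { path => "strip_cef_quotes.rb" }`
# filter, i.e. ahead of Elasticsearch, so the managed pipeline stays untouched.

# Standard CEF header: Version|Vendor|Product|Device Version|Signature ID|
# Name|Severity, then the extension block after the 7th pipe.
HEADER_FIELDS = 7

# Rewrite key="value" -> key=value inside the extension block only.
# A quote escaped as \" inside a value is preserved; a literal '=' that is
# exposed once the quotes are gone is escaped as '\=' as CEF requires.
def strip_cef_quotes(line)
  # Split on unescaped '|' only; limit keeps any '|' inside values intact.
  parts = line.split(/(?<!\\)\|/, HEADER_FIELDS + 1)
  return line if parts.length < HEADER_FIELDS + 1 # not a complete CEF record

  extension = parts[HEADER_FIELDS]
  extension = extension.gsub(/(\w+)="((?:[^"\\]|\\.)*)"/) do
    key   = Regexp.last_match(1)
    value = Regexp.last_match(2).gsub(/(?<!\\)=/) { '\\=' }
    "#{key}=#{value}"
  end
  (parts[0, HEADER_FIELDS] << extension).join('|')
end

# Logstash ruby-filter entry point (script form): rewrite the raw message
# field in place so the downstream CEF decoder never sees the quotes.
def filter(event)
  message = event.get('message')
  event.set('message', strip_cef_quotes(message)) if message.is_a?(String)
  [event]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed from the line quoted in the post.
  raw = '<134>Nov 25 09:56:59 host CEF:0|Silverfort|Admin Console|1.2.3.4-RC|' \
        'Authentication|Authentication request|2|rt="1732528619954" ' \
        'suser="user@example.com" src="10.0.0.0" dhost="host02"'
  puts strip_cef_quotes(raw)
end
```

Running the file stand-alone prints the rewritten line; under Logstash only `filter` is invoked.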