Sending logs from Logstash to ArcSight via Syslog CEF

Hello,

I've configured my Logstash to send events to an ArcSight Connector via the syslog output plugin with the cef codec.

The data I receive looks like this:

{"name": SERVER_NAME} LOGSTASH[*]: CEF:0|Elasticsearch|Logstash|1.0|Logstash|Logstash|6|\n

I tried playing with the Logstash configuration but nothing seems to work.

This is my current output configuration:

output {
  syslog {
    host => "[Arcsight_Connector]"
    port => 514
    protocol => "udp"
    codec => cef {
      delimiter => " "
      # list of event fields to emit as CEF extension key=value pairs
      fields => [
        "dvchost",
        "duser",
        "dntdom",
        "cs5",
        "cs4",
        "shost",
        "cs6",
        "cs3",
        "cs1",
        "src",
        "duid",
        "cn1",
        "fname",
        "sntdom",
        "dvchost",
        "deviceProcessName",
        "suid",
        "destinationServiceName",
        "dpriv",
        "spt",
        "susr",
        "cs2",
        "dproc"
      ]
    }
  }
}

The fields line is based on a solution given here: https://discuss.elastic.co/t/cef-codec-does-not-resolve-extended-fields/148354/2

However, it doesn't seem to work for me.

My Logstash is version 6.4.2,
the CEF codec plugin is version 5.0.2,
and the Syslog output plugin is version 3.0.5.

Any suggestion?

Thank you very much!

What result do you get and what don't you like about it?

I'm sending Sysmon events and I want to get all the necessary fields, but all I seem to get is the source host name. I want to get the process name, event ID, time, username, etc.
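The cef codec's `fields` option only emits event fields that already exist under the listed names, so a Sysmon event shipped by Winlogbeat has to be renamed onto CEF extension keys before the output stage. The following pipeline is an added example, not code from the thread above; the Winlogbeat field names (`source_name`, `computer_name`, `event_id`, `event_data.*`), the label choices and the connector host are assumptions.

```logstash
# Added example: map Winlogbeat Sysmon fields onto CEF extension keys,
# then hand the event to the syslog output with the cef codec.
# Field names under event_data.* and the connector host are assumptions.
filter {
  if [source_name] == "Microsoft-Windows-Sysmon" {
    mutate {
      # rename Sysmon/Winlogbeat fields to the CEF keys the codec will emit
      rename => {
        "[computer_name]"           => "dvchost"
        "[event_id]"                => "cn1"
        "[event_data][Image]"       => "dproc"
        "[event_data][User]"        => "suser"
        "[event_data][ProcessId]"   => "cs1"
        "[event_data][CommandLine]" => "cs2"
        "[event_data][ParentImage]" => "cs3"
        "[event_data][Hashes]"      => "cs4"
      }
      # custom-string/number fields need labels so ArcSight can name them
      add_field => {
        "cn1Label" => "EventID"
        "cs1Label" => "ProcessId"
        "cs2Label" => "CommandLine"
        "cs3Label" => "ParentImage"
        "cs4Label" => "Hashes"
      }
    }
  }
}

output {
  syslog {
    host     => "ARCSIGHT_CONNECTOR_HOST"   # placeholder, set to the connector
    port     => 514
    protocol => "udp"
    codec => cef {
      # CEF header: Vendor|Product|Version|SignatureID|Name|Severity
      vendor    => "Microsoft"
      product   => "Sysmon"
      version   => "1.0"
      signature => "%{cn1}"
      name      => "Sysmon event %{cn1}"
      severity  => "5"
      # only fields present on the event (renamed above) will appear
      fields => [
        "dvchost", "cn1", "cn1Label", "dproc", "suser",
        "cs1", "cs1Label", "cs2", "cs2Label",
        "cs3", "cs3Label", "cs4", "cs4Label"
      ]
    }
  }
}
```

A quick check before pointing the output at ArcSight is to swap the syslog output for `stdout { codec => cef { ... } }` with the same `fields` list and confirm the extension section is populated.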
