Sending logs from Logstash to ArcSight via Syslog CEF

Elastic Stack Logstash
1

Hello,

I've configured my Logstash to send event to an ArcSight Connector via the syslog output plugin with cef codec.

The data I receive looks like this:

{"name": SERVER_NAME} LOGSTASH[*]: CEF:0|Elasticsearch|Logstash|1.0|Logstash|Logstash|6|\n

I tried playing with the Logstash configuration but nothing seems to work.

This is my current output configuration:

output {
             syslog {
                           host => "[Arcsight_Connector]"
                           port => 514
                           protocol => "udp"
                           codec => cef {
                                        delimiter => " "
                                         fields => [
                	"dvchost"
                    "duser",
                    "dntdom",
                    "cs5",
                    "cs4",
                    "shost",
                    "cs6",
                    "cs3",
                    "cs1",
                    "src",
                    "duid",
                    "cn1",
                    "fname",
                    "sntdom",
                    "dvchost",
                    "deviceProcessName",
                    "suid",
                    "destinationServiceName",
                    "dpriv",
                    "spt",
                    "susr",
                    "cs2",
                    "dproc"
                ]
   }

}

The fields line is based on a solution given here: https://discuss.elastic.co/t/cef-codec-does-not-resolve-extended-fields/148354/2

However, it doesn't seem to work for me.

My Logstash is version 6.4.2
CEF codec plugin is version 5.0.2
and Syslog output version is 3.0.5

Any suggestion?

Thank you very much!

2

What result do you get and what don't you like about it?

3

I'm sending Sysmon events, I want to get all the fields necessary, but all I seem to get is the source host name. I want to get the process name, event ID, time, username etc.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.