Hello, I'm trying to use the CrowdStrike SIEM Connector with Filebeat.
I've been checking some documentation but can't find a way to solve my problem.
I think it is kind of working, but the message field looks like a bunch of hex.
My filebeat.yml (or the parts I think actually matter):
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
# filestream is an input for collecting log messages from files.
- type: filestream
  # Change to true to enable this input configuration.
  enabled: true   # was false; while false the path below is never read
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/crowdstrike/falconhoseclient/output
# ================================== Outputs ===================================
# Configure what output to use when sending the data collected by the beat.
# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  # Commented out too: Filebeat accepts only one output, and an uncommented
  # "hosts" at this indentation is parsed as a setting of the input above.
  #hosts: ["localhost:9200"]
  # Protocol - either `http` (default) or `https`.
  #protocol: "https"
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"
# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["xx.xx.xx.xx:xxxx"]
cs.falconhoseclient.cfg
http_proxy =
# Output formats
# Supported formats are
# 1.syslog: will output syslog format with flat key=value pairs uses the mapping configuration below.
; Use syslog format if CEF/LEEF output is required.
# 2.json: will output raw json format received from FalconHose API (default)
output_format = json
and my conf file for filebeat
input {
  beats {
    host => "0.0.0.0"
    port => 9012
    type => "beats"
  }
}
output {
  elasticsearch {
    hosts => "xx.xx.xx.xx:9200"
    manage_template => false
    index => "falcon-crowdstrike-%{+YYYY.MM}"
  }
}
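An added check, not part of the post and not CrowdStrike or Elastic code, for narrowing down where the hex comes from: run it against the connector's output file and it reports whether the lines there are JSON objects (as output_format = json should produce) or already hex, and decodes any hex line to see what is underneath. The sample lines and the OUTPUT_FILE fallback behaviour are constructed for this example.

```python
import json
import re
import sys
from collections import Counter

# Output file path from the filebeat.yml above.
OUTPUT_FILE = "/var/log/crowdstrike/falconhoseclient/output"
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample: two JSON events shaped like connector output, plus one
# event hex-encoded so the decode path below is exercised.
SAMPLE_LINES = [
    '{"metadata": {"eventType": "DetectionSummaryEvent", "offset": 1}, "event": {"Severity": 3}}',
    '{"metadata": {"eventType": "UserActivityAuditEvent", "offset": 2}, "event": {}}',
    json.dumps({"metadata": {"offset": 3}}).encode("utf-8").hex(),
]


def classify_line(line: str) -> str:
    """Label a line 'hex' (only hex digits), 'json' (a JSON object), 'empty' or 'other'."""
    text = line.strip()
    if not text:
        return "empty"
    if HEX_RE.match(text) and len(text) % 2 == 0:
        return "hex"
    try:
        return "json" if isinstance(json.loads(text), dict) else "other"
    except ValueError:
        return "other"


def decode_hex_event(line: str):
    """If a hex line decodes to a UTF-8 JSON object, return that object; otherwise None."""
    if classify_line(line) != "hex":
        return None
    try:  # bytes.fromhex, decode and json.loads all raise ValueError subclasses
        obj = json.loads(bytes.fromhex(line.strip()).decode("utf-8"))
    except ValueError:
        return None
    return obj if isinstance(obj, dict) else None


def summarize(lines) -> dict:
    """Count lines per label, e.g. {'json': 2, 'hex': 1}; only 'json' means the file is clean."""
    return dict(Counter(classify_line(line) for line in lines))


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else OUTPUT_FILE
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    except OSError:
        lines = SAMPLE_LINES  # file not present on this host: use the constructed sample
    print(summarize(lines))
```

If the file itself is clean JSON, the hex is being introduced after Filebeat reads it, so the next place to look is the Filebeat to Logstash hop rather than the connector.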