So, the filtering issue has been solved like this:

```
if [winlog][channel] == "Security" or [service][type] == "auditd" {
  syslog {
    appname => "security"
    host => "172.16.60.12"
    port => "514"
    protocol => "udp"
    #rfc => "rfc5424"
    codec => line { format => "%{message}" }
    #codec => line
    # note: in the captured output below, [host] is a Beats-style object, so this expands to its JSON
    sourcehost => "%{host}"
  }
}
```
So my SIEM receives the messages that should be there, and Elastic gets everything.

However, I still have two basic issues to solve.

The SIEM (QRadar) recognizes the Linux audit messages and parses them correctly from the following forwarder input (from Logstash):

```
<13>Jun 24 15:14:59 {"name":"CentOS7Vlad","hostname":"vladcentos7.intra","id":"05976e934c954085a28184accf4245f1","os":{"name":"CentOS Linux","family":"redhat","version":"7 (Core)","kernel":"3.10.0-957.21.2.el7.x86_64","platform":"centos","codename":"Core"},"architecture":"x86_64","containerized":false} security[*]: type=CRYPTO_KEY_USER msg=audit(1561389292.770:839): pid=19824 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:f3:7b:d7:68:b3:e4:31:f9:e6:b5:35:18:27:aa:a5:0b:61:b4:e4:9d:bc:9b:ef:c5:7e:95:2e:1d:1f:fd:e3:1a direction=? spid=98029 suid=1000 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
```
However, as you can see, this syslog message does not comply with the standards, so QRadar cannot parse certain values (most importantly the source host, so it will not rely on the IP header).

Does anyone here already have some trick for this? I suppose a properly created format for the line codec would be sufficient, or maybe some filter.

I have something like this in mind:

```
codec => line { format => "%{original_timestamp} %{original_host} %{message}" }
```
Thank you
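To see why the SIEM loses the source host, here is an added example (not from the post above and not Logstash's own code) that emulates the RFC 3164 header the syslog output builds and checks it with a strict parser: with `sourcehost => "%{host}"` the Beats-style `host` object is expanded to JSON and the HOSTNAME token is invalid, while `sourcehost => "%{[host][name]}"` yields a parseable line. The `%{field}` expansion of an object to compact JSON, the `[-]` procid and the `[host][name]` field path are assumptions taken from the shape of the captured line, not verified plugin behaviour.

```python
import json
import re
from datetime import datetime

# Header shape emitted by the syslog output (RFC 3164 style):
#   <PRI>Mon dd HH:MM:SS HOSTNAME APPNAME[PROCID]: MESSAGE
# A SIEM parser such as QRadar's expects HOSTNAME to be one hostname/IP token.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[A-Za-z0-9._:-]+) "            # hostname or IP characters only
    r"(?P<tag>[A-Za-z0-9_.-]+)(?:\[(?P<pid>[^\]]*)\])?: "
    r"(?P<msg>.*)$"
)

# Constructed event mirroring the post: `host` is a Beats-style object.
EVENT = {
    "@timestamp": "2019-06-24T15:14:59Z",
    "host": {"name": "CentOS7Vlad", "hostname": "vladcentos7.intra",
             "os": {"name": "CentOS Linux", "family": "redhat"}},
    "message": "type=CRYPTO_KEY_USER msg=audit(1561389292.770:839): pid=19824 "
               "uid=0 auid=1000 msg='op=destroy kind=server res=success'",
}

def get_field(event, ref):
    """Resolve a Logstash field reference such as 'host' or '[host][name]'."""
    keys = re.findall(r"\[([^\]]+)\]", ref) or [ref]
    value = event
    for key in keys:
        value = value[key]
    return value

def render_syslog(event, sourcehost_ref, appname="security", pri=13):
    """Emulate (assumption, not the plugin's code) the line sent when
    sourcehost is set to %{sourcehost_ref}: an object-valued field is
    expanded to its compact JSON, which is what the post's capture shows."""
    dt = datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    ts = f"{dt.strftime('%b')} {dt.day:2d} {dt.strftime('%H:%M:%S')}"
    host = get_field(event, sourcehost_ref)
    if isinstance(host, dict):
        host = json.dumps(host, separators=(",", ":"))
    return f"<{pri}>{ts} {host} {appname}[-]: {event['message']}"

def parse_rfc3164(line):
    """Return the header fields, or None if the line is not well-formed."""
    m = RFC3164_RE.match(line)
    return m.groupdict() if m else None
```

Running `parse_rfc3164(render_syslog(EVENT, "host"))` returns `None`, while the `[host][name]` variant parses with `host == "CentOS7Vlad"`, so the same check can be run on a packet capture of what Logstash actually forwards before blaming the SIEM's parser.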