Filebeat supports extensive Suricata EVE log parsing through the "suricata" module. The assumption of the module is that these logs are present in a file on disk. In my case, they arrive via Syslog. Also, that Syslog does not only contain Suricata events, but also other events like firewall logs (in the same Syslog stream). What's the best way to get this working with filebeat?
I know I can override the input settings for the module and use a Syslog input. But there's more to do here: I need to parse out a syslog header before the data is in plain json like the module expects. Also, I only want to forward those syslog messages to the module, that actually are suricata eve logs.
Is there any way to make Filebeat flexible enough to handle this? In Logstash I would simply check if the log was a suricata log, and then forward it to a "suricata" pipeline with pipeline to pipeline communication.