And I want to remove auditbeat, packetbeat, and cisco, netflow, zeek in filebeat.
So the index was deleted in security, but it was not deleted from the screen.
In the future I will use fluentd instead of filebeat to collect logs. Is it impossible to use SIEM at this time?
If I use filebeat, isn't it automatically creating a log in ECS format?
Currently I am receiving and processing syslog using filebeat, but Elastic SIEM can't discover logs. So, do I have to create a custom module to fill in the fields of the link?
And how do I edit the items in the overview?
I don't want to make a beat-by-beat item, but rather modify it to my liking.
If you're using filebeat modules then yes. But it doesn't mean it'll create all of the necessary fields.
For example, if you want to add your device to the HOSTS page in SIEM, you'll need two ECS fields: @timestamp and host.name.
Could you send a sample log so we can figure out which fields are missing and which fields need to be changed?
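To check a batch of filebeat JSON events for the two ECS fields the SIEM Hosts page needs, here is an added example (not code from the thread or from Elastic); the sample NDJSON lines are constructed, and the field names are the ones named above.

```python
import json
from collections import Counter

# ECS fields the SIEM Hosts page requires on every event (per the answer above).
REQUIRED_HOST_FIELDS = ("@timestamp", "host.name")

def get_field(event, dotted):
    """Resolve an ECS field whether the event uses nested dicts or flat dotted keys."""
    if dotted in event:
        return event[dotted]
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def missing_fields(event, required=REQUIRED_HOST_FIELDS):
    """Return the required fields that are absent or empty in one event."""
    return [f for f in required if get_field(event, f) in (None, "")]

def check_events(ndjson_text):
    """Report (line number, missing fields) for each non-empty NDJSON line."""
    report = []
    for lineno, line in enumerate(ndjson_text.splitlines(), 1):
        if line.strip():
            report.append((lineno, missing_fields(json.loads(line))))
    return report

def events_per_host(ndjson_text):
    """Count events by host.name; every device collapsing onto one host name is a
    sign that the collecting host's name is overwriting the sender's."""
    names = (get_field(json.loads(l), "host.name") for l in ndjson_text.splitlines() if l.strip())
    return Counter(n if n else "<missing>" for n in names)

# Constructed sample output: one nested event, one raw line, one flat dotted event.
SAMPLE = "\n".join([
    json.dumps({"@timestamp": "2020-06-01T00:00:00.000Z", "host": {"name": "suricata-01"}, "message": "ok"}),
    json.dumps({"message": "raw syslog line with no host or timestamp"}),
    json.dumps({"@timestamp": "2020-06-01T00:00:01.000Z", "host.name": "waf-01", "event.module": "system"}),
])

if __name__ == "__main__":
    for lineno, missing in check_events(SAMPLE):
        print(f"line {lineno}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
    print(dict(events_per_host(SAMPLE)))
```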
You were right.
As a result of checking, syslogs of other devices are also received by filebeat from the host where suricata is installed, so all of them are checked like suricata logs.
Thank you.
If the host information is modified, it is determined that the event can be checked in siem.
And is there a way to modify the name of other equipment such as suricata, my WAF, or IPS instead of "Network" in the overview and "OOOBeat" under Host?
Does this part refer to agent.type and event.module?