I collected the syslogs of security devices (WAF, IPS, IDS (Suricata), anti-DDoS) with Filebeat, delivered them to Logstash, and stored them in Elasticsearch.
I know that when using Filebeat, it automatically converts them into ECS format.
All collected indexes were registered in the SIEM index.
However, equipment other than suricata cannot be identified in the elastic siem.
This is the security equipment log collected using Filebeat's CEF module, and it can be checked in Elasticsearch.
The index is also registered so that it can be checked in siem.
However, only the suricata log can be checked in the actual siem.
If you look at the SIEM overview, there are only beats in both the host and network sections, and even if you add an index, it is not registered.
How can I use security device logs in the SIEM?
Also, I want to remove auditbeat, packetbeat, and cisco, netflow, zeek in Filebeat.
So the index was deleted in Security, but it was not deleted from the screen.
In the future I will use fluentd instead of Filebeat to collect logs; is it impossible to use the SIEM at this time?
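The situation above, where one source shows up in the SIEM app and others do not, usually comes down to which ECS fields each document carries. The following diagnostic is an added example, not part of the post or of Elastic's code; it assumes that the Hosts view keys on `host.name`, the Network view on `source.ip`/`destination.ip`, and that both expect `@timestamp` plus `event.kind`/`event.category`, and the three sample documents are constructed.

```python
"""Check whether documents carry the ECS fields the Elastic SIEM app keys on.
Added diagnostic example (not from the original post or from Elastic).
Assumption: Hosts view needs host.name, Network view needs source.ip and
destination.ip, and both expect @timestamp, event.kind and event.category."""

# ECS fields each SIEM view is assumed to require (see assumption above)
REQUIRED = {
    "common": ["@timestamp", "event.kind", "event.category"],
    "hosts": ["host.name"],
    "network": ["source.ip", "destination.ip"],
}

def get_path(doc, path):
    """Resolve 'a.b.c' against a doc stored either nested ({'a': {'b': ...}})
    or flat with dotted keys ({'a.b.c': ...}); Beats and Logstash can emit either."""
    if path in doc:
        return doc[path]
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def missing_ecs_fields(doc):
    """Return {view: [missing fields]} for each view that would not show this doc."""
    missing = {}
    for view, fields in REQUIRED.items():
        absent = [f for f in fields if get_path(doc, f) in (None, "")]
        if absent:
            missing[view] = absent
    return missing

# Constructed sample documents
SURICATA = {"@timestamp": "2021-03-01T10:00:00Z", "agent": {"type": "filebeat"},
            "event": {"kind": "alert", "category": ["network"]},
            "host": {"name": "ids-01"},
            "source": {"ip": "10.0.0.5"}, "destination": {"ip": "10.0.0.9"}}
# CEF-module style event: device name landed in observer.*, host.name left unset
CEF_WAF = {"@timestamp": "2021-03-01T10:00:01Z", "agent": {"type": "filebeat"},
           "event": {"kind": "event", "category": ["web"]},
           "observer": {"hostname": "waf-01"},
           "source": {"ip": "203.0.113.7"}, "destination": {"ip": "10.0.0.20"}}
# Raw syslog line shipped with no ECS mapping at all (e.g. a plain fluentd pipeline)
RAW = {"@timestamp": "2021-03-01T10:00:02Z",
       "message": "<134>Mar 1 ddos-01 flood from 198.51.100.3"}

if __name__ == "__main__":
    for name, doc in [("suricata", SURICATA), ("cef_waf", CEF_WAF), ("raw", RAW)]:
        print(name, missing_ecs_fields(doc) or "ok")
```

Running it shows why only the Suricata document would appear in every view; the same check can be pointed at real documents pulled from the index to see which fields a Logstash or fluentd pipeline still needs to map.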