Zeek module


My setup:
On one server I log (with Zeek) all data from the office network.
On the same server I use Filebeat to ship this data from /opt/zeek/spool/logger/*
to another server with Elastic and Kibana.
I also use the Zeek module.

Extra info:
When I look in the /etc/filebeat/modules.d/zeek.yml file I see that the following logs get parsed:
conn.log, dns.log, http.log, files.log, ssl.log and notice.log
This means that
capture_loss.log, dce_rpc.log, dhcp.log, dpd.log, known_hosts.log, known_services.log, mysql.log,
ntlm.log, ntp.log, radius.log, reporter.log, sip.log, smb_files.log, smb_mapping.log, snmp.log, software.log, stats.log, stderr.log, stdout.log, syslog.log, weird.log and x509.log
do get sent (I said in the filebeat.yml that all .log files should be sent) but do not get parsed.
All files are written in JSON.

My question:
Is what I said above correctly interpreted by me?
And if so, how do I get this parsed so that Elastic understands this data in addition to the already parsed data?
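One way to give the datasets the module does not parse a consistent shape before they reach Elasticsearch, as an added illustration for this thread (it is not code from the original post and not the Filebeat zeek module's own ingest pipeline): a small Python normaliser that derives `event.dataset` from the log file name, converts Zeek's epoch `ts` to an ISO 8601 `@timestamp`, moves `uid` to `zeek.session_id`, renames the `id.*` connection 4-tuple to ECS `source.*`/`destination.*` (assumed to be the same renames the module applies to conn.log), and nests every remaining field under `zeek.<dataset>.*` so nothing collides with ECS names. The two sample lines are constructed, not captured from a real network; the path prefix `/opt/zeek/spool/logger/` is the one from the post.

```python
"""Normalise Zeek JSON log lines into ECS-shaped documents.

Added illustration for this thread, not code from the original post and not
the Filebeat zeek module's own ingest pipeline. It covers the minimum the
poster's unparsed datasets (dhcp.log, weird.log, ...) would need: an
event.dataset derived from the file name, @timestamp from Zeek's epoch `ts`,
and the connection 4-tuple renamed to ECS source/destination fields.
"""
import json
from datetime import datetime, timezone
from pathlib import PurePosixPath

# Zeek connection identifiers -> ECS fields. Assumption: the renames the
# module applies to conn.log are appropriate for every Zeek dataset.
ID_FIELDS = {
    "id.orig_h": ("source", "ip"),
    "id.orig_p": ("source", "port"),
    "id.resp_h": ("destination", "ip"),
    "id.resp_p": ("destination", "port"),
}


def dataset_from_path(path: str) -> str:
    """'/opt/zeek/spool/logger/dhcp.log' -> 'zeek.dhcp'."""
    name = PurePosixPath(path).name
    return "zeek." + name.split(".", 1)[0]


def zeek_ts_to_iso(ts) -> str:
    """Zeek writes ts as float seconds since the epoch; ECS wants ISO 8601 UTC."""
    dt = datetime.fromtimestamp(float(ts), tz=timezone.utc)
    return dt.isoformat(timespec="microseconds").replace("+00:00", "Z")


def normalise(line: str, path: str) -> dict:
    """Turn one JSON line read from `path` into an ECS-shaped document."""
    raw = json.loads(line)
    dataset = dataset_from_path(path)
    doc = {"event": {"module": "zeek", "dataset": dataset}, "zeek": {}}

    ts = raw.pop("ts", None)
    if ts is not None:
        doc["@timestamp"] = zeek_ts_to_iso(ts)

    # Zeek's per-connection uid is what the module exposes as zeek.session_id.
    uid = raw.pop("uid", None)
    if uid is not None:
        doc["zeek"]["session_id"] = uid

    for zeek_key, (top, leaf) in ID_FIELDS.items():
        if zeek_key in raw:
            doc.setdefault(top, {})[leaf] = raw.pop(zeek_key)

    # Remaining, dataset-specific fields live under zeek.<dataset>.* so they
    # never collide with ECS names or with another dataset's field types.
    doc["zeek"][dataset.split(".", 1)[1]] = raw
    return doc


def normalise_file(lines, path: str) -> list:
    """Normalise every line of one log file, skipping empty lines and lines
    that are not JSON (e.g. a partially written trailing line)."""
    docs = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            docs.append(normalise(line, path))
        except json.JSONDecodeError:
            continue
    return docs


# Constructed sample lines in Zeek's JSON format (not captured from any network).
SAMPLE_WEIRD = (
    '{"ts":1591315200.5,"uid":"CMdzit1AMLJ0rLpcu0","id.orig_h":"192.168.4.76",'
    '"id.orig_p":36844,"id.resp_h":"192.168.4.1","id.resp_p":53,'
    '"name":"bad_UDP_checksum","notice":false,"peer":"zeek"}'
)
SAMPLE_DHCP = (
    '{"ts":1591315260.0,"uids":["CMdzit1AMLJ0rLpcu0"],"client_addr":"192.168.4.76",'
    '"server_addr":"192.168.4.1","mac":"00:16:3e:5e:6c:00","host_name":"laptop",'
    '"assigned_addr":"192.168.4.76","lease_time":3600.0,"msg_types":["REQUEST","ACK"]}'
)

if __name__ == "__main__":
    for path, line in (("/opt/zeek/spool/logger/weird.log", SAMPLE_WEIRD),
                       ("/opt/zeek/spool/logger/dhcp.log", SAMPLE_DHCP)):
        print(json.dumps(normalise(line, path), indent=2))
```

Run it with no arguments to see the two normalised documents. The same field moves can be expressed as Filebeat processors or an Elasticsearch ingest pipeline; the script only makes explicit what each unparsed dataset needs before it can sit next to the module's output.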

