I’d like to ship specific event logs from my Siem to ElasticSearch for further processing. However the output from the Siem is in the leef format and can not be changed.
Has anyone on the lists done this? If you have how did you setup logstash and the grok filter?
I have no experience with leef, however I have captured propieretary formats before using the udp or tcp input plugin and just look at how the message field looks like, then go from there to add a grok filter.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.