NLS Inputs for Common Event Format (CEF)/Logstash

[egasway]

Moderator Edit: This thread has been split from another - https://support.nagios.com/forum/viewto ... 37&t=45000
In the future, please create a new thread and link to the old one instead of adding on.

We also have a source producing logs in CEF format which we would like to ingest into Nagios. We've installed the CEF codec, but am I understanding correctly from the comments above that Nagios can't process CEF input? Thanks!

[kyang]

Yes, as mentioned by @scottwilkerson

The cef codec wasn't available until Logstash 2.4 which we have not included in Nagios Log Server yet.

It is slated for the next release, which should be released in the not to distant future

Here's our roadmap so you can see what's in the next release of Nagios Log Server.
https://www.nagios.com/roadmaps/

[tacolover101]

i'm not familiar with CEF (or how it works at a transport layer), but this does have me thinking.

it looks like CEF should send messages in a format similar to:

Code: Select all

Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232 

if you attempt to send it to a raw UDP/TCP input on the NLS side, are you able to see a similar message?

if so, i imagine you can create a GROK pattern for this and on you go. no need for the codec.

of course, all of this is hypothetical assuming there isn't more work needed at the transport layer. should that be the case, you could use a load balancer or reverse proxy to absorb the logs, and then ship over TCP to Nagios.

[dwhitfield]

@egasway, did have any other questions or was @kyang's response adequate until the actual release?