NLS Inputs for Common Event Format (CEF)/Logstash
Posted: Thu Aug 03, 2017 4:09 pm
I got the plugin installed, and am looking into what I need to change to accept CEF messages from a Trend Micro Deep Security agent to be able to accept the logs as they come in. I have some logs incoming via Syslog and they work fine. Some of the services only send messages via CEF (common event format), and I'm not sure what else needs to be done once I installed the codec-cef for logstash.
Looking through the logstash document, examples are like this:
input {
  tcp {
    codec => cef { delimiter => "\r\n" }
    # ...
  }
}
I want udp on a certain port:
input {
  udp {
    codec => cef { delimiter => "\r\n" }
    port => <myport#>
  }
}
None of this seems to work though. Not seeing the CEF logs come through. Any more examples of how this should be set up?
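Added example, not code from the post or from the Logstash codec: a small Python model of the two things this question turns on. The cef codec's delimiter option makes it buffer input until that delimiter is seen, which fits a TCP stream; a UDP datagram is already one whole event and usually carries no trailing \r\n, so with the delimiter set nothing gets emitted. The sample CEF line is constructed (the field values are illustrative, not a captured Deep Security message) and the parser is a minimal one written for this example.

```python
import re

# Constructed sample in CEF shape (values are illustrative, not a captured
# Deep Security message): 7 pipe-delimited header fields, then
# space-separated key=value extensions. Note there is no trailing \r\n.
SAMPLE_CEF = ("CEF:0|Trend Micro|Deep Security Agent|10.0|4000000|"
              "Eicar_test_file|6|cn1=1 cn1Label=Host ID dvc=192.0.2.10 "
              "TrendMicroDsTenant=Primary msg=Realtime scan\\= found file")

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# Extension values are key=value pairs; '=' and '\' inside a value are escaped,
# so a value runs until the next unescaped " key=" or the end of the line.
KV = re.compile(r'(?:^|\s)([\w.\-]+)=((?:\\.|[^\\=])*?)(?=\s[\w.\-]+=|$)')

def unescape(text):
    # CEF escapes: \| \= \\ in general, plus \n and \r inside extension values
    return re.sub(r'\\(.)',
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  text)

def parse_cef(line):
    """Parse one CEF event into its header fields plus an extension dict."""
    # Split on unescaped pipes only; a literal '|' in a header field is '\|'.
    parts = re.split(r'(?<!\\)\|', line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = dict(zip(HEADER_FIELDS, (unescape(p) for p in parts[:7])))
    header["version"] = header["version"][len("CEF:"):]
    header["extension"] = {k: unescape(v) for k, v in KV.findall(parts[7])}
    return header

def frame(buffer, delimiter):
    """Mimic delimiter-based stream framing: return the complete events and
    the bytes still held back waiting for the next delimiter."""
    parts = buffer.split(delimiter)
    return parts[:-1], parts[-1]

if __name__ == "__main__":
    # One UDP datagram holding one event but no delimiter: held back, not emitted.
    done, pending = frame(SAMPLE_CEF, "\r\n")
    print(len(done), "event(s) emitted;", len(pending), "bytes held back")
    # The same bytes on a TCP stream with the delimiter appended are emitted.
    done, pending = frame(SAMPLE_CEF + "\r\n", "\r\n")
    print(parse_cef(done[0])["extension"]["msg"])
```

A first check outside Logstash is whether datagrams reach the port at all (for example tcpdump on udp port <myport#>); if they do, try the udp input with the cef codec and no delimiter setting.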