NLS Inputs for Common Event Format (CEF)/Logstash
Posted: Wed Oct 11, 2017 7:28 am
by egasway
Moderator Edit: This thread has been split from another - https://support.nagios.com/forum/viewto ... 37&t=45000
In the future, please create a new thread and link to the old one instead of adding on.
We also have a source producing logs in CEF format which we would like to ingest into Nagios. We've installed the CEF codec, but am I understanding correctly from the comments above that Nagios can't process CEF input? Thanks!
Re: NLS Inputs for Common Event Format (CEF)/Logstash
Posted: Wed Oct 11, 2017 3:03 pm
by kyang
Yes, as mentioned by @scottwilkerson, the cef codec wasn't available until Logstash 2.4, which we have not included in Nagios Log Server yet.
It is slated for the next release, which should be released in the not too distant future.
Here's our roadmap so you can see what's in the next release of Nagios Log Server.
https://www.nagios.com/roadmaps/
Re: NLS Inputs for Common Event Format (CEF)/Logstash
Posted: Thu Nov 02, 2017 8:19 pm
by tacolover101
i'm not familiar with CEF (or how it works at a transport layer), but this does have me thinking.
it looks like CEF should send messages in a format similar to:
Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232
if you attempt to send it to a raw UDP/TCP input on the NLS side, are you able to see a similar message?
if so, i imagine you can create a GROK pattern for this and on you go. no need for the codec.
of course, all of this is hypothetical assuming there isn't more work needed at the transport layer. should that be the case, you could use a load balancer or reverse proxy to absorb the logs, and then ship over TCP to Nagios.
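The post above suggests receiving CEF on a raw TCP/UDP input and pulling the fields out with a grok pattern. As an added example (not code from the thread or from Nagios), the Python below parses a CEF line like the sample into its seven header fields and its key=value extension, and it handles the two escaping rules a plain split misses: a backslash escapes `|` inside the header, and a backslash escapes `=` inside extension values. The `GROK_CEF_HEADER` string is an illustrative grok pattern for the same header layout and is my assumption, not a pattern shipped with Nagios Log Server; the escaped sample line is constructed.

```python
"""Escape-aware CEF parser (added example, not part of the thread).

Header layout: CEF:Version|Device Vendor|Device Product|Device Version|
               Signature ID|Name|Severity|Extension
"""
import re

# Header field names in the order the CEF specification defines them.
HEADER_KEYS = ("cef_version", "device_vendor", "device_product",
               "device_version", "signature_id", "name", "severity")

# Illustrative grok equivalent for a raw input (assumption, not NLS-supplied).
# DATA is not escape-aware, so a vendor string containing '\|' would be
# mis-split by this pattern; that is the gap the code below closes.
GROK_CEF_HEADER = (
    r"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host} CEF:%{INT:cef_version}\|"
    r"%{DATA:device_vendor}\|%{DATA:device_product}\|%{DATA:device_version}\|"
    r"%{DATA:signature_id}\|%{DATA:name}\|%{INT:severity}\|%{GREEDYDATA:extension}"
)

# Optional syslog prefix ("Sep 19 08:26:10 host ") before the CEF: marker.
_PREFIX_RE = re.compile(
    r"^(?:(?P<timestamp>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+)?CEF:"
)
# An extension key sits at the start or after whitespace and ends with '='.
# An escaped '\=' inside a value never matches because '\' is not a key char.
_EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

# Sample line from the post above, plus a constructed line exercising escapes.
SAMPLE = ("Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|"
          "worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232")
SAMPLE_ESCAPED = (r"CEF:0|Acme\|Inc|Gateway|2.1|42|pipe in vendor|3|"
                  r"msg=path a\=b spans words act=blocked")


def _split_header(rest):
    """Split on unescaped '|' until seven fields are read; return (fields, extension)."""
    fields, buf, i = [], [], 0
    while i < len(rest) and len(fields) < 7:
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest) and rest[i + 1] in "|\\":
            buf.append(rest[i + 1])      # '\|' -> '|', '\\' -> '\'
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    return fields, rest[i:]


def _unescape_ext(value):
    """Undo extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n' / '\\r' -> newline / CR."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line):
    """Return a dict with timestamp/host (None if absent), header fields and 'extension'."""
    m = _PREFIX_RE.match(line)
    if not m:
        raise ValueError("not a CEF line (no 'CEF:' marker)")
    event = {"timestamp": m.group("timestamp"), "host": m.group("host")}
    fields, extension = _split_header(line[m.end():])
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 '|'-separated fields")
    event.update(zip(HEADER_KEYS, fields))
    # Each value runs from its key's '=' to the start of the next " key=".
    keys = list(_EXT_KEY_RE.finditer(extension))
    ext = {}
    for idx, km in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(extension)
        ext[km.group(1)] = _unescape_ext(extension[km.end():end].strip())
    event["extension"] = ext
    return event


if __name__ == "__main__":
    for sample in (SAMPLE, SAMPLE_ESCAPED):
        print(parse_cef(sample))
```

The practical reason to care about the escapes is field integrity: a device whose vendor or message text contains `|` or `=` will shift every downstream field if the parser just splits on the delimiters, so any alerting or search you build on `signature_id` or `severity` ends up looking at the wrong column for exactly the events that are unusual.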
Re: NLS Inputs for Common Event Format (CEF)/Logstash
Posted: Fri Nov 03, 2017 2:52 pm
by dwhitfield
@egasway, did you have any other questions, or was @kyang's response adequate until the actual release?