[syslog_router] Add syslog router integration #11727
taylor-swanson merged 9 commits into elastic:main from taylor-swanson:integ/syslog-router
Conversation
- Add initial implementation of the syslog router integration which will identify and route syslog-based events to security integrations.
Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)
As a future improvement idea, the Defend for Containers integration uses UI components (buttons, dropdowns, etc.) to create somewhat similar rules, and then generates a yaml file based on the GUI.
It would be easier for users to have something like that here. I didn't work on that part myself, so I'm not too sure how much work it would be to add here, but it's probably worth investigating. I think setting up this yaml could cause difficulties for a lot of users.
Phase 2 of this project does involve UI work, but I'll take a look at that integration to see if I can apply any of that here.
I agree the yaml is convoluted, but this is how beats is designed. I'm not sure what to do here, though. One of my original approaches to this integration was developing a new processor, which allowed me to have a much "nicer" looking yaml configuration. I abandoned that in favor of the existing conditionals and processors in beats. Unfortunately, you can't do anything special with yaml blocks from the agent configuration in handlebars, so I wasn't able to take a nicer looking yaml from the agent config and produce the correct filebeat config from it.
I'll take a look at the Defend for Containers integration and see what I can use from that.
Yeah looking at Defend for Containers, that's what we're aiming for in Phase 2.
This was the "nicer" looking yaml config I came up with (one of the reroute definitions). I feel like this would be easier for the UI to work with than the beats config that's currently being used. The beats config would be fairly easy for the UI to emit, but not read back in.
```yaml
- target: citrix_waf.log
  patterns:
    - "CEF:0\\|Citrix\\|NetScaler"
  processors:
    - add_fields:
        target: ''
        fields:
          _conf.tz_offset: "UTC"
    - append:
        target_field: tags
        values:
          - citrix_waf-log
```
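To make the semantics of that reroute definition concrete, here is an added example (not code from the PR or the integration) that evaluates such rules against raw syslog events: the first rule whose pattern matches runs its processors and sets the target dataset, and unmatched events stay in the router's own dataset. The rule is embedded as a Python structure so it runs without a YAML library; the first-match ordering, the `data_stream.dataset` field name and the default dataset are assumptions for illustration.

```python
import copy
import re

# Constructed: the PR comment's "nicer" reroute definition as a Python structure.
# Keys (target, patterns, processors) follow that comment; evaluation order is assumed.
REROUTES = [
    {
        "target": "citrix_waf.log",
        "patterns": [r"CEF:0\|Citrix\|NetScaler"],
        "processors": [
            {"add_fields": {"target": "", "fields": {"_conf.tz_offset": "UTC"}}},
            {"append": {"target_field": "tags", "values": ["citrix_waf-log"]}},
        ],
    },
]


def _add_fields(event, spec):
    # add_fields: write each field under `target`; an empty target means the event root.
    dest = event if spec.get("target", "") == "" else event.setdefault(spec["target"], {})
    dest.update(spec["fields"])


def _append(event, spec):
    # append: extend a list-valued field, creating it or wrapping a scalar if needed.
    existing = event.get(spec["target_field"], [])
    if not isinstance(existing, list):
        existing = [existing]
    event[spec["target_field"]] = existing + list(spec["values"])


PROCESSORS = {"add_fields": _add_fields, "append": _append}


def route(event, reroutes=REROUTES, default="syslog_router.log"):
    """Return a copy of `event` routed by the first rule whose pattern matches
    the raw message (assumed field name data_stream.dataset). Events that match
    no rule are left in the router's own dataset (`default`) and unmodified."""
    out = copy.deepcopy(event)
    message = out.get("message", "")
    for rule in reroutes:
        if any(re.search(p, message) for p in rule["patterns"]):
            for proc in rule.get("processors", []):
                (name, spec), = proc.items()
                PROCESSORS[name](out, spec)
            out["data_stream.dataset"] = rule["target"]
            return out
    out["data_stream.dataset"] = default
    return out


if __name__ == "__main__":
    # Constructed sample: a NetScaler CEF line and an unrelated sshd line.
    print(route({"message": "<134>ns1 CEF:0|Citrix|NetScaler|13.0|APPFW|x|6|src=10.0.0.1", "tags": ["syslog"]}))
    print(route({"message": "<38>host sshd[1]: Accepted publickey for user"}))
```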
packages/syslog_router/data_stream/log/_dev/test/pipeline/test-syslog-events.json-expected.json
dwhyrock
left a comment
A couple comments and questions
packages/syslog_router/data_stream/log/elasticsearch/ingest_pipeline/default.yml
mjwolf
left a comment
I tested this with Arista NG and Check Point logs, and both were routed to the correct datastream.
💚 Build Succeeded
Package syslog_router - 0.1.0 containing this change is available at https://epr.elastic.co/package/syslog_router/0.1.0/
Proposed commit message
- Add initial implementation of the syslog router integration which will identify and route syslog-based events to security integrations.

Checklist
- changelog.yml file.
- [ ] I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally
Warning: Due to limitations in elastic-package, automated tests cannot verify routing behavior to data streams external to this package. Verification will have to be performed manually. To verify, follow the instructions in the integration on installing assets for another integration (Cisco ASA, for example), configure the integration, and send a relevant log to the Agent.

Related issues