[syslog_router] Add syslog router integration #11727
Conversation
- Add initial implementation of the syslog router integration which will identify and route syslog-based events to security integrations.
As a future improvement idea, the Defend for Containers integration uses UI components (buttons, dropdowns, etc.) to create somewhat similar rules, and then generates a yaml file based on the GUI.
It would be easier for users to have something like that here. I didn't work on that part myself, so I'm not too sure how much work it would be to add here, but it's probably worth investigating. I think setting up this yaml could cause difficulties for a lot of users.
Phase 2 of this project does involve UI work, but I'll take a look at that integration to see if I can apply any of that here.
I agree the yaml is convoluted, but this is how beats is designed. I'm not sure what to do here, though. One of my original approaches to this integration was developing a new processor, which allowed me to have a much "nicer" looking yaml configuration. I abandoned that in favor of the existing conditionals and processors in beats. Unfortunately, you can't do anything special with yaml blocks from the agent configuration in handlebars, so I wasn't able to take a nicer looking yaml from the agent config and produce the correct filebeat config from it.
I'll take a look at the Defend for Containers integration and see what I can use from that.
Yeah looking at Defend for Containers, that's what we're aiming for in Phase 2.
This was the "nicer" looking yaml config I came up with (one of the reroute definitions). I feel like this would be easier for the UI to work with than the beats config that's currently being used. The beats config would be fairly easy for the UI to emit, but not read back in.
```yaml
- target: citrix_waf.log
  patterns:
    - "CEF:0\\|Citrix\\|NetScaler"
  processors:
    - add_fields:
        target: ''
        fields:
          _conf.tz_offset: "UTC"
    - append:
        target_field: tags
        values:
          - citrix_waf-log
```
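The reroute sketch above, as an added example that is not the package's code: the definition expressed as a Python dict, a matcher that routes constructed syslog lines to the sketch's target, and a translation of the rule into Beats processors guarded by `when.regexp` conditions (the Beats condition syntax is assumed from the Beats documentation, not taken from this PR; the `data_stream.dataset` field name is likewise an assumption about what `target` maps to).

```python
import re

# The author's reroute sketch as a dict (constructed here; equivalent to the YAML above).
REROUTES = [
    {
        "target": "citrix_waf.log",
        "patterns": [r"CEF:0\|Citrix\|NetScaler"],
        "processors": [
            {"add_fields": {"target": "", "fields": {"_conf.tz_offset": "UTC"}}},
            {"append": {"target_field": "tags", "values": ["citrix_waf-log"]}},
        ],
    },
]


def apply_processor(event, proc):
    """Apply the two processors the sketch uses (flat dotted keys stand in for nesting)."""
    if "add_fields" in proc:
        spec = proc["add_fields"]
        prefix = spec.get("target", "")
        for key, value in spec["fields"].items():
            event[f"{prefix}.{key}" if prefix else key] = value
    elif "append" in proc:
        spec = proc["append"]
        event.setdefault(spec["target_field"], []).extend(spec["values"])
    return event


def route(message, reroutes=REROUTES):
    """Return the enriched event with its routing target, or None if no pattern matched."""
    for rule in reroutes:
        if any(re.search(pattern, message) for pattern in rule["patterns"]):
            event = {"message": message}
            for proc in rule["processors"]:
                apply_processor(event, proc)
            # Assumption: `target` names the destination data stream dataset.
            event["data_stream.dataset"] = rule["target"]
            return event
    return None


def to_beats_processors(rule):
    """Emit the equivalent Beats processors, each guarded by a `when` condition (assumed syntax)."""
    conditions = [{"regexp": {"message": p}} for p in rule["patterns"]]
    when = conditions[0] if len(conditions) == 1 else {"or": conditions}
    out = []
    for proc in rule["processors"]:
        (name, spec), = proc.items()
        out.append({name: {"when": when, **spec}})
    return out
```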
dwhyrock left a comment
A couple comments and questions
mjwolf left a comment
I tested this with Arista NG and Check Point logs, and both were routed to the correct datastream.
dwhyrock left a comment
Great work on this!
Package syslog_router - 0.1.0 containing this change is available at https://epr.elastic.co/package/syslog_router/0.1.0/
Proposed commit message

- Add initial implementation of the syslog router integration which will identify and route syslog-based events to security integrations.

Checklist

- … changelog.yml file.
- [ ] I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

Warning: Due to limitations in elastic-package, automated tests cannot verify routing behavior to data streams external to this package. Verification will have to be performed manually. To verify, follow the instructions in the integration on installing assets for another integration (Cisco ASA, for example), configure the integration, and send a relevant log to the Agent.

Related issues