
collecting select logs from downstream Elasticsearch

I manage an environment with a bunch of clusters, each running their own log collection server that uses the ELK stack. 

Our security team would like me to start sending authentication/audit events to their SIEM which is running Sentinel.

Is it possible for our local logging Elasticsearch to send to Sentinel (or its Elasticsearch) rather than configuring agents on every instance of my clusters?

If so, I'd appreciate any references to docs or examples. I'm working my way through the configuration guide now.

I have limited experience with the ELK stack and none with Sentinel. 

Thanks!

Edit: It looks like Logstash is the point in the stack to send to SIEM.


    We have a selection of collectors that parse different device types, and each collector comes with guides to configure both the device and Sentinel. You can start by checking here: https://www.microfocus.com/marketplace/cyberres/category/sentinel   If we don't have a collector specifically built for ELK, then you could try using our CEF collector. The CEF collector would require that the events sent to Sentinel were in CEF format. There might be an option on the ELK side to configure CEF syslog to send to a particular SIEM IP and port. For that configuration you would need to do some research on your side.
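The reply above leaves the CEF side to the reader. The following is an added illustration (not code from this thread, from Elastic, or from Micro Focus) of what a correctly escaped CEF:0 line looks like when an Elasticsearch authentication event is mapped to it and framed as syslog, so you can compare it against what the CEF collector expects before pointing a Logstash output at the SIEM. The Elasticsearch field names (`event.outcome`, `user.name`, `source.ip`, ...), the vendor/product strings, and the SIEM host and port are assumptions and placeholders; the sample documents are constructed.

```python
"""Build CEF-formatted syslog lines from Elasticsearch auth events.

Added illustration; not code from the forum thread, Elastic, or the SIEM
vendor. Field names on the Elasticsearch side and the SIEM endpoint are
assumptions / placeholders.
"""
import socket
from datetime import datetime, timezone

# Placeholder SIEM collector endpoint; replace with the real IP and port.
SIEM_HOST = "192.0.2.10"
SIEM_PORT = 514


def cef_escape_header(value):
    """Escape '\\' and '|' in CEF header fields (vendor, product, name, ...)."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_extension(value):
    """Escape '\\', '=' and line breaks in CEF extension values ('|' is allowed here)."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(doc, vendor="ELK", product="auth-logs", version="1.0"):
    """Map one (constructed) Elasticsearch auth event document to a CEF:0 line.

    Header layout: CEF:Version|Device Vendor|Device Product|Device Version|
                   Signature ID|Name|Severity|Extension
    """
    outcome = doc.get("event.outcome", "unknown")
    signature_id = f"auth-{outcome}"
    name = f"Authentication {outcome}"
    severity = 3 if outcome == "success" else 7  # CEF severity is 0-10; failures rank higher
    # Extension keys taken from the standard CEF dictionary (rt, suser, src, dhost, msg).
    ext = {
        "rt": doc.get("@timestamp", ""),
        "suser": doc.get("user.name", ""),
        "src": doc.get("source.ip", ""),
        "dhost": doc.get("host.name", ""),
        "outcome": outcome,
        "msg": doc.get("message", ""),
    }
    header = "|".join([
        "CEF:0",
        cef_escape_header(vendor), cef_escape_header(product),
        cef_escape_header(version), cef_escape_header(signature_id),
        cef_escape_header(name), str(severity),
    ])
    extension = " ".join(f"{k}={cef_escape_extension(v)}"
                         for k, v in ext.items() if v != "")
    return f"{header}|{extension}"


def syslog_frame(cef_line, hostname="logstash-01", facility=4, sev=6):
    """Wrap a CEF line in an RFC 3164-style syslog message (PRI, timestamp, host)."""
    pri = facility * 8 + sev  # facility 4 = auth, severity 6 = informational
    ts = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {cef_line}"


def send_syslog_tcp(line, host=SIEM_HOST, port=SIEM_PORT, timeout=5):
    """Send one newline-terminated syslog message over TCP (network call; not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall((line + "\n").encode("utf-8"))


# Constructed sample documents standing in for hits from the local auth index.
SAMPLE_DOCS = [
    {"@timestamp": "2024-05-01T12:00:00Z", "event.outcome": "failure",
     "user.name": "admin", "source.ip": "198.51.100.7", "host.name": "node-3",
     "message": "Failed password for admin|attempt=3"},
    {"@timestamp": "2024-05-01T12:00:05Z", "event.outcome": "success",
     "user.name": "alice", "source.ip": "198.51.100.8", "host.name": "node-3",
     "message": "Accepted publickey for alice"},
]

if __name__ == "__main__":
    for d in SAMPLE_DOCS:
        print(syslog_frame(to_cef(d)))
```

The first sample deliberately carries a `|` and an `=` inside the message: the header escaping and the extension escaping differ, and a collector that receives an unescaped `=` in `msg` will split the field incorrectly. In a real deployment the equivalent mapping would live in the Logstash output stage rather than in a script, but the resulting line should look the same.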