New User: Beats output question

I have a need to send JSON-formatted data to a Beats (Lumberjack) input. I am new to Cribl and wondered if there was a pre-configured output that could be used to send Lumberjack-protocol-based JSON to a receiver?

My current SIEM solution has a JSON parser, but is using a Beats receiver as the only way to receive it.

Thanks,

Answers

  • Tony Reinke (Posts: 10)

    Maybe look at the TCP JSON destination?
    https://docs.cribl.io/stream/destinations-tcp-json/

    Which SIEM solution are you connecting to Cribl?

  • Tried that, but the TCP JSON destination does not speak in the Lumberjack protocol. It has to be a Logstash destination.

    LogRhythm is the SIEM. There is no destination supplied for LogRhythm so I am trying to get their new JSON parser to work.

    Right now we are experimenting with the File destination and using Elastic Beats to forward using Lumberjack. Trying to work through the issues. A Logstash/Lumberjack destination would be the berries.

  • Tony Reinke (Posts: 10)

    LogRhythm Document:
    https://gallery.logrhythm.com/joint-solution-briefs/logrhythm-na-cribl-joint-solution-brief.pdf

    "Cribl Stream observability pipeline acquires machine data from desired sources and LogRhythm ingests it in syslog format."

    "Cribl also supports destination output to Webhook, Amazon S3 Bucket, and SNMP Trap, among others, which are also compatible for integration with LogRhythm."

    I would start with trying to send Cribl data via the syslog destination to LogRhythm.

  • LogRhythm is a funny beast. It will only accept log sources in the manner that it expects to see log sources. Meaning, the parser for this data is written for syslog CEF. But I am getting them in JSON format. I can easily have Cribl send it to LogRhythm on the syslog port, but then the parser (regex) won't work because all the fields are out of order.

    This is really a problem with LogRhythm. They have started adding a future JSON parser, but currently it only accepts JSON through Beats (Lumberjack). This data source (EDR data) would be a nightmare to write parsers for. Right now, we are dumping out JSON files to an NFS share, then using Filebeat to send to LogRhythm. Works somewhat, but has issues.

    Again, not a Cribl problem per se, just that LogRhythm is a pain when it comes to ingestion. A Cribl output to Beats (Lumberjack) would be the berries.
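One way to wire up the workaround described in this thread (Cribl File destination writing newline-delimited JSON to an NFS share, Filebeat reading those files and shipping them over the Lumberjack protocol to the LogRhythm Beats receiver), as an added Filebeat configuration that is not from the original posts, Cribl or LogRhythm. The mount path, file glob, receiver hostname, port and certificate paths are assumptions; the EDR data leaves the host over TLS with the receiver's certificate verified, so it is not sent in the clear to an unauthenticated endpoint.

```yaml
# filebeat.yml (added example; paths and hosts are placeholders)

filebeat.inputs:
  - type: filestream
    id: cribl-json-to-logrhythm
    enabled: true
    paths:
      # Assumed NFS mount where the Cribl File destination writes.
      # Match only finished .json files so in-progress/temporary files
      # are not shipped half-written.
      - /mnt/cribl-out/**/*.json
    parsers:
      # Each line is one JSON event; decode it into top-level fields
      # and flag lines that fail to parse instead of dropping them.
      - ndjson:
          target: ""
          add_error_key: true
    # On NFS, inode/device-based identity can change across remounts and
    # cause re-reads or skipped files; path-based identity is more stable
    # when Cribl never rewrites a file in place.
    file_identity.path: ~

output.logstash:
  # Lumberjack receiver on the LogRhythm side (assumed host/port).
  hosts: ["logrhythm-beats.example.internal:5044"]
  loadbalance: false
  timeout: 30
  # TLS to the receiver: verify the receiver's certificate chain and
  # hostname so events cannot be redirected to an impostor collector.
  ssl.enabled: true
  ssl.verification_mode: full
  ssl.certificate_authorities:
    - /etc/filebeat/certs/logrhythm-ca.pem
  # Client certificate only if the receiver is configured to require it.
  # ssl.certificate: /etc/filebeat/certs/filebeat.pem
  # ssl.key: /etc/filebeat/certs/filebeat-key.pem

# Keep the registry on local disk, not on the NFS share, so read offsets
# survive a share outage and are not shared between Filebeat hosts.
path.data: /var/lib/filebeat
```

Run `filebeat test config -c filebeat.yml` and `filebeat test output -c filebeat.yml` before enabling the service; the output test confirms the TLS handshake and Lumberjack connection to the receiver without shipping events.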