Prelude carriage return with XmlMod
Added by Pierre R over 4 years ago
Hello,
I have installed the SIEM Prelude and I'm sending logs using [xmlMod] to a prelude-xml.log file. On the other hand, I'm using Filebeat to read logs from this file and send them to an ELK server. The problem is that the logs aren't sent. It is caused by the fact that Prelude sends alerts on the same line, but Filebeat waits for a carriage return (\n). Does Prelude have an option which enables a carriage return when sending logs?
Thanks for your help!
Regards,
Pierre
Replies (5)
RE: Prelude carriage return with XmlMod - Added by Noé Nguyen over 4 years ago
Hello,
I have the same problem.
Does anyone have an idea?
Best Regards,
Noé
RE: Prelude carriage return with XmlMod - Added by Thomas ANDREJAK over 4 years ago
Hello
You can enable "format" in the XMLMod section. I think this will work with what you need.
Can you explain to us more why you want/need to forward IDMEF alerts to ELK?
Regards
RE: Prelude carriage return with XmlMod - Added by Pierre R over 4 years ago
Hi,
Thanks, it works :wink:! I thought that I had already tried this "format" parameter, but it did not work. Surely I had forgotten to restart the "prelude-manager" service.
We use the ELK suite in order to visualize alerts on Kibana and we use Filebeat to send logs to Logstash. But Filebeat needs a carriage return like "\n" to understand when it needs to read the xml file and send logs.
So, by default Prelude sends all logs on the same line without a specific carriage return.
We found other solutions to resolve this issue, but they are not easy to set up and it is simpler to use Prelude this way.
Regards,
Pierre
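The behaviour Pierre describes, as an added example that is not part of the thread or of the Prelude project: a line-oriented shipper only emits an event once it sees a "\n", so a writer that concatenates XML documents without a terminator produces no events at all, while a reader that splits on the IDMEF root-element boundary recovers the records regardless of line endings. The two IDMEF-like records are constructed for the example (RFC 4765 element names, no XML namespace, invented content); `write_log`, `line_reader` and `boundary_reader` are hypothetical helpers written here, not Filebeat or prelude-manager code.

```python
"""Added example: why newline-terminated records matter to a line-based shipper,
and a boundary-based fallback that does not depend on newlines.
Not Prelude or Filebeat code; all helpers and sample data are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample records (minimal IDMEF-like documents, content invented).
IDMEF_RECORDS = [
    '<IDMEF-Message version="1.0"><Alert messageid="1">'
    '<Classification text="Constructed alert 1"/></Alert></IDMEF-Message>',
    '<IDMEF-Message version="1.0"><Alert messageid="2">'
    '<Classification text="Constructed alert 2"/></Alert></IDMEF-Message>',
]


def write_log(records, newline_terminated):
    """Mimic the log writer: one XML document per record, with or without "\n".

    newline_terminated=False reproduces the behaviour described in the thread
    (everything on a single line); True is what the shipper expects.
    """
    sep = "\n" if newline_terminated else ""
    return "".join(rec + sep for rec in records)


def line_reader(data):
    """A Filebeat-style reader: an event is complete only when "\n" is seen.

    The last element of split("\n") is either "" (file ended with "\n") or an
    unterminated tail that a line-based reader keeps buffering, so it is dropped.
    """
    return data.split("\n")[:-1]


# Match whole IDMEF-Message documents; re.S so the record may span lines.
_RECORD_RE = re.compile(r"<IDMEF-Message\b.*?</IDMEF-Message>", re.S)


def boundary_reader(data):
    """Split on the root-element boundary instead of on newlines."""
    return _RECORD_RE.findall(data)


def parse_message_ids(records):
    """Parse each record as XML and return the Alert messageid values.

    Records without an Alert element (for example IDMEF Heartbeats) yield None.
    """
    ids = []
    for rec in records:
        root = ET.fromstring(rec)  # raises ParseError on a truncated record
        alert = root.find("Alert")
        ids.append(alert.get("messageid") if alert is not None else None)
    return ids


if __name__ == "__main__":
    single_line = write_log(IDMEF_RECORDS, newline_terminated=False)
    terminated = write_log(IDMEF_RECORDS, newline_terminated=True)
    print("line reader, no terminator:", len(line_reader(single_line)), "events")
    print("line reader, terminated:   ", len(line_reader(terminated)), "events")
    print("boundary reader, no terminator:",
          parse_message_ids(boundary_reader(single_line)))
```

Note that if the writer pretty-prints each document across several lines, a line-based shipper then needs multiline handling on its side; the boundary-based reader above is indifferent to that because it keys on the closing root tag rather than on line structure.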
RE: Prelude carriage return with XmlMod - Added by Thomas ANDREJAK over 4 years ago
Hello
Glad to hear you found a way to do what you want.
Are you using Kibana because the interface of Prelude is not enough? Can you explain to us what is missing in our interfaces?
Thanks
Regards
RE: Prelude carriage return with XmlMod - Added by Pierre R over 4 years ago
Hello,
Firstly, we use Kibana because it's a constraint of our student project. Indeed, our project consists in setting up a SOCaaS using Prelude, a sensor (Suricata and/or OSSEC, Snort) and the ELK suite.
Prewikka has many useful features but some features available in Kibana are not in Prelude OSS. The Pro version is certainly better provided.
For example, Kibana is able to make more complex dashboards, parses multiple types of logs by default, and the interface is user-friendly.
I'm not an expert but it's my feeling about Prewikka. Moreover, the ELK suite is free and open source, so ... why not use it? ^^
Thanks.
Regards,
Pierre