Prelude carriage return with XmlMod

Added by Pierre R almost 4 years ago

Hello,

I have installed SIEM Prelude and I'm sending logs using [xmlMod] to a prelude-xml.log file. On the other hand, I'm using Filebeat to read logs from this file and send them to an ELK server. The problem is that the logs aren't sent. It is caused by the fact that Prelude sends alerts on the same line, but Filebeat waits for a carriage return (\n). Does Prelude have an option which enables a carriage return when sending logs?

Thanks for your help :D !

Regards,

Pierre


Replies (5)

RE: Prelude carriage return with XmlMod - Added by Noé Nguyen almost 4 years ago

Hello,

I have the same problem.

Does anyone have an idea?

Best Regards,

Noé

RE: Prelude carriage return with XmlMod - Added by Thomas ANDREJAK almost 4 years ago

Hello

You can enable "format" in the XMLMode section. I think this will work with what you need.

Can you explain to us more why you want/need to forward IDMEF alerts to ELK?

Regards

RE: Prelude carriage return with XmlMod - Added by Pierre R almost 4 years ago

Hi,

Thanks, it works :wink: ! I thought that I had already tried this "format" parameter, but it did not work. Surely I had forgotten to restart the "prelude-manager" service.

We use the ELK suite in order to visualize alerts on Kibana and we use Filebeat to send logs to Logstash. But Filebeat needs a carriage return like "\n" to understand when it needs to read the xml file and send logs.
So, by default Prelude sends all logs on the same line without a specific carriage return.

We found other solutions to resolve this issue, but they are not easy to set up and it is simpler to use Prelude this way.

Regards,

Pierre
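The framing problem described in this thread (alerts appended with no trailing newline, a shipper that only forwards complete newline-terminated lines) can be reproduced and worked around on the consumer side without depending on the writer's output format. The following is an added example, not code from the Prelude project or from anyone in this thread: it models a newline-delimited reader the way Filebeat behaves, and beside it a splitter that frames IDMEF documents on the root element's closing tag so a pipeline can still cut one event per alert even when everything sits on one line. The two sample alerts are constructed and deliberately minimal; only the root tag `IDMEF-Message` comes from the IDMEF specification, and the `Classification` element is assumed to carry the text a dashboard would index.

```python
"""Framing IDMEF alerts for a line-oriented log shipper (added example).

Models the failure from the thread: a writer appends XML alerts with no
trailing newline, and a reader (like Filebeat) ships only complete,
newline-terminated lines. Sample alerts are constructed, not real
prelude-xml.log output. Assumption: the root element is <IDMEF-Message>
(RFC 4765) and it never appears inside an alert's own text content.
"""
from typing import List, Tuple
import xml.etree.ElementTree as ET

ROOT_TAG = "IDMEF-Message"
OPEN_MARK = f"<{ROOT_TAG}"
CLOSE_MARK = f"</{ROOT_TAG}>"

# Constructed sample: two alerts written back to back on one line, no newline.
UNFRAMED = (
    '<IDMEF-Message version="1.0"><Alert messageid="a1">'
    '<Classification text="SSH brute force"/></Alert></IDMEF-Message>'
    '<IDMEF-Message version="1.0"><Alert messageid="a2">'
    '<Classification text="Port scan"/></Alert></IDMEF-Message>'
)


def line_framed_records(buf: str) -> Tuple[List[str], str]:
    """Behave like a newline-delimited reader.

    Returns the complete lines and the unterminated remainder, which such a
    reader keeps buffered until a newline arrives (hence "logs aren't sent").
    """
    lines = buf.split("\n")
    rest = lines.pop()  # text after the last newline; may be the whole buffer
    return [line for line in lines if line], rest


def split_idmef_stream(buf: str) -> Tuple[List[str], str]:
    """Frame on the root close tag instead of on newlines.

    Returns every complete <IDMEF-Message>...</IDMEF-Message> document and
    the leftover tail (a partially written alert) to prepend to the next read.
    """
    docs: List[str] = []
    while True:
        start = buf.find(OPEN_MARK)
        if start < 0:
            return docs, ""
        end = buf.find(CLOSE_MARK, start)
        if end < 0:
            return docs, buf[start:]  # incomplete document: wait for more data
        end += len(CLOSE_MARK)
        docs.append(buf[start:end])
        buf = buf[end:]


def classifications(docs: List[str]) -> List[str]:
    """Parse each framed document and pull the Classification text.

    Matches on the local element name so a namespaced feed would also work.
    """
    found: List[str] = []
    for doc in docs:
        root = ET.fromstring(doc)
        for elem in root.iter():
            if elem.tag.rsplit("}", 1)[-1] == "Classification":
                found.append(elem.get("text", ""))
    return found


if __name__ == "__main__":
    lines, held = line_framed_records(UNFRAMED)
    print(f"newline reader shipped {len(lines)} event(s), holding {len(held)} bytes")
    docs, tail = split_idmef_stream(UNFRAMED)
    print(f"tag-framed reader shipped {len(docs)} event(s):", classifications(docs))
```

With the thread's default output, the newline-delimited reader ships nothing and holds the whole buffer, while the tag-framed splitter yields both alerts; a partially written trailing alert is returned as `tail` rather than parsed, which is the case an incremental reader has to handle. The caveat that goes with the `format` fix from the thread: if it pretty-prints each alert over several lines, the shipper then needs its multiline setting (Filebeat's `multiline.pattern` anchored on `<IDMEF-Message`) so that one alert still becomes one event.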

RE: Prelude carriage return with XmlMod - Added by Thomas ANDREJAK almost 4 years ago

Hello

Glad to hear you got your way to what you want to do.

Are you using Kibana because the interface of Prelude is not enough? Can you explain to us what is missing in our interfaces?

Thanks

Regards

RE: Prelude carriage return with XmlMod - Added by Pierre R almost 4 years ago

Hello,

Firstly, we use Kibana because it's a constraint of our student project. Indeed, our project consists in setting up a SOCaaS using Prelude, a sensor (Suricata and/or OSSEC, Snort) and the ELK suite.

Prewikka has many useful features but some features available on Kibana are not in Prelude OSS. The Pro version is certainly better provided.
For example, Kibana is able to make more complex dashboards, parsing multiple types of logs by default, and the interface is user-friendly.

I'm not an expert but it's my feeling about Prewikka. Moreover, the ELK suite is free and open source, so ... why not use it? ^^

Thanks :D .

Regards,

Pierre