Sending one log file as a single event using Logstash to sentinel

FahadAhmed · ‎Apr 12 2022

Hi,

I have multiple randomly generated .xml files that need to be sent to Azure Sentinel as a single event/log.

Currently I am able to send the files but they are separated as multiple log events. I need contents of one file to be treated as a single event.

How is it possible using logstash or even file beats or any other solution?

Appreciate any help.

Thanks

Fahad.

FahadAhmed · ‎Apr 14 2022

Any thoughts on getting this done?? I have explored multiple options.

option1: using MMA agent, the issue with MMA agent is that it will only send logs when the timestamp is changed and in our case the logs are not getting updated rather logs are stored in multiple files that are copied through a cron job to the log forwarder so MMA agent approach will not work (as far as i can see, how sure if there are workarounds)

option2: using logstash, I am able to get all the logs from the files however they are split in multiple strings/logs which the XML parser function is not able to parse so logstash option is not feasible either.

option3: filebeats, i see it has the option in documentation to split logs into multiple lines, however have to create regex n test it and not sure if this will even work so exploring any ideas in parallel.

any pointers will be appreciated.

Thanks
Fahad.

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Sending one log file as a single event using Logstash to sentinel

Sending one log file as a single event using Logstash to sentinel

Re: Sending one log file as a single event using Logstash to sentinel