Dear all,
I have troubles to feed our DHCP logs into Cortex XDR.
I watched this Video:
https://www.youtube.com/watch?v=rxmn1sYzIlY
and for the installation I used this manual:
* here are the profile settings:
# ============================== Filebeat inputs ===============================
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
- type: log
# Change to true to enable this input configuration.
enabled: true
# Paths that should be crawled and fetched. Glob based paths.
paths:
- c:\Windows\System32\dhcp\DhcpSrvLog*.log
# ============================== Elasticsearch Output ===============================
output.elasticsearch:
enabled: true
# Array of hosts to connect to.
hosts: ["https://xxxxx.xdr.eu.paloaltonetworks.com:443/logs/v1/filebeat"]
# Protocol - either `http` (default) or `https`.
protocol: "https"
compression_level: 5
# Authentication credentials - either API key or username/password.
api_key: "xxxxx"
# ================================= Processors =================================
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
- add_fields:
fields:
vendor: "microsoft"
product: "dhcp"
- drop_event.when.not.regexp.message: "^[0-9]+,.*"
- dissect:
tokenizer: "%{id},%{date},%{time},%{description},%{ipAddress},%{hostName},%{macAddress},%{userName},%{transactionID},%{qResult},%{probationTime},%{correlationID},%{dhcid},%{vendorClassHex},%{vendorClassASCII},%{userClassHex},%{userClassASCII},%{relayAgentInformation},%{dnsRegError}"
- drop_fields:
fields: ["message"]
- add_locale: ~
- rename:
fields:
- from: "event.timezone"
to: "dissect.timezone"
ignore_missing: true
fail_on_error: false
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~Do I miss anything or did a mistake?
Do you have some ideas what I can check next?
Thanks,
Peter
