Sending selective APM log fields to SIEM

davidfisher · ‎07-Jun-2020

HI

The siem wants apm logs in a single line with few fields.

I used the custom logging agent to log these session variables as of now, is there any better way to do this and also can using the custom logging agent cause huge cpu or resource spikes on the device?

USER %{session.logon.last.username} USER-AGENT: %{session.user.agent} CLIENT-IP: %{session.user.clientip} login-result: %{session.logon.last.result} URI-ACCESS: %{session.policy.result.start_uri} LOGGED_IN_TO_OWA

OUTPUT:

Logging Agent: USER bob USER-AGENT: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 CLIENT-IP: 172.22.70.81 LOGGED_IN_TO_OWA

DevCentral

Sending selective APM log fields to SIEM