Configure Generic Beat Log Flows into SIEM
The Generic Beat collects data from log sources that use authentication and pagination styles similar to those implemented in other beats, including their authentication and authorization mechanisms. There is no JQ pipeline for the Generic Beat.
Identification of the Log Type
Generally, logs are identified by beat name, but the Generic Beat can carry multiple log source types, so the beat name alone is not sufficient for identification.
To overcome this, use the device_type field as the log source name value when configuring the Generic Beat.
Identification of Heartbeat Message
To identify the heartbeat message, apply the beatname and device_type check in LSVT, as is done for all log sources.
For example, to configure Proofpoint as a log source in the Generic Beat, apply the conditions (beatname=proofpointbeat and device_type=heartbeat) to identify the heartbeat, and create a new log source (Syslog - Open Collector - ProofpointBeat Heartbeat).
Log Flow to SIEM
By default, all Generic Beat logs are parsed under the Syslog - Open Collector log source. Logs for which parsing is supported are parsed by their respective log sources.
For example, if Proofpoint logs are generated by the Generic Beat and parsing is supported, all Proofpoint logs in the SIEM parse via the Syslog - Open Collector - Proofpoint log source, and the heartbeat message parses via the Syslog - Open Collector - ProofpointBeat Heartbeat log source.
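The following added example (not LogRhythm's or the Open Collector's own code) simulates the identification rules above: a heartbeat is matched on both beatname and device_type, a data message routes by device_type only when parsing is supported, and everything else falls back to Syslog - Open Collector. The field names, case-insensitive matching, the parsing-support table and the sample messages are assumptions constructed for illustration.

```python
# Added example: simulates how a Generic Beat message is matched to a log
# source name by beatname and device_type. Not LogRhythm's own code; field
# names, case folding and the parsing-support table are assumptions.

DEFAULT_LOG_SOURCE = "Syslog - Open Collector"

# Log source types with parsing support, keyed by device_type (assumed values).
PARSING_SUPPORTED = {
    "proofpoint": "Syslog - Open Collector - Proofpoint",
}

# Heartbeat rules: (beatname, device_type) -> heartbeat log source.
HEARTBEAT_RULES = {
    ("proofpointbeat", "heartbeat"): "Syslog - Open Collector - ProofpointBeat Heartbeat",
}


def identify_log_source(message: dict) -> str:
    """Return the log source name a single Generic Beat message parses under."""
    # Assumption: matching is case-insensitive; a missing field becomes "".
    beatname = str(message.get("beatname", "")).lower()
    device_type = str(message.get("device_type", "")).lower()
    # Heartbeats are checked first and need BOTH fields to match, so a
    # device_type of "heartbeat" from an unknown beat does not match.
    heartbeat = HEARTBEAT_RULES.get((beatname, device_type))
    if heartbeat:
        return heartbeat
    # Data messages route by device_type only when parsing is supported;
    # unknown or missing device_type falls back to the default log source.
    return PARSING_SUPPORTED.get(device_type, DEFAULT_LOG_SOURCE)


def route_messages(messages):
    """Group messages by the log source each would parse under."""
    routed = {}
    for msg in messages:
        routed.setdefault(identify_log_source(msg), []).append(msg)
    return routed


# Constructed sample messages (not real beat output).
SAMPLE_MESSAGES = [
    {"beatname": "proofpointbeat", "device_type": "heartbeat", "status": "running"},
    {"beatname": "proofpointbeat", "device_type": "proofpoint", "event": "message blocked"},
    {"beatname": "genericbeat", "device_type": "unknownvendor", "event": "unparsed"},
    {"beatname": "genericbeat", "event": "no device_type field at all"},
]

if __name__ == "__main__":
    for source, msgs in route_messages(SAMPLE_MESSAGES).items():
        print(f"{source}: {len(msgs)} message(s)")
```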