
Configure Generic Beat Log Flows into SIEM

The Generic Beat is designed to collect data from log sources that use authentication, authorization, and pagination styles similar to those already implemented in other beats. There is no JQ pipeline for the Generic Beat.

Identification of the Log Type

Generally, logs are identified using the beat name, but the Generic Beat can carry multiple log source types. Because of this, the beat name alone is not sufficient to identify the log type.

To overcome this problem, use the device_type field as the log source name value when configuring the Generic Beat.

Identification of Heartbeat Message

When support for a particular log source type is provided via the Generic Beat, the heartbeat message for that log source is parsed, and a new log source type is created for the heartbeat.

To identify the heartbeat message, apply the beatname and device_type check in LSVT that is performed with all log sources.

For example, to configure Proofpoint as a log source in the Generic Beat, apply conditions (beatname=proofpointbeat and device_type=heartbeat) to identify the heartbeat and create a new log source (Syslog - Open Collector - ProofpointBeat Heartbeat).

Log Flow to SIEM

By default, all Generic Beat logs will be parsed under the Syslog - Open Collector log source. Logs with parsing support will be parsed by their respective log sources.

For example, if Proofpoint logs are generated by the Generic Beat and parsing is supported, then all Proofpoint logs in the SIEM will parse via the Syslog - Open Collector - Proofpoint log source, and the heartbeat message will parse via the Syslog - Open Collector - ProofpointBeat Heartbeat log source.
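The identification and routing rules described above, as an added Python sketch (not code from the product or this page). The pipe-delimited key=value message layout, the device_type values `proofpoint` and `acme_api`, and the function names are assumptions made for illustration; the log source names and the heartbeat condition come from the Proofpoint example.

```python
import re

DEFAULT_SOURCE = "Syslog - Open Collector"

# Heartbeat rule from the page: beatname=proofpointbeat AND device_type=heartbeat.
HEARTBEAT_RULES = {
    ("proofpointbeat", "heartbeat"):
        "Syslog - Open Collector - ProofpointBeat Heartbeat",
}

# device_type values that have parsing support.
# The value "proofpoint" is an assumption; use the value set in your beat config.
PARSED_DEVICE_TYPES = {
    "proofpoint": "Syslog - Open Collector - Proofpoint",
}

# Assumed layout: |key=value|key=value|...
FIELD_RE = re.compile(r"\|(\w+)=([^|]*)")


def fields(message):
    """Extract key=value pairs from a message, normalised to lower case."""
    return {k.lower(): v.strip().lower() for k, v in FIELD_RE.findall(message)}


def route(message):
    """Return the log source a Generic Beat message would be parsed under."""
    f = fields(message)
    beat, dev = f.get("beatname"), f.get("device_type")
    # 1. Heartbeats need both fields to match; beatname alone is ambiguous.
    if (beat, dev) in HEARTBEAT_RULES:
        return HEARTBEAT_RULES[(beat, dev)]
    # 2. Supported device types go to their own log source.
    # 3. Everything else stays under the default Open Collector source.
    return PARSED_DEVICE_TYPES.get(dev, DEFAULT_SOURCE)


# Constructed sample messages (not real product output).
SAMPLES = [
    "|beatname=proofpointbeat|device_type=heartbeat|status=running|",
    "|beatname=proofpointbeat|device_type=proofpoint|action=blocked|",
    "|beatname=proofpointbeat|device_type=acme_api|result=ok|",  # no parsing support
    "|beatname=proofpointbeat|result=ok|",                       # device_type missing
]


def route_all(messages=SAMPLES):
    return [route(m) for m in messages]


if __name__ == "__main__":
    for msg, src in zip(SAMPLES, route_all()):
        print(f"{src:52} <- {msg}")
```

The last two samples show why device_type must be set when configuring the Generic Beat: without a recognised value, logs remain under the default Syslog - Open Collector source.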
