topic Is it possible with Splunk Enterprise to input JSON logs into the instance and transform them to CEF format? in Splunk Enterprise

Is it possible with Splunk Enterprise to input JSON logs into the instance and transform them to CEF format?

aneuharth93 — Thu, 23 Feb 2023 17:45:32 GMT

Hello!

Is it possible with Splunk Enterprise to input JSON logs into the instance and transform them to CEF format?

Re: JSON to CEF Format

richgalloway — Mon, 14 Sep 2020 14:43:17 GMT

Please tell us more about what you want to do? What is the use case?

Re: JSON to CEF Format

aneuharth93 — Mon, 14 Sep 2020 14:56:45 GMT

Sure thing!

Currently, I am ingesting logs from Slack which come in JSON format. Our current SIEM solution does not have a good way to parse these. However, we can ingest CEF/syslog formats easily.

So I am looking to ingest Slack logs, transform to a different data format, and forward it to our SIEM.

Please let me know if you need any further information, but that's the gist of it.

Thank you

Re: JSON to CEF Format

allamiro — Wed, 22 Feb 2023 22:14:40 GMT

If you have the ability to output a file in CEF format, you may be able to use Splunk to output the file and then use a parser script to generate the CEF logs that you need. The feasibility of this approach depends on the specific use case and the logs that you are ingesting. This is a solution that I have developed in the past to convert json format for cisco logs to CEF

https://medium.com/@tamirsuliman/convert-elk-json-format-to-cef-format-41730be67f36

Re: JSON to CEF Format

allamiro — Thu, 23 Feb 2023 10:16:34 GMT

it would b easier if you post a sample message of the json logs. you getting from slack