Hello!
Is it possible with Splunk Enterprise to input JSON logs into the instance and transform them to CEF format?
If you have the ability to output a file in CEF format, you may be able to use Splunk to output the file and then use a parser script to generate the CEF logs that you need. The feasibility of this approach depends on the specific use case and the logs that you are ingesting. This is a solution that I have developed in the past to convert JSON format for Cisco logs to CEF:
https://medium.com/@tamirsuliman/convert-elk-json-format-to-cef-format-41730be67f36
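As an added illustration of the parser-script approach described above (example code, not from the post or the linked article), here is a Python converter that turns newline-delimited JSON into CEF lines with the header and extension escaping CEF requires. The sample records, the vendor/product strings and the field names are constructed assumptions, not Slack's real event schema.

```python
import json

def _esc_header(value):
    # CEF header fields: backslash and pipe must be escaped
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(value):
    # CEF extension values: backslash and equals must be escaped,
    # line breaks are written as the two characters "\n" / "\r"
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def json_to_cef(record, vendor, product, version, field_map, severity=3):
    """Return one CEF line for a parsed JSON record.

    field_map: {cef_extension_key: json_key}; JSON keys absent from the
    record are skipped rather than emitted as empty extension values.
    """
    action = record.get("action", "unknown")  # assumed field name
    header = "|".join(_esc_header(v) for v in (
        vendor, product, version,
        action,  # Device Event Class ID
        action,  # Name
        max(0, min(10, int(record.get("severity", severity)))),  # 0-10 range
    ))
    ext = " ".join(f"{k}={_esc_ext(record[j])}"
                   for k, j in field_map.items() if j in record)
    return f"CEF:0|{header}|{ext}"

def convert_lines(json_lines, **kwargs):
    """Convert newline-delimited JSON to CEF; malformed lines are dropped."""
    out = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            if not isinstance(rec, dict):
                continue  # only JSON objects can be mapped to CEF
            out.append(json_to_cef(rec, **kwargs))
        except (ValueError, TypeError):
            continue  # skip lines that are not valid JSON or have bad types
    return out

# Constructed sample input (NOT real Slack output); field names are assumptions.
SAMPLE = [
    '{"action":"user_login","actor":"alice","src_ip":"10.0.0.5","severity":3,"note":"ok"}',
    '{"action":"file|shared","actor":"bob","src_ip":"10.0.0.9","severity":5,"note":"path=C:\\\\tmp"}',
    'not json',
]
FIELD_MAP = {"suser": "actor", "src": "src_ip", "msg": "note"}

if __name__ == "__main__":
    for cef in convert_lines(SAMPLE, vendor="Example", product="Slack JSON Bridge",
                             version="1.0", field_map=FIELD_MAP):
        print(cef)
```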
Sure thing!
Currently, I am ingesting logs from Slack, which come in JSON format. Our current SIEM solution does not have a good way to parse these. However, we can ingest CEF/syslog formats easily.
So I am looking to ingest Slack logs, transform them to a different data format, and forward them to our SIEM.
Please let me know if you need any further information, but that's the gist of it.
Thank you
It would be easier if you post a sample message of the JSON logs you are getting from Slack.
Please tell us more about what you want to do. What is the use case?