I'm attempting to parse SYSLOG JSON alerts from a Wazuh instance (based on ELK stack). When the logs come into the ERC, there appears to be a syslog header before the start of the JSON. If I paste just the pure JSON and change the Format:JSON, it parses everything automatically, but it appears due to this syslog header, it doesn't know how to parse the entire text and I have to start use regex to pull specific pieces of information. I'd like to let the ASP automatically parse the JSON and then map the fields accordingly, but it seems like I have create an ASP rule for every single event type I care about, which isn't ideal if we can just automatically parse the raw JSON and then map to fields in McAfee ESM, to eliminate having to use regex and create a specific parsing rule for every event type.
Below is how the syslog comes in from the Wazuh host:
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.
Community Help Hub
New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.