Syslog data in ECS Format

Hey, I found the guidelines for Splunk and Apache logs to be sent to ECS format. I am new to the Cribl tool, but wanted to ask about how I would convert data from several sources being received over the Syslog port. If I were receiving Palo Alto and Azure data over the same Syslog port to Cribl and wanted them to get converted to ECS format before sending the data to Elasticsearch, would I need to build out several pipelines for each type of Azure log and each type of Palo Alto log? Or is there an easier way to do this? Please correct me where necessary.

I would establish routes, 1 for each type of data. Most likely the routes would be based on matching strings in the _raw field: _raw.includes() and _raw.startsWith(), and maybe /regex/.test(_raw). The sending IP might also be a qualifier unless a load balancer is in the way. Then have different pipelines for each that are specific to their content.

If there are common functions needed to prep the data, you could create a pipeline for them and either use the Chain function to call it from within the other pipelines, or you could attach it to the destination (aka, post-processing pipeline). You can see a sample of this sort of use case in the Cisco ASA and Cisco FTD packs.
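Added example, not part of the original replies and not Cribl's own code: a plain JavaScript model of the first-match routing described above, using the same kinds of tests on _raw (includes, startsWith, regex) plus the sender IP as an extra qualifier. The route names, pipeline names, the `sender` field, the IP addresses and the sample events are all constructed assumptions.

```javascript
// Hypothetical firewall addresses (documentation range); only usable as a
// qualifier when no load balancer rewrites the source IP.
const FIREWALLS = new Set(['192.0.2.10', '192.0.2.11']);

// Ordered route table: the first filter that returns true wins.
// `sender` is a hypothetical field holding the sending IP.
const routes = [
  { name: 'pan_traffic', pipeline: 'pan_traffic_to_ecs',
    filter: (e) => FIREWALLS.has(e.sender) && /^<\d+>.*,TRAFFIC,/.test(e._raw) },
  { name: 'pan_threat', pipeline: 'pan_threat_to_ecs',
    filter: (e) => FIREWALLS.has(e.sender) && e._raw.includes(',THREAT,') },
  { name: 'azure_signin', pipeline: 'azure_signin_to_ecs',
    filter: (e) => e._raw.startsWith('{') &&
                   e._raw.includes('"category":"SignInLogs"') },
  // Catch-all so unrecognised events are kept rather than silently dropped.
  { name: 'unmatched', pipeline: 'passthru', filter: () => true },
];

// Return the pipeline name for an event; non-string _raw goes to the catch-all.
function pickPipeline(event) {
  if (typeof event._raw !== 'string') return 'passthru';
  return routes.find((r) => r.filter(event)).pipeline;
}

// Constructed sample events (not captured from real devices).
const samples = {
  traffic: { sender: '192.0.2.10',
    _raw: '<14>Jan 10 10:00:00 fw01 1,2024/01/10 10:00:00,001234567890,TRAFFIC,end,2049' },
  threat: { sender: '192.0.2.11',
    _raw: '<14>Jan 10 10:00:01 fw02 1,2024/01/10 10:00:01,001234567891,THREAT,url,2049' },
  azure: { sender: '198.51.100.7',
    _raw: '{"time":"2024-01-10T10:00:02Z","category":"SignInLogs"}' },
  // Contains ",TRAFFIC," but comes from an unknown sender, so it is not
  // treated as firewall data.
  spoofed: { sender: '203.0.113.5',
    _raw: '<14>Jan 10 10:00:03 x 1,2024/01/10 10:00:03,0,TRAFFIC,end,1' },
  other: { sender: '198.51.100.9',
    _raw: '<13>Jan 10 10:00:04 host1 sshd[100]: session opened' },
};

for (const [label, ev] of Object.entries(samples)) {
  console.log(label.padEnd(8), '->', pickPipeline(ev));
}
```

Order matters in such a table: the most specific filters go first and the catch-all last, so events that match nothing remain visible for review.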