Question

Transforming Windows Event Logs to Sentinel-native Fields

  • December 13, 2025
  • 0 replies
  • 21 views

smashtitle

Hello everyone!


I’m quite new to Cribl, but I’ve spent about 10-20 hours so far reading the documentation. I’d like to send Windows event logs from on-prem servers and workstations to Azure Storage with the sort of parsing/normalisation that you’d have from Azure Monitor Agent (such as the SecurityEvent and WindowsEvent structures). This isn’t directly possible with Azure Monitor Agent and the AgentDirectToStore kind in Data Collection Rules (only Azure VMs are supported). I’m hoping that one of the Cribl products can help me with this. I looked at the Sentinel pack, and it appears to only support forwarding data to Sentinel. Is there an existing solution for mapping/normalisation/transformation (I’m not sure which term(s) are appropriate here: pipelines are so complicated!)? My environment has a lot of events across many log providers, and I’m also not sure what kind of magic Azure Monitor Agent does to events (i.e., is it just changing field names? Does it enrich the data, and if so, how?), so I don’t know whether updating field names is sufficient. Anything you can tell me will be helpful.


Thanks so much,
smash
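The post asks whether reaching the SecurityEvent/WindowsEvent shape is only a matter of renaming fields. The following is an added example, not part of the original post and not Cribl's or Microsoft's code: it takes a raw Windows event in its EVTX XML form (a constructed 4624 logon event) and produces two records modelled on the public SecurityEvent and WindowsEvent table schemas. The column names are an assumption taken from those published schemas and should be checked against your own workspace, and the mapping illustrates the kinds of work such normalisation involves (renaming, type conversion, promoting EventData values to columns, deriving fields such as Account and EventLevelName) rather than reproducing what Azure Monitor Agent does internally. It is written in Python so it runs stand-alone; the same field logic would be expressed as functions in a Cribl pipeline.

```python
# Added example: normalise an EVTX XML event into SecurityEvent- and
# WindowsEvent-like records. Column names are assumed from the public table
# schemas; the sample event is constructed for this example.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a Security 4624 (successful logon) event.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4624</EventID>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <TimeCreated SystemTime="2025-12-13T09:15:27.123456Z"/>
    <EventRecordID>123456</EventRecordID>
    <Channel>Security</Channel>
    <Computer>WS01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">WS01$</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
    <Data Name="WorkstationName">WS01</Data>
  </EventData>
</Event>"""

# Windows event log level codes (0 and 4 both render as Information).
LEVEL_NAMES = {0: "Information", 1: "Critical", 2: "Error", 3: "Warning", 4: "Information", 5: "Verbose"}

# Short activity descriptions for the event IDs used here (constructed subset).
ACTIVITY = {4624: "An account was successfully logged on.", 4625: "An account failed to log on."}

# EventData names that SecurityEvent exposes as top-level columns (assumed subset).
SECURITY_PROMOTED = ("SubjectUserName", "SubjectDomainName", "SubjectLogonId",
                     "TargetUserName", "TargetDomainName", "TargetLogonId",
                     "LogonType", "IpAddress", "IpPort", "WorkstationName", "ProcessName")
INT_COLUMNS = {"LogonType", "IpPort"}


def parse_time(system_time):
    """Turn the EVTX SystemTime string into an aware UTC datetime (fraction truncated to microseconds)."""
    base, _, frac = system_time.rstrip("Z").partition(".")
    return datetime.fromisoformat(f"{base}.{frac[:6].ljust(6, '0')}").replace(tzinfo=timezone.utc)


def parse_event(xml_text):
    """Split an EVTX XML event into its System header (typed) and a dict of EventData values."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    header = {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "level": int(system.findtext("e:Level", namespaces=NS)),
        "task": int(system.findtext("e:Task", namespaces=NS)),
        "opcode": int(system.findtext("e:Opcode", namespaces=NS)),
        "time_created": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "record_id": int(system.findtext("e:EventRecordID", namespaces=NS)),
        "channel": system.findtext("e:Channel", namespaces=NS),
        "computer": system.findtext("e:Computer", namespaces=NS),
    }
    event_data = {}
    ed = root.find("e:EventData", NS)
    if ed is not None:
        for i, d in enumerate(ed.findall("e:Data", NS)):
            # Security events name their Data elements; fall back to a positional key otherwise.
            event_data[d.get("Name") or f"Data{i}"] = d.text or ""
    return header, event_data


def to_windows_event(header, event_data):
    """WindowsEvent-like record: header columns plus EventData kept as a nested object."""
    return {
        "TimeGenerated": header["time_created"], "Computer": header["computer"],
        "Channel": header["channel"], "EventID": header["event_id"], "Provider": header["provider"],
        "EventLevel": header["level"], "EventLevelName": LEVEL_NAMES.get(header["level"], str(header["level"])),
        "Task": header["task"], "Opcode": header["opcode"], "EventRecordId": header["record_id"],
        "EventData": dict(event_data),
    }


def to_security_event(header, event_data):
    """SecurityEvent-like record: promote well-known EventData fields to columns and derive Account."""
    if header["channel"] != "Security":
        raise ValueError("SecurityEvent holds Security-channel events only")
    row = {
        "TimeGenerated": header["time_created"], "Computer": header["computer"],
        "EventID": header["event_id"], "EventSourceName": header["provider"],
        "Channel": header["channel"], "Task": header["task"],
        "Activity": f"{header['event_id']} - {ACTIVITY.get(header['event_id'], '')}".rstrip(" -"),
    }
    for name in SECURITY_PROMOTED:
        if name in event_data:
            value = event_data[name]
            row[name] = int(value) if name in INT_COLUMNS and value.isdigit() else value
    # Account is derived (assumed DOMAIN\user from the Target* pair, as for logon events).
    if "TargetUserName" in event_data:
        row["Account"] = f"{event_data.get('TargetDomainName', '')}\\{event_data['TargetUserName']}"
    return row
```

Running `parse_event(SAMPLE_EVENT_XML)` and passing the result to both mappers shows the difference between the two shapes: WindowsEvent keeps EventData as a nested object, while SecurityEvent flattens selected values into columns, converts LogonType to a number and adds derived columns. Whichever tool performs the transformation, those structural and type changes are the part that a plain field rename does not cover.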