Receiving Data
While the configuration section explains how to send data out, this section looks at how to configure Fluency SIEM to receive data from Replay.
Just like collecting data from the outside world, the Fluency SIEM has to be configured to get data from Replay.
One quick way is to select an application. To do this, go to the platform section and choose applications, then choose application templates. At the bottom, under system components, you should see a Fluency replay HEC application. You only have to click and install that pipeline.

If you need to install the pipeline outside of the system components, this can be done by installing an HEC receiver. Have the HEC receiver send its data to a processor that is a simple pass-through. This is an example of a pass-through pipe that handles the case where there is metaflow data:
function main(doc) {
    if (doc.obj["@type"] == "metaflow") {
        // Keep the original record and its timestamp before replacing doc.obj
        let flow = doc.obj
        let timestamp = doc.obj["@timestamp"]
        // Wrap the metaflow record in an event envelope
        doc.obj = {
            "@collector": "fluency-server",
            "@eventType": "flow",
            "@event_type": "flow",
            "@parser": "fpl-flow",
            "@parserVersion": "20250402",
            "@sender": "52.4.126.188",
            "@source": "52.4.126.188",
            "@timestamp": flow["timestamp"], // replaced below by the original @timestamp
            "@type": "event",
        }
        doc.obj["@flow"] = flow
        doc.obj["@timestamp"] = timestamp
        return "pass"
    }
    // The body of the original message is held in the event field
    //doc.obj = doc.obj["event"]
    return "pass"
}
A passthrough that is just doing events can be as simple as this:
function main(doc) {
    doc.obj = doc.obj["event"]
    return "pass"
}
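The two pass-through processors above can be combined into one that also leaves a document untouched when it has no `event` field, instead of replacing it with `undefined`. This is an added example, not Fluency's own code: it is written as plain JavaScript so it can be exercised under Node.js, the names `SENDER`, `wrapFlow` and `runSamples` are hypothetical, the sample documents are constructed, and that the FPL runtime accepts the same syntax is an assumption.

```javascript
// Added example, runnable under Node.js. SENDER is a constructed placeholder.
let SENDER = "192.0.2.10";

// Build the event envelope from the page's metaflow example around a flow record.
function wrapFlow(flow, timestamp) {
  return {
    "@collector": "fluency-server",
    "@eventType": "flow",
    "@event_type": "flow",
    "@parser": "fpl-flow",
    "@parserVersion": "20250402",
    "@sender": SENDER,
    "@source": SENDER,
    "@timestamp": timestamp,
    "@type": "event",
    "@flow": flow
  };
}

function main(doc) {
  let obj = doc.obj;
  if (obj === null || typeof obj !== "object") {
    return "pass"; // nothing to reshape
  }
  if (obj["@type"] == "metaflow") {
    // Prefer the envelope timestamp; fall back to the flow's own field.
    let ts = obj["@timestamp"] !== undefined ? obj["@timestamp"] : obj["timestamp"];
    doc.obj = wrapFlow(obj, ts);
    return "pass";
  }
  // Unwrap only when an "event" object is present, so a document that is
  // already unwrapped is not replaced by undefined and lost to detection.
  let inner = obj["event"];
  if (inner !== null && typeof inner === "object") {
    doc.obj = inner;
  }
  return "pass";
}

// Constructed sample documents: wrapped event, metaflow, already-unwrapped event.
function runSamples() {
  let docs = [
    { obj: { event: { "@type": "event", "@message": "login ok" } } },
    { obj: { "@type": "metaflow", "@timestamp": 1743552000000, sip: "192.0.2.1" } },
    { obj: { "@type": "event", "@message": "already unwrapped" } }
  ];
  return docs.map(function (d) { return { result: main(d), obj: d.obj }; });
}

console.log(JSON.stringify(runSamples(), null, 2));
```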
Before testing, ensure that the resources for the data type you are sending are turned on. This will ensure both detection rules and reporting. This can be found on SIEM->Resource Sync. These behaviors ensure detection by EventWatch.

Finally, send this pipe to the EventWatch service.
To test the service, send data from Replay into the SIEM. You can look at the different pipe queues to see that data is being ingested. While timeline data is immediate, the summary data waits for the window to close or the threshold to be exceeded.