I would like to know if anybody has used ELK to centralise device logs (Windows, Linux, firewall, etc.) before forwarding them on to a SIEM? I have a requirement to have central log storage at each of my geographical locations, and ELK seems perfect for this. However, I then need to have the same log data forwarded to my SIEM for correlation, alerting, etc.
I would be interested to hear if this can be done natively with the elastic stack. Thanks in advance.
I'm trying to do the same, and my first doubt is how to manage the different log sources in my SIEM, because they obviously have the same header generated by Logstash, and the SIEM uses the log source IP address to discover log sources. In this way, if I send 4 different syslog firewall sources to Logstash and Logstash then forwards them to the SIEM, I can't differentiate the log sources. Have you tested any config for this?
Thanks for the reply! I have not conducted any testing yet, as I am only in the design stage. I'm looking at ways to centralise logs and have them forwarded to a SIEM, with minimal architecture/complexity. I take it from your reply that you are unable to get this working?
I'm thinking that perhaps the only option is to have 2 agents on the log source, i.e. one for Logstash (Beats) and one for the SIEM (e.g. an AlienVault agent). Syslog is less of a problem, as it can be forwarded to multiple destinations...
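The native Logstash fan-out described above (one syslog input, one copy kept locally in Elasticsearch, a second copy forwarded to the SIEM), as an added example that is not part of this thread and not an Elastic-provided configuration. The hostnames, ports and the `origin` field name are assumptions chosen for illustration; the SIEM is assumed to accept RFC3164 syslog over TCP. It also addresses the source-identification problem raised earlier in the thread: the SIEM will see every forwarded event arriving from the Logstash IP, so the original sender is re-emitted in the RFC3164 HOSTNAME slot of the forwarded line and kept in its own fields in the stored document.

```logstash
# Added example: Logstash pipeline that stores syslog locally and relays a
# second copy to a SIEM. Not from the original thread or from Elastic.
# Assumed: firewalls send syslog to Logstash on 5514/udp+tcp, Elasticsearch
# listens at es01:9200, the SIEM accepts RFC3164 syslog on siem.example.net:514/tcp.
input {
  syslog {
    port => 5514
    # Pin the legacy field names (host, logsource, program, priority,
    # timestamp, message) so the format string below is unambiguous.
    ecs_compatibility => disabled
  }
}

filter {
  # Preserve who actually sent the event. "host" is the sender's IP as seen
  # by Logstash; "logsource" is the hostname parsed from the syslog header.
  # "origin" is an assumed field name for this example.
  mutate {
    add_field => {
      "[origin][ip]"       => "%{host}"
      "[origin][hostname]" => "%{logsource}"
    }
  }
}

output {
  # Copy 1: regional store, kept for the local retention requirement.
  elasticsearch {
    hosts => ["http://es01:9200"]
    index => "syslog-%{+YYYY.MM.dd}"
  }

  # Copy 2: the SIEM. The TCP connection originates from Logstash, so the
  # SIEM cannot key on the packet source address. The original hostname is
  # placed back into the RFC3164 HOSTNAME position so a SIEM that parses
  # the header can still split the four firewalls into separate sources.
  tcp {
    host  => "siem.example.net"
    port  => 514
    codec => line {
      format => "<%{priority}>%{timestamp} %{logsource} %{program}: %{message}"
    }
  }
}
```

Two caveats before relying on this. First, if a device sends a header without a hostname, the syslog input will not populate `logsource` (the event is tagged `_grokparsefailure`) and the literal text `%{logsource}` would be forwarded; either drop or fix such events in the filter block, or fall back to `%{host}`. Second, this only helps if the SIEM identifies sources from the header hostname rather than strictly from the transport source IP; if it insists on the IP, the remaining native option is one `tcp` output per source on a distinct SIEM listener port, with a conditional (`if [host] == "..."`) routing each firewall to its own output.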