Looking for best practice recommendations for SysLog data retrieval?

I'm planning to receive SysLog data from various network devices that I'm not able to directly install Beats on and am trying to figure out the best way to go about it. I know Beats is being leveraged more and see that it supports receiving SysLog data, but I haven't found a diagram or explanation of which configuration would be best practice moving forward. FileBeat looks appealing due to the Cisco modules, since some of the network devices are Cisco. To break it down to the simplest question, should the configuration be one of the below or some other model?

  • Network Device > LogStash > Elastic
  • Network Device > LogStash > FileBeat > Elastic
  • Network Device > FileBeat > Elastic
  • Network Device > FileBeat > LogStash > Elastic

We want to have the network data arrive in Elastic, of course, but there are some other external uses we're considering as well, such as possibly sending the SysLog data to a separate SIEM solution. I know we could configure LogStash to output to a SIEM, but can you output from FileBeat in the same way, or would this be a reason to ultimately send to LogStash at some point?

Thank you in advance!