Recommendations for syslog ingestion?

We have many applications where we would like to ingest their log data into Elastic Stack; however, the log shipping mechanism is syslog (BSD, CEF, or RFC 5424). Our use case is SIEM & threat hunting.

Here are options I can think of:

  • Send the logs to a server running rsyslog or syslog-ng, then consume this data with Filebeat.
  • Send the logs to a Logstash server.

Are there other options? Of these options, which is the most recommended?


Hey,

just FYI, filebeat has a syslog input as well, so no need for an rsyslog/syslog-ng server. See https://www.elastic.co/guide/en/beats/filebeat/7.6/filebeat-input-syslog.html

If you would like to start simple with as few components as possible, that might be the way to go.

--Alex

My understanding is that filebeat only supports syslog RFC 3164 and not RFC 5424.
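Whether an input understands RFC 5424 only matters if your sources actually emit it, so it is worth checking what arrives on the wire before picking between the Filebeat syslog input and a Logstash/rsyslog front end. The following parser is an added example written for this thread (not code from Filebeat, Logstash or Elastic); the two sample lines are constructed, and it splits PRI into facility/severity and pulls out RFC 5424 structured data so the format of each source can be classified before ingestion.

```python
import re

# Constructed sample lines: one BSD/RFC 3164 line, one RFC 5424 line (not taken from the thread).
SAMPLE_3164 = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
SAMPLE_5424 = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
               '[exampleSDID@32473 iut="3" eventSource="Application"] An application event log entry')

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d)\s(?P<ts>\S+)\s(?P<host>\S+)\s(?P<app>\S+)\s"
    r"(?P<procid>\S+)\s(?P<msgid>\S+)\s(?P<sd>-|(?:\[.*?\])+)(?:\s(?P<msg>.*))?$")
# BSD/RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s"
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<msg>.*)$")
SD_RE = re.compile(r"\[(?P<id>[^\s\]]+)(?P<params>[^\]]*)\]")   # one [SD-ID params...] block
PARAM_RE = re.compile(r'(\S+)="([^"]*)"')                        # key="value" pairs inside a block


def parse_syslog(line: str) -> dict:
    """Parse one syslog line, reporting whether it is RFC 5424 or BSD/RFC 3164 framed."""
    m = RFC5424_RE.match(line)
    if m:
        d = m.groupdict()
        fmt = "rfc5424"
        sd = {}
        if d["sd"] != "-":
            for block in SD_RE.finditer(d["sd"]):
                sd[block.group("id")] = dict(PARAM_RE.findall(block.group("params")))
        d["structured_data"] = sd
    else:
        m = RFC3164_RE.match(line)
        if not m:
            raise ValueError("not a recognised syslog line")
        d = m.groupdict()
        fmt = "rfc3164"
    pri = int(d.pop("pri"))
    if pri > 191:  # facility 0-23 and severity 0-7 give at most 23*8+7
        raise ValueError("PRI out of range")
    d["format"] = fmt
    d["facility"], d["severity"] = divmod(pri, 8)
    return d


if __name__ == "__main__":
    for sample in (SAMPLE_3164, SAMPLE_5424):
        print(parse_syslog(sample))
```

Run it over a capture of each source's traffic and count the `format` values to see which sources would be mis-parsed by a 3164-only input.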