We have many applications where we would like to ingest their log data into Elastic Stack; however, the log shipping mechanism is syslog (BSD, CEF, or RFC 5424). Our use case is SIEM & threat hunting.
Here are options I can think of:
Are there other options? Of these options, which is the most recommended?
Hey,
just FYI, filebeat has a syslog input as well, so no need for a rsyslog/syslog-ng server. See https://www.elastic.co/guide/en/beats/filebeat/7.6/filebeat-input-syslog.html
If you would like to start simple with as few components as possible, that might be the way to go.
--Alex
My understanding is that filebeat only supports syslog RFC 3164 and not RFC 5424.
Sorry, I misread. You are right, you may want to ask the developers on that issue here https://github.com/elastic/beats/issues/6872
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.