I'm using the SIEM in order to see and monitor netflow and beats data.
But now I want to add every syslog message from Linux, Windows and network devices (Cisco and many more). All these logs will be sent to an independent index, and I want to add it to the SIEM default indices in order to let the SIEM search for data there.
Is it possible to receive syslog data from different platforms so the SIEM can look for events on them?
Is it better to use Filebeat with the syslog module or Logstash with the syslog input to reach my objective? Please send me a how-to URL if you can.
> Is it better to use Filebeat with the syslog module or Logstash with the syslog input to reach my objective?
It's better to use the Beats described above (as opposed to just using Logstash). The data collected by Beats will automatically be available in the SIEM app.
One of the many reasons using Beats is a better option is that its modules will ensure the logs are parsed semantically, to extract meaningful data from the raw logs. For example, Beats will extract the process ID from raw logs representing process creation events, and map the process ID to the process.pid field in the Elastic Common Schema (ECS).
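As an added illustration of the semantic parsing the answer describes (this is not Beats' own parser, nor code from the original thread), the snippet below takes a few constructed BSD-style syslog lines and maps them onto ECS field names: the `sshd[2143]` tag becomes `process.name` and `process.pid`, the `<PRI>` value becomes `log.syslog.facility.code` and `log.syslog.severity.*`, and the host becomes `host.name`. The sample lines, hostnames and PIDs are made up; a network-device line without a process tag is included to show the fields simply staying absent rather than the line being dropped.

```python
import re

# Constructed sample syslog lines (RFC 3164 layout); not captured from any real host.
SAMPLE_LINES = [
    "<86>Jan 12 10:15:32 web01 sshd[2143]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "<30>Jan 12 10:15:40 web01 systemd[1]: Started Session 42 of user alice.",
    "<189>Jan 12 10:16:01 core-sw1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to down",
]

# Classic BSD syslog layout: <PRI>TIMESTAMP HOST TAG[PID]: MSG
# PRI and the TAG[PID] prefix are optional so device lines without them still parse.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<proc>[A-Za-z0-9_.\-/]+)(?:\[(?P<pid>\d+)\])?: )?"
    r"(?P<msg>.*)$"
)

# Syslog severity codes 0..7 as named in ECS log.syslog.severity.name.
SEVERITY_NAMES = [
    "emergency", "alert", "critical", "error",
    "warning", "notice", "informational", "debug",
]


def parse_syslog_to_ecs(line: str) -> dict:
    """Map one raw syslog line onto a flat dict of ECS field names.

    Unparseable lines are kept (event.original) with an error.message so that
    nothing is silently lost; only the structured fields are missing.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return {"event.original": line, "error.message": "unparseable syslog line"}

    ecs = {
        "event.original": line,
        "message": m.group("msg"),
        "host.name": m.group("host"),
    }
    if m.group("pri") is not None:
        pri = int(m.group("pri"))
        ecs["log.syslog.facility.code"] = pri // 8   # PRI = facility * 8 + severity
        ecs["log.syslog.severity.code"] = pri % 8
        ecs["log.syslog.severity.name"] = SEVERITY_NAMES[pri % 8]
    if m.group("proc"):
        ecs["process.name"] = m.group("proc")
    if m.group("pid"):
        ecs["process.pid"] = int(m.group("pid"))   # numeric, so range queries work in the SIEM
    return ecs


def parse_all(lines=SAMPLE_LINES) -> list:
    """Parse every sample line; returns one ECS-style dict per input line."""
    return [parse_syslog_to_ecs(line) for line in lines]


if __name__ == "__main__":
    for event in parse_all():
        print(event)
```

The point of the example is the last step: once `process.pid` is a typed integer field rather than a substring of `message`, the SIEM can correlate it with process events from other sources and run numeric or keyword queries against it, which is exactly what the Beats modules give you for free and a hand-written Logstash pipeline would have to reproduce.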