Send Linux/Windows/NetworkDevices logs to Elastic SIEM

Dear people, I have an ELK server 7.8.0.

I'm using the SIEM in order to see and monitor netflow and beats data.

But now I want to add every syslog message from Linux, Windows and Network Devices (Cisco and much more). All these logs will be sent to an independent index, and I want to add it to the SIEM default indices in order to let the SIEM search for data there.

Is it possible to receive syslog data from different platforms so SIEM can look for events on them?

Is it better to use filebeat with syslog module or logstash with syslog input to reach my objective? Please send me a howto URL if you can.

Thanks in advance!!!

Hi @jelocabral!

Is it possible to receive syslog data from different platforms so SIEM can look for events on them?

Yes, it's possible to configure Filebeat as a Syslog receiver, as documented here: Syslog input | Filebeat Reference [8.11] | Elastic

That said, given your statement:

I want to add every syslog message from Linux, Windows and Network Devices (Cisco and much more)

You will have a better experience if you ingest the data from the hosts themselves:

Is it better to use filebeat with syslog module or logstash with syslog input to reach my objective?

It's better to use the Beats described above (as opposed to just using Logstash). The data collected by Beats will automatically be available in the SIEM app.

One of the many reasons using Beats is a better option is that its modules will ensure the logs are parsed semantically, to extract meaningful data from the raw logs. For example, Beats will extract the process ID from raw logs representing process creation events, and map the process ID to the process.pid field in the Elastic Common Schema (ECS).
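A minimal filebeat.yml for the central syslog receiver and independent index discussed in this thread, added here as an example and not taken from the reply or from Elastic's documentation; the Elasticsearch host, credential names and the index name are placeholders, and binding port 514 requires root or CAP_NET_BIND_SERVICE on the collector.

```yaml
# filebeat.yml on the collector host (added example; placeholder names throughout)
filebeat.inputs:
  # UDP listener for network devices that only speak classic syslog
  - type: syslog
    protocol.udp:
      host: "0.0.0.0:514"        # needs root or CAP_NET_BIND_SERVICE
    tags: ["syslog", "udp"]
  # TCP listener for hosts that can use reliable delivery
  - type: syslog
    protocol.tcp:
      host: "0.0.0.0:514"
    tags: ["syslog", "tcp"]
# The syslog input parses priority, timestamp, hostname, program and PID
# out of the RFC 3164 header; the body is kept in the message field.

# Write to a dedicated index instead of the default filebeat-* stream.
# A custom index name is only honoured when ILM is off (or its alias is adjusted).
setup.ilm.enabled: false
setup.template.name: "syslog-central"
setup.template.pattern: "syslog-central-*"

output.elasticsearch:
  hosts: ["https://es01.example.internal:9200"]   # placeholder
  username: "filebeat_writer"                     # placeholder; least-privilege role
  password: "${ES_PWD}"                           # read from the Filebeat keystore
  index: "syslog-central-%{+yyyy.MM.dd}"
```

Because `syslog-central-*` is not among the SIEM app's default index patterns, add it to the `siem:defaultIndex` entry under Kibana Advanced Settings (the 7.x name of that setting) so the SIEM searches it alongside the Beats indices.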
