Syslog Ingestion?

[sherman82828]

I need to ingest data from devices that can only send logs via syslog. Can I send them directly to the LME server (and if so, how, because I can't find a way to do it--syslog isn't mentioned in the documentation for a logging product a single time) or do I need to send them to a Windows Server and use like Log Event Forwarder or something like I can do with Splunk?

[aarz-snl]

Focus on agent installation. Agents collect syslog logs and send to LME

https://github.com/cisagov/LME/tree/main/docs/markdown/agents

You need an elastic and/or wazuh agent for linux installed on your endpoint.

[sherman82828]

Ok so if I have the Elastic agent installed on a Windows Server device and a switch sends a syslog message to that Windows Server the Elastic agent it will automatically receive and then forward that syslog data to LME? I'm trying to get syslog from events from devices that do not support the installation of agents (switches, APs, vCenter, etc).

[aarz-snl]

Ah yes. Fair point.

Can you explain where exactly when you say it forwards the message to your windows server -- where does it go? Is there a logfile?

[aarz-snl]

Essentially you have to POINT the agent to this information somewhere. If its not Forwarded Events and its somewhere else? You will have to know where that it is. You may be able to use a custom config with elastic / wazuh to monitor that file and send the data to elasticsearch. But the default configuration will not pick that up automatically -- no. We will have to configure it somewhere.

This is a integration you can use for generic log files: https://www.elastic.co/guide/en/integrations/current/log.html

[aarz-snl]

Another question would be -- I assume this device has some type of syslog that can forward events ? Since its forwarding to the windows machine? What is it using to this ? Rsyslog or something like that? You MAY be able to configure it to send directly to elasticsearch -- I'm just not certain of your exact configuration

[sherman82828]

All I have are a bunch of switches and APs. Right now they send their logs directly to our Splunk server using their syslog settings on the switch/AP configuration and Splunk just ingests them just like it receives Windows Logs from the Splunk Universal Log Forwarder so there is a single logging system that receives Windows and switch/AP logs. I'd like to update those switches and APs to just send the logs to the LME server but cannot figure out how to get Elastic/LME to ingest them. This seems like a common use case (or at least a useful setup for LME if it could get syslog data in some easy way in a future version).

It sounds like currently the way to go is to set up a syslog server on one of our Windows/Linux servers that has the Elastic agent, set the Elastic agent configuration on to look at the Syslog flat file which will then send it to LME. I'm happy to try that out and see what the output looks like.

[aarz-snl]

Thats interesting -- ive never configured syslog to directly send to splunk/elasticsearch before but i assume you could just change the config to elasticsearch instead...

But yes you could also do it with a server where you collect logs to