I'm guessing this would essentially be NLS acting as a log collector and forwarding logs in accordance with the syslog RFC. The existing function of NLS wouldn't change and log info would still be on it and available.
As it turns out, we need to forward log data to another system.
Can NLS forward logs to a SIEM?
Re: Can NLS forward logs to a SIEM?
Assuming you are not requiring any sort of filtering/processing done by NLS to be maintained in its trip to the SIEM, that should be fine. All you would need to do is configure an output rule that is appropriate for the SIEM. If the SIEM accepts syslog messages as you've hinted at, you could probably do something as simple as this:
```
if [type] == "forward_to_siem_or_something" {
  syslog {
    facility => "security/authorization"
    host     => "mysiem.host.net"
    port     => 1234
    severity => "informational"
  }
}
```
And you can edit the output rules in the GUI like so:
Former Nagios employee
https://www.mcapra.com/
Re: Can NLS forward logs to a SIEM?
Great!
The next system is expecting data sent by syslog or whatever the local logger is, so it should be happy. They want raw data.
I did look at the docs and the UI, but don't get where to put the info in your code block, sorry.
Re: Can NLS forward logs to a SIEM?
In the "Global Configuration" section, the sneaky little "Show Outputs" button should open a new menu in which you can create output rules:
Former Nagios employee
https://www.mcapra.com/
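A fuller version of the output rule from the first reply, as an added example that is not from the thread or from Nagios: it is what goes into the "Show Outputs" box, and it forwards the original event text over TCP rather than UDP so that long messages are not silently dropped. The type tag, SIEM host and port are assumed values; the `type` field has to be set on the events by an input definition (`type => "forward_to_siem"`) or a filter rule, otherwise nothing matches and nothing is forwarded.

```logstash
# Added example, not NLS-shipped configuration. Paste into an NLS output rule;
# NLS wraps it in the pipeline's output {} block for you.
if [type] == "forward_to_siem" {            # assumed tag set by an input or filter
  syslog {
    host       => "siem.example.net"        # assumed SIEM hostname
    port       => 1514                      # assumed listener port
    protocol   => "tcp"                     # default is udp; tcp gives delivery feedback
    rfc        => "rfc5424"                 # use "rfc3164" if the SIEM only parses BSD syslog
    facility   => "security/authorization"
    severity   => "informational"
    message    => "%{message}"              # send the raw event text, not a re-serialised event
    sourcehost => "%{host}"                 # keep the original sender as the syslog hostname
  }
}
```

Events that still appear in NLS but never reach the SIEM usually mean the `type` value on the events does not match the conditional; check a sample event's fields in the NLS dashboard before changing anything else.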
Re: Can NLS forward logs to a SIEM?
Crap, you even circled it in red and I still missed it.
Perfect. That solves what could have been a big issue.
You can close this...
Thanks!