Syslog recommendations

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
WilnarMasonik
Posts: 4
Joined: Mon Jul 18, 2022 1:46 am

Syslog recommendations

Post by WilnarMasonik »

I've got a question for the audience here, and for those of you who have stood up and/or use a syslog solution. Sometimes they're called log vaults. It's the place where all system and device logs go. Once logs are in that place, it will be used as the source for Splunk or a SIEM to sift through and bring items to your attention. Sometimes you go there and just search through all of it while troubleshooting and investigating.

Our InfoSec team has their own solution in place, but it cherry-picks event IDs that are of interest to them and the IDR and totally ignores the rest of the logs. My team has been given the green light to obtain our own solution that will grab everything. If it plays nice with the InfoSec tool and the various NXlog configs we have set up, that's gravy. If not, it's not the end of the world; we'd just export what they're interested in to their IDR and life would continue.

I don't have many requirements, but my requirements are pretty set in stone.

Syslog requirements:

• Servers logs (windows and linux)

• Can ingest logs that are saved to a file in real time. This file can be in XML or JSON. I have one in EVTX, but it can be flipped to XML if needed.

• Can accept syslog on non-standard custom ports. We'll configure certain devices with custom ports.

• Accept the usual standard stuff you'd throw at it like switches, routers, SANs, NetApp logs, etc.

• The ability to forward on select events to another syslog

In my research so far, the limiting factor in my solution discovery has been item 2, the capability for it to ingest a file in real time. We are performing CIFS NTFS auditing with our NetApp and it places the EVTX or XML files on a protected share.

Potential candidates right now are:

Nagios Log Server

Syslog-ng

Does anyone have any recommendations?
Jklre
Posts: 163
Joined: Wed May 28, 2014 1:56 pm

Re: Syslog recommendations

Post by Jklre »

What are your goals besides put all the logs in one place? Do you want to visualize the data and do alerting or just make dashboards?

You could do a raw ELK stack instead of Nagios Log Server. It's open source and free. Nagios Log Server just has a robust alerting framework on top of the standard ELK.

Logstash (the L in ELK, which is also in Nagios Log Server) has the advantage of doing log transformation, so you can take and parse logs and mutate them into a single format you can dashboard against.
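To make the transformation point above concrete against the five requirements in the original post, here is a Logstash pipeline that tails an audit file on a share, listens for syslog on both the standard and a custom port, takes agent JSON from servers, normalises the NetApp records to the same field names as everything else, and forwards only a chosen set of event IDs to a second syslog collector. This is an added example written for this thread, not code from either poster or from the Nagios or Elastic projects. The mount path, ports, hostnames, index name, the list of forwarded event IDs and the field names assumed in the NetApp audit JSON (EventID, Computer, TimeCreated) are all assumptions for illustration; the syslog output plugin (logstash-output-syslog) is not part of every Logstash bundle and may need to be installed with `bin/logstash-plugin install logstash-output-syslog`.

```logstash
# Added example for this thread. Paths, ports, hosts and the NetApp JSON
# field names below are assumptions, not values from the original posts.

input {
  # Req. 2: tail the audit files the NetApp writes to the protected share
  # (assumed mounted locally at /mnt/netapp-audit). Assumes one JSON object
  # per line. Logstash cannot read EVTX directly; XML would need a multiline
  # codec plus the xml filter, so JSON is the easier export to pick.
  file {
    path           => "/mnt/netapp-audit/*.json"
    mode           => "tail"
    start_position => "beginning"
    sincedb_path   => "/var/lib/logstash/sincedb-netapp-audit"
    codec          => "json"
    tags           => ["netapp_audit"]
  }

  # Req. 4: switches, routers, SANs and the like on the standard syslog port
  # (binding 514 needs root or a capability; many deployments use 1514 and
  # redirect). The syslog input listens on TCP and UDP and parses RFC 3164.
  syslog {
    port => 514
    tags => ["syslog_default"]
  }

  # Req. 3: a second listener on the custom port assumed for the devices that
  # will be configured with one. Add one block per custom port.
  syslog {
    port => 5514
    tags => ["syslog_custom"]
  }

  # Req. 1: Windows and Linux servers. Assumes the existing NXlog agents
  # (or any shipper) send newline-delimited JSON over TCP to this port.
  tcp {
    port  => 6514
    codec => "json_lines"
    tags  => ["agent"]
  }
}

filter {
  # Normalise the NetApp audit records into the field names used by the
  # other sources so one dashboard and one forwarding rule cover everything.
  # Assumed source field names: EventID, Computer, TimeCreated.
  if "netapp_audit" in [tags] {
    mutate {
      rename => {
        "EventID"  => "event_id"
        "Computer" => "host"
      }
    }
    date {
      match  => ["TimeCreated", "ISO8601"]
      target => "@timestamp"
    }
  }

  # Agents may send event_id as a number; compare as a string below.
  if [event_id] {
    mutate { convert => { "event_id" => "string" } }
  }
}

output {
  # Everything is kept: Elasticsearch (or the ES bundled with Nagios Log Server).
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "logs-%{+YYYY.MM.dd}"
  }

  # Req. 5: forward only the event IDs the InfoSec team wants on to their
  # collector. The IDs here are placeholders; substitute the team's real list.
  if [event_id] in ["4624", "4625", "4663", "4719"] {
    syslog {
      host     => "idr-collector.example.internal"
      port     => 5514
      protocol => "tcp"
      rfc      => "rfc5424"
      appname  => "logvault-forwarder"
      message  => "%{host} event_id=%{event_id} %{message}"
    }
  }
}
```

Run it with `bin/logstash -f this-file.conf` and watch the sincedb file advance as new audit records appear on the share; if the share is remounted or files are rotated, the `sincedb_path` is what keeps Logstash from re-reading old events. The forwarding rule is the piece that answers the "plays nice with the InfoSec tool" question: the full stream stays local, and only the cherry-picked IDs leave.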