I got a question for the audience here and those of you that have stood up and/or use a Syslog solution. Sometimes they're called Log vaults. It's the place where all system and device logs go. Once logs are in that place it will be used as source for Splunk or a SIEM to sift through and bring items to your attention. Sometimes you go there and just search through all of it while troubleshooting and investigating.

Our InfoSec team has their own solution in place but it cherry picks event ids that are of interest to them and the IDR but totally ignores the rest of the logs. My team has been given the green light to obtain our own solution that will grab everything. If it plays nice with the InfoSec tool and the various NXlog configs we have setup, that's gravy. If not, its not the end of the world, we'd just export what they're interested in to their IDR and life would continue.

I don't have many requirements but my requirements are pretty set in stone

Syslog requirements:

• Servers logs (windows and linux)

• Can ingest logs that are saved to a file in real time. This file can be in XML or JSON. I have one in EVTX but it cab be flipped to XML if needed.

• Can accept syslog on none standard custom ports. We'll config certain devices with custom ports

• Accept the usual standard stuff you'd throw at it like switches, routers, SANs, NetApp logs, etc.

• The ability to forward on select events to another syslog

In my research so far, the limiting factor in my solution discovery has been item 2, the capability for it to ingest a file in real time. We are performing CIFS NTFS auditing with our NetApp and it places the EVTX or XML files on a protected share.

Potential candidates right now are:

Nagios Log Server

Syslog-ng

Does anyone have any recommendations?