On 25.04.2022 07:35, David Lang wrote:
> On Mon, 25 Apr 2022, Mariusz Kruk via rsyslog wrote:
>> As a slightly unrelated side question - what is this SIEM you're
>> gonna read the files with and send the events to? Can't you use some
>> solution to send events directly to SIEM, without intermediate files?
> As surprising as it seems, a lot of the SIEM tools do a pretty lousy
> job of processing network syslog.
I agree, but for some of them you can do much better by processing the
events internally and sending the properly formatted event directly to SIEM
with - for example - omhttp than by dumping events to files and having the
agent use even more iops to read and process them. I know that
perhaps mapping fields to CEF for Arcsight might not be very easy within
rsyslog itself but sending events to Splunk's HEC works like a charm.
MK
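The omhttp-to-HEC path MK describes, written out as an added rsyslog configuration example (not MK's own config and not from the rsyslog project): rsyslog receives network syslog, shapes each event into the JSON envelope Splunk's HTTP Event Collector expects, and POSTs batches over TLS instead of writing files for an agent to re-read. The Splunk hostname, the HEC token, the listener port and the error-file path are placeholders to be replaced; the template field names under `event` are a choice made here, not a Splunk requirement.

```rainerscript
# Added example: forward network syslog straight to Splunk HEC with omhttp.
# Hostname, token, port and paths below are placeholders (assumptions).
module(load="imudp")
module(load="imtcp")
module(load="omhttp")

# Listeners for network syslog; both feed the dedicated ruleset so that
# only these events get the HEC envelope.
input(type="imudp" port="514" ruleset="to_splunk")
input(type="imtcp" port="514" ruleset="to_splunk")

# One HEC event per line: the outer keys (time/host/source/sourcetype/event)
# are what /services/collector/event expects; the inner keys are our own.
# format="json" escapes quotes, backslashes and control characters so a
# crafted message body cannot break out of the JSON structure.
template(name="splunk_hec" type="list") {
    constant(value="{\"time\":\"")
    property(name="timereported" dateFormat="unixtimestamp")
    constant(value="\",\"host\":\"")
    property(name="hostname" format="json")
    constant(value="\",\"source\":\"rsyslog\",\"sourcetype\":\"syslog\"")
    constant(value=",\"event\":{\"facility\":\"")
    property(name="syslogfacility-text")
    constant(value="\",\"severity\":\"")
    property(name="syslogseverity-text")
    constant(value="\",\"program\":\"")
    property(name="programname" format="json")
    constant(value="\",\"fromhost\":\"")
    property(name="fromhost-ip")
    constant(value="\",\"message\":\"")
    property(name="msg" format="json")
    constant(value="\"}}")
}

ruleset(name="to_splunk") {
    # usehttps="on" keeps the HEC token and event contents off the wire in
    # clear text; leave certificate verification enabled (the default).
    # batch.format="newline" concatenates JSON objects, which HEC accepts
    # in a single POST, so batching cuts request count without changing
    # the per-event format.
    # A disk-assisted queue and unlimited resume retries keep events on
    # the rsyslog side while Splunk is unreachable; anything HEC rejects
    # outright (bad JSON, 4xx) is written to errorfile for later review.
    action(type="omhttp"
           server="splunk-hec.example.internal"
           serverport="8088"
           usehttps="on"
           restpath="services/collector/event"
           httpheaderkey="Authorization"
           httpheadervalue="Splunk 00000000-0000-0000-0000-000000000000"
           template="splunk_hec"
           batch="on"
           batch.format="newline"
           batch.maxsize="100"
           errorfile="/var/log/rsyslog/splunk_hec_errors.log"
           queue.type="LinkedList"
           queue.filename="splunk_hec_q"
           queue.saveOnShutdown="on"
           queue.size="200000"
           action.resumeRetryCount="-1")
}
```

Because the HEC token is a bearer credential, the config file holding it should be readable only by the rsyslog user, and `batch.maxsize` should stay under the HEC request size limit configured on the Splunk side. The `fromhost` field is worth keeping in the envelope: once events no longer pass through files, it is the only record of which relay or sender actually delivered each line, which matters when investigating spoofed or misrouted syslog.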
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog