David's not wrong... lol

Also, buffering / caching the syslog down to disk and then reading it off to the SIEM provides a bit of data loss resiliency. It also provides us a small margin (a few days) of raw logging to reference in the event of some other need: SIEM outage, forensic needs, random app owner audit need, etc.

________________________________
From: rsyslog <rsyslog-boun...@lists.adiscon.com> on behalf of David Lang via rsyslog <rsyslog@lists.adiscon.com>
Sent: Monday, April 25, 2022 1:35 AM
To: Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com>
Cc: David Lang <da...@lang.hm>
Subject: Re: [rsyslog] Basic Rsyslog Troubleshooting
On Mon, 25 Apr 2022, Mariusz Kruk via rsyslog wrote:

> As a slightly unrelated side question - what is this SIEM you're gonna read
> the files with and send the events to? Can't you use some solution to send
> events directly to SIEM, without intermediate files?

As surprising as it seems, a lot of the SIEM tools do a pretty lousy job of processing network syslog.

David Lang
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
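The disk-first layout the thread describes (raw copy on local disk, SIEM fed afterwards, nothing lost during a SIEM outage), as an added example rsyslog configuration that is not from the thread or the rsyslog project itself; the SIEM hostname, ports, paths and queue sizes are assumptions.

```rsyslog
# Added example: receive network syslog, keep a raw on-disk copy per sending
# host and day, and forward to the SIEM through a disk-assisted queue so a
# SIEM outage does not drop events. Hostnames, ports and paths are assumptions.
global(workDirectory="/var/spool/rsyslog")   # where queue files spill to disk

module(load="imudp")
module(load="imtcp")

# Raw copy on local disk: one file per sending host and day, message as received.
template(name="RawByHostDay" type="string"
         string="/var/log/remote/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")
template(name="RawLine" type="string" string="%rawmsg%\n")

ruleset(name="remote") {
    # 1) Local buffer / cache: the "few days of raw logging" for forensics,
    #    audits or replay; retention is handled by logrotate, not here.
    action(type="omfile" dynaFile="RawByHostDay" template="RawLine"
           dirCreateMode="0750" fileCreateMode="0640"
           asyncWriting="on" flushOnTXEnd="off" ioBufferSize="64k")

    # 2) Forward to the SIEM over TCP. The queue is in memory while the SIEM
    #    answers and spills to workDirectory when it does not; retry forever
    #    rather than discarding while the SIEM is down.
    action(type="omfwd" target="siem.example.internal" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="siem_fwd"
           queue.maxDiskSpace="4g" queue.saveOnShutdown="on"
           action.resumeRetryCount="-1" action.resumeInterval="30")
}

# Bind both listeners to the ruleset so every remote message takes both actions.
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
```

The raw-file retention window is a logrotate policy on /var/log/remote rather than an rsyslog setting, and /var/spool/rsyslog must have at least queue.maxDiskSpace free so the queue fills by design rather than by the filesystem running out first.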