Hi,
We are running SA 10.5.
Currently, most of our logs are sent to Graylog, helping out DevOps teams on operational matters. Windows logs are sent up with NXLog, we have some syslog, and app logs are sent with graylog-collector in GELF or plain format.
In order to support our security analysts as well, using SA, I'd like to send the raw logs that are coming into Graylog right before they enter, for example with Logstash to split the flow.
My question is: can I send a stream of logs directly to the VLC's RabbitMQ? What would be alternative ways to push logs out to the RSA chain otherwise? Straight to the decoder somehow? Or ESA?
Thank you.
Best,
fred
Hello
As long as you can get the logs into Security Analytics, we can parse them.
If the logs reside as files on the disk, then you could upload them with the SFTP agent.
If you can send them directly as syslog, then that would be even easier.
Would any of these ways be possible?
Once you have the method of getting the logs into SA we can assist with the rest.
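As an added illustration of the two suggestions in this thread (splitting the flow with Logstash, and feeding Security Analytics over syslog), here is a Logstash pipeline that is not from either poster or from RSA: it takes in the same GELF and syslog streams the existing collectors already emit, forwards them unchanged to Graylog, and forks a copy to the Log Decoder as plain syslog. The hostnames are placeholders, the Log Decoder syslog port is assumed (check the listener configured on your decoder), and the collectors are assumed to be repointed at the Logstash host instead of at Graylog.

```conf
# Added example, not part of the original thread.
# One Logstash pipeline, two outputs: Graylog keeps everything for DevOps,
# the RSA Log Decoder gets the same raw messages for the security analysts.

input {
  # Assumption: NXLog and graylog-collector are pointed at this listener
  # instead of directly at Graylog, so the fork happens here.
  gelf {
    host => "0.0.0.0"
    port => 12201
  }
  # Devices that already speak syslog can be taken in on a second port.
  syslog {
    port => 5514
  }
}

output {
  # Leg 1: unchanged delivery to Graylog over GELF (hostname is a placeholder).
  gelf {
    host => "graylog.example.internal"
    port => 12201
  }

  # Leg 2: the raw message re-emitted as RFC 3164 syslog to the Log Decoder.
  # Passing the original host as the syslog hostname keeps the decoder's
  # device attribution pointing at the real source, not the Logstash relay.
  # Hostname is a placeholder; port 514/TCP is an assumption about the decoder.
  syslog {
    host       => "logdecoder.example.internal"
    port       => 514
    protocol   => "tcp"
    rfc        => "rfc3164"
    sourcehost => "%{host}"
    message    => "%{message}"
  }
}
```

Using TCP for the decoder leg avoids silently losing events under load, which matters more for the security copy than for the operational one; if the decoder listener is UDP only, change `protocol` accordingly and expect drops during bursts.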