syslog-ng Store Box Splunk/HEC and Sentinel destinations

The syslog-ng Store Box (SSB) appliance is built on syslog-ng Premium Edition (PE). SSB inherits most of syslog-ng PE’s features and makes them available with an easy-to-use graphical user interface. One of the typical use cases for SSB (and syslog-ng PE) is optimizing the logging infrastructure for SIEM / log analysis. Two recently introduced SSB destinations for log analytics are Splunk HEC (HTTP Event Collector) and Microsoft Sentinel.

The syslog-ng Store Box appliance can collect log messages from many different log sources, in many formats. These include UNIX / Linux / Windows system logs, firewall and router logs, various application logs, and now SQL sources as well. SSB can parse, rewrite, filter, and store log messages. In addition to the traditional syslog-ng features, the SSB appliance provides an interface to search log messages, and does complete log life cycle management, including archiving and backup. Finally, it can also forward events to various on-prem and cloud destinations. It allows you to optimize your SIEM installations both for resources and licensing, as you can collect log messages in a single step, store them on SSB, and only forward a reduced subset of logs to various analytics tools.

 

Before you begin

Version 6.6 of the SSB appliance was the first one to support the Splunk destination, and version 6.7 was the first to support the Sentinel destination. However, both features received performance and bug fixes, even minor feature enhancements since the original feature releases. Thus, it is recommended to always use the latest feature release. If you do not have SSB yet, download the 30 day free trial at https://www.syslog-ng.com/register/115581/

 

Configuring and testing SSB

Once you have SSB up and running, adding a Splunk HEC or a Sentinel destination and doing basic configuration is easy. Before doing the actual configuration, you must collect some crucial information from your Splunk and / or Sentinel administrator.

For Sentinel, these are the Workspace ID and the Auth Secret.

For Splunk, these are the Token, index name and URL.

This is the bare minimum information you need to get started. With the information at hand, you are ready configure SSB. Log in as an administrator. Go to the Log menu and select Destinations. By default, Remote Host is selected, which stands for a remote syslog destination. Depending on your environment, click on Splunk or Sentinel:

Enter the information you collected earlier into the relevant fields. Do not forget to give your freshly created destination a name. Once ready, click on Commit to save.

You are now almost ready for initial testing. You now have a new destination, but it is not connected anywhere. For that, you have to add it to a log path. When you install syslog-ng, there is a preconfigured log path that collects all logs coming in from the network to a destination called Center. You can add your freshly created destination below Center. From the drop-down list, select the name of the freshly created destination.

Once you have committed the changes, you are ready for initial testing. For testing, you also need some log messages. You can direct a syslog-ng client to one of the network sources of SSB or use the loggen utility of syslog-ng to generate log messages.

If you expect to forward only at a low message rate, the default configuration is perfect. However, if you expect a higher message rate (over 10k events a second), it is worthwhile to do some performance tuning. You can set the number of parallel connections, the number of messages sent at once, and in case of Splunk, you can also configure multiple destination URLs. In this case, syslog-ng will automatically load-balance log messages among the URLs without any further software components.

 

Source: https://www.syslog-ng.com/community/b/blog#pifragment-836=5

 

About DT Asia

DT Asia began in 2007 with a clear mission to build the market entry for various pioneering IT security solutions from the US, Europe and Israel.

Today, DT Asia is a regional, value-added distributor of cybersecurity solutions providing cutting-edge technologies to key government organisations and top private sector clients including global banks and Fortune 500 companies. We have offices and partners around the Asia Pacific to better understand the markets and deliver localised solutions.



Related Articles

Taiwan CyberSec event

Reflecting on an incredible experience at the Taiwan CyberSec event! 🌟 Engaging discussions, groundbreaking insights, and invaluable connections made this event unforgettable. Thank you to all the participants, speakers, and organizers for contributing to this dynamic exchange of ideas. Let's continue working together to enhance cybersecurity worldwide! #DTAsia

ThriveDX: Meet-and-Greet with Partners in Jakarta

ThriveDX organised a Meet-and-Greet session at Kedai Kopi Tenong in Jakarta, together with PT Mega Cyber Security on September 5th. Thank you to the partners who attended the event: PT Alumagubi Raya Indonesia – Franky Yap, Robby Hartana Docotel – Nico Amon, Yudis Tuasamu PT Global Intikarya Sejahtera (GIS) – Ronald Romein, Lhesli Wuisang Nusantara […]

DT Asia 15th Anniversary

15 amazing years of delivering innovative cybersecurity technology and solutions across Asia Pacific since 2007! DT Asia is proud to say we have come far on our journey, where we have achieved incredible growth milestones in Asia – and we did not do it alone. Our accomplishments today are only possible because of the continuous support from our partners, […]

This Month in Cybersecurity: The Weather is Heating Up and So Are Cyberattacks

At the time of writing, much of Europe and the U.S. is in the midst of a major heatwave, delivering record temperatures and concerns about climate change. Just as the heat is rising, so is the threat of cyberattacks. New data has emerged that reveals 2022 is looking like it could be the worst year […]

IndoSec 2022 : Indonesia’s Premier Cyber Security Summit – Mega Cyber Security

DT Asia Pte Ltd is proud to be one of the keystone sponsors together with Yubico & ThriveDX to PT Mega Cyber Security in this upcoming IndoSec 2022 event on 6-7 September 2022. Based in Jakarta, PT Mega Cyber Security is our joint venture partner and will be participating in this event showcasing Yubico and […]

Contact DT Asia Group Hong Kong

Address: Unit 929, Kowloon Bay Industrial Centre,
15 Wang Hoi Road, Kowloon Bay, Hong Kong
Tel: +852 58010001
Emailsales@hk.dtasiagroup.com

Like Our Facebook Page :)