
Add syslog output

Open WilliamBruneau opened this issue 2 years ago • 3 comments

Some SIEMs can only receive logs as syslog messages. To support these SIEMs, we need to add a syslog output.

cf. RFC 5424.

It may be useful to add two variants of the syslog output, for TCP and UDP.

WilliamBruneau avatar Jun 15 '23 07:06 WilliamBruneau
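To make the request concrete, here is an added example (not OpenWEC code) of what a syslog output would have to emit: an RFC 5424 line with PRI, header, escaped structured data and message, plus the RFC 6587 octet-counting frame a TCP variant would use (the UDP variant sends the bare line as one datagram). Field values are constructed, and the enterprise number 32473 is the documentation placeholder from RFC 5612.

```rust
// Added example, not part of OpenWEC: building an RFC 5424 syslog line from a
// forwarded Windows event whose fields are assumed to arrive as plain strings.

/// RFC 5424 PRI value: facility * 8 + severity.
pub fn pri(facility: u8, severity: u8) -> u16 {
    (facility as u16) * 8 + (severity as u16)
}

/// Escape an SD-PARAM value: RFC 5424 section 6.3.3 requires '"', '\' and ']'
/// to be backslash-escaped, otherwise a receiver mis-parses the SD element.
pub fn escape_param(v: &str) -> String {
    let mut out = String::with_capacity(v.len());
    for c in v.chars() {
        if c == '"' || c == '\\' || c == ']' {
            out.push('\\');
        }
        out.push(c);
    }
    out
}

/// Build one RFC 5424 message. `timestamp` must already be RFC 3339
/// (e.g. taken from the event's TimeCreated); "-" is the NILVALUE.
/// PROCID is always "-" because a forwarded event has no local process id.
pub fn format_rfc5424(facility: u8, severity: u8, timestamp: &str, hostname: &str,
                      app: &str, msgid: &str, sd_id: &str, params: &[(&str, &str)],
                      msg: &str) -> String {
    let sd = if params.is_empty() {
        "-".to_string()
    } else {
        let body: Vec<String> = params.iter()
            .map(|(k, v)| format!("{}=\"{}\"", k, escape_param(v)))
            .collect();
        format!("[{} {}]", sd_id, body.join(" "))
    };
    format!("<{}>1 {} {} {} - {} {} {}", pri(facility, severity), timestamp,
            hostname, app, msgid, sd, msg)
}

/// TCP transport: RFC 6587 octet-counting framing (byte length, space, message),
/// so a receiver can split messages even when the event text contains newlines.
pub fn frame_tcp(msg: &str) -> String {
    format!("{} {}", msg.len(), msg)
}

fn main() {
    // Constructed sample: facility 1 (user), severity 5 (notice), a logon event.
    let line = format_rfc5424(1, 5, "2023-06-15T07:06:00Z", "dc01.example.test",
        "openwec", "4624", "win@32473",
        &[("Channel", "Security"), ("EventID", "4624")],
        "An account was successfully logged on");
    println!("{}", frame_tcp(&line));
}
```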

Until this is implemented, a workaround (an overkill one) can be using the unixdatagram output to forward raw events to a tool that can process them further to conform to the requirements of different SIEMs.

https://github.com/cea-sec/openwec/blob/main/doc/outputs.md#unix-domain-socket

We do something similar using OpenWEC together with syslog-ng.

MrAnno avatar Nov 23 '23 13:11 MrAnno

I'll also add that a nice-to-have would be output to systemd-journald-remote, in the journald format, which has largely supplanted syslog on newer Linux distributions.

necouchman avatar Mar 21 '24 12:03 necouchman

I have OpenWEC and rsyslog sharing a box - OpenWEC writing to files rsyslog reads from. That way any issues with the syslog server don't result in loss of logs. HTH.

a139786 avatar May 09 '24 04:05 a139786