I'm a Cybersecurity Engineer (not a sysadmin by title), and I'm trying to help out my inexperienced sysadmin in a small team. We currently don't have a syslog server, and I want to build one to consolidate logs from our Windows systems, firewalls, and switches. My experience with syslog is mostly on Linux, but since we're primarily a Windows shop, I'm unsure whether to set up the server on Windows using something like Graylog or to stick with Linux and its syslog options. I'm reaching out for advice on which platform might be better for this purpose.
4 Answers
You might also consider setting up a custom ELK stack on Linux or investing in Nagios Log Server for your Windows logs. It's often the quickest way to get your SIEM monitoring up and running. Keep Windows logs on Nagios and everything else on your preferred Linux distro with rsyslog.
I haven’t dealt much with Windows, but I suggest looking into Vector for your logging pipeline. It has a syslog source to receive and transform your data before sending it to your SIEM or other tools. Plus, check out Loki for quick and efficient log storage and querying!
To set up a central log collector, you can easily use NXlog on your Windows servers to send logs to the log collector. From there, it can forward the logs to your SIEM. That's a straightforward way to get started!
If you're looking to aggregate Windows logs, I recommend sending them directly to your SIEM instead of relying on a single point for log collection, which can lead to data loss or manipulation. Windows event logs are quite different from what you’re used to, and you might lose some important metadata if you go the syslog route.
True, Windows logs can be frustrating! I considered putting a SIEM agent on every Windows server, but that seems like a messy solution.
That sounds good, but how does NXlog pricing look? We're medium-sized and could justify costs, but we don’t need too many extra features.