Hey everyone! I'm on the hunt for some recommendations for setting up a syslog server in our environment. We'll mainly be collecting logs from FortiGate devices and Windows servers, and since our entire networking setup is based on Fortinet, it would be great to hear from anyone with experience in this area. I've never worked with a syslog server before, so I'm pretty new to all of this. The main goal is to collect logs efficiently so another team can review and analyze them later. Thanks for your help!
5 Answers
If you're comfortable using Linux, you can easily set up a small server on any spare desktop you might have. All that's needed is a decent network connection and some disk space. I recommend using Rsyslog as your log server—it allows you to keep logs from individual hosts organized separately. Consider using a tool like Checksyslog to filter out unimportant entries and send the rest to your security team. If you'd like, I've got a longer guide and some sample code linked here!
When considering syslogs, remember you have two main purposes: security reviews through a SIEM and fault detection using a Network Management System (NMS). If you currently lack a good NMS, I’d recommend getting one set up first. Even if you don’t have enough dedicated security staff for a full SIEM, you might still add longer log retention to your NMS to fulfill that role temporarily. It really all comes down to what your specific needs are and the resources you have available.
We’ve been using Graylog in our Fortinet and Cisco environment, and it’s been fantastic! Setting it up was straightforward, plus it allows for searching, generating reports, and enabling alerts if needed. For the Windows servers, remember to install a collector agent to send logs to Graylog. We use NXlog for that, and it works like a charm!
If you happen to use Crowdstrike, they offer a full SIEM solution now. You’d just need to set up a minimal syslog-ng or Rsyslog server to capture device logs, and the Falcon agent can forward those to the SIEM seamlessly.
Just a heads up, if your goal is to have logs collected for a team to review or analyze, it's crucial to keep in mind how those logs will be processed. You don’t want to create a single point of failure by centralizing all logs into one server. If the tools your team is going to use already support log aggregation, it might be better to point each log source directly to those tools instead. This way, you can avoid losing logs due to issues with the log server. But if they want you to establish your own SIEM, Rsyslog alone might not be enough for that.
Good point! Having multiple redundant destinations for syslogs is definitely an option to avoid that single point of failure.
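To make the two points above concrete (the per-host layout and basic filtering in the Rsyslog answer, and the redundant destinations suggested here), this is an added example configuration for the collector, not something any poster provided. The file path, the 192.0.2.0/24 management range and the two SIEM hostnames are assumed placeholders to replace with your own.

```conf
# Added example rsyslog configuration (not from any poster in the thread).
# Assumed path: /etc/rsyslog.d/10-remote.conf on the collector.
# Placeholders: siem-a/siem-b.example.internal and the 192.0.2.0/24 range.

# Disk-assisted queues below need a work directory; Debian-style installs
# already set this in rsyslog.conf, so adjust or drop it to match yours.
global(workDirectory="/var/spool/rsyslog")

# Accept syslog from the FortiGates and the Windows forwarders on UDP and TCP 514.
module(load="imudp")
module(load="imtcp")

# One file per sending host per day, so each device's logs stay separate.
# FROMHOST is the sender's name (or address if it does not resolve), which is
# more reliable than the HOSTNAME field some devices leave empty or set oddly.
template(name="RemotePerHost" type="string"
         string="/var/log/remote/%FROMHOST%/%$year%-%$month%-%$day%.log")

ruleset(name="remote") {
    # Drop debug-level chatter (severity 7) before it is stored or forwarded;
    # extend this with device-specific matches once you know what your noise is.
    if $syslogseverity >= 7 then stop

    # Only accept from the expected management network; anything else is
    # written to its own file and dropped, so a stray or spoofed source shows up.
    if not ($fromhost-ip startswith "192.0.2.") then {
        action(type="omfile" file="/var/log/remote/unexpected-sources.log")
        stop
    }

    # Local copy, organised per host, with directories created on demand.
    action(type="omfile" dynaFile="RemotePerHost"
           dirCreateMode="0750" fileCreateMode="0640"
           dirOwner="root" dirGroup="adm" fileOwner="root" fileGroup="adm")

    # Forward to two independent destinations so this box is not the only
    # place the logs live. Each action has its own disk-assisted queue: if a
    # destination is down, messages are spooled and retried instead of lost,
    # and the other destination keeps receiving in the meantime.
    action(type="omfwd" target="siem-a.example.internal" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_siem_a"
           queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
    action(type="omfwd" target="siem-b.example.internal" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_siem_b"
           queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}

# Bind both listeners to the ruleset so remote traffic never mixes with the
# collector's own local logs in /var/log/syslog.
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
```

Run `rsyslogd -N1` after saving to syntax-check the file before restarting the service. The FortiGates still have to be pointed at the collector on their side, and the Windows servers need an agent such as the NXLog mentioned in the Graylog answer, since Windows does not speak syslog natively. If any of these hops cross a network segment you do not fully trust, use the TCP listener and forwarders with rsyslog's TLS support rather than plain UDP, because UDP syslog is unauthenticated and silently dropped when the receiver is down.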
Yeah, Graylog has been great for us too! Just ensure you have that collector agent set up on your Windows servers for seamless log shipping.