SIEM + SuperCharger - ensuring log collection

We're using 1 collector to handle ~3500 endpoints.  I've increased the destination log sizes to 1GB for ForwardedEvents (where we've directed the security logs to go).  I want to be sure I'm not allowing events to roll over and missing them.

Is there any guidance on ensuring that a SIEM is able to keep up with the logs being forwarded to event collectors before they roll over?  I noticed the log fills up fairly quickly in our environment.

bjvista

jmiz - 6/25/2019
We're using 1 collector to handle ~3500 endpoints.  I've increased the destination log sizes to 1GB for ForwardedEvents (where we've directed the security logs to go).  I want to be sure I'm not allowing events to roll over and missing them.

Is there any guidance on ensuring that a SIEM is able to keep up with the logs being forwarded to event collectors before they roll over?  I noticed the log fills up fairly quickly in our environment.

I'm not sure what SIEM you are using but the best way to ensure this is to use the "Archive the log when full" option.  Your SIEM should be able to process the archives and the current log.  The other option is to get a count of events from known start time and end time.  Then compare that number to what the SIEM has processed.

Also, it may help to filter the Security Log events for noise if you're not doing so already.  Supercharger has a built-in Security Log filter with noise suppression.  You can also create your own custom filter under Settings in Supercharger.

https://forum.logbinder.com/Uploads/Images/d8276413-9931-4aa6-997f-a380.JPG
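One way to put the two checks from the reply above into practice on the collector, as an added example that is not code from this thread or from LOGbinder/Supercharger: it verifies that ForwardedEvents is in archive-when-full mode, counts events in a window across the live log and any archives, and compares the total with a SIEM count you supply. The archive directory, the Archive-<LogName>-*.evtx file naming and the -SiemCount parameter are assumptions.

```powershell
# Added example (not from the forum post or LOGbinder). Run on the Windows Event Collector.
param(
    [string]$LogName = 'ForwardedEvents',
    [datetime]$Start = (Get-Date).AddHours(-1),
    [datetime]$End = (Get-Date),
    # Assumed input: the number of events your SIEM reports for the same window (-1 = skip comparison)
    [long]$SiemCount = -1
)

$log = Get-WinEvent -ListLog $LogName

# Circular = oldest events are overwritten once the log is full (rollover risk).
# AutoBackup = "Archive the log when full": the full log is saved to an .evtx file.
if ($log.LogMode -ne 'AutoBackup') {
    Write-Warning ("{0} is in {1} mode ({2} MB max, {3} MB used). Enable 'Archive the log when full'." -f
        $log.LogName, $log.LogMode, [math]::Round($log.MaximumSizeInBytes / 1MB), [math]::Round($log.FileSize / 1MB))
}

# Events still in the live log for the window. SilentlyContinue suppresses the
# "No events were found" error Get-WinEvent raises for an empty result.
$live = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $Start; EndTime = $End } `
    -ErrorAction SilentlyContinue).Count

# Events that AutoBackup already moved into archive files. Assumption: the default
# log directory and the standard Archive-<LogName>-<timestamp>.evtx naming.
$archived = 0
$logDir = Join-Path $env:SystemRoot 'System32\winevt\Logs'
foreach ($file in Get-ChildItem -Path $logDir -Filter "Archive-$LogName-*.evtx" -ErrorAction SilentlyContinue) {
    $archived += @(Get-WinEvent -FilterHashtable @{ Path = $file.FullName; StartTime = $Start; EndTime = $End } `
        -ErrorAction SilentlyContinue).Count
}

$collectorTotal = $live + $archived
"Window: $Start to $End"
"Collector events: $collectorTotal (live: $live, archived: $archived)"

# Compare with what the SIEM ingested for the same window, as the reply suggests.
if ($SiemCount -ge 0) {
    $gap = $collectorTotal - $SiemCount
    if ($gap -gt 0) {
        Write-Warning "SIEM is missing $gap events for this window; check forwarding and ingestion before the log rolls over."
    } else {
        "SIEM count ($SiemCount) matches or exceeds the collector count."
    }
}
```

Counting a 1 GB live log with Get-WinEvent can take several minutes, so run it against a bounded window rather than the whole log.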
