SELKS
Send Actionable Alerts to SysLog Server
I am very impressed with SELKS and the visibility it provides into what is going on in my network environment. I have already made some network changes as a result.
I am currently using it in an IDP configuration watching a mirrored port on our core switch. We run predominantly a Windows environment.
I have set up my Syslog server (Syslog Watcher) so that it notifies me via text message if there is anything urgent that I need to deal with.
I would like to set up SELKS so that it pushes alerts to my remote Syslog server but I can't seem to get the pieces lined up.
I saw this issue where you talked about using Logstash, but I am not sure how to proceed.
- https://github.com/StamusNetworks/SELKS/issues/139
- https://www.syslog-ng.com/community/b/blog/posts/sending-logs-logstash-syslog-ng/
I also tried to have Suricata log to its container syslog, and then have the Docker daemon push those logs to the server logs, with the server pushing to my remote Syslog server, but that just created a massive mess of server alerts without any actionable Suricata alerts.
- https://suricata.readthedocs.io/en/suricata-4.1.2/output/syslog-alerting-comp.html
- https://docs.docker.com/config/containers/logging/syslog/
I am not in a position where I can monitor SELKS full time so I need a reliable way to receive alerts when there is something I need to attend to.
Any help would be much appreciated.
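As an added example that is not part of the original post, nor of SELKS or Suricata: a small Python forwarder that reads Suricata's EVE JSON, keeps only `alert` events at or below a chosen severity (so flow, DNS and low-priority events never reach the pager), and ships each one as an RFC 5424 syslog message over UDP. The eve.json path, the syslog host and port, the `selks` hostname, the Suricata-to-syslog severity mapping and the `suricata@0` SD-ID are all assumptions; the sample EVE lines are constructed, not captured from a sensor. The thread does not say which syslog format Syslog Watcher expects, so confirm it accepts RFC 5424 over UDP before relying on this.

```python
"""Forward only actionable Suricata EVE alerts to a remote syslog server.

Added example for this thread (not SELKS or Suricata code). It follows
Suricata's eve.json, keeps alerts at or below a severity threshold, and
emits each as an RFC 5424 message over UDP.
"""
import json
import socket
import time
from datetime import datetime

# Assumed defaults: adjust to your SELKS host and Syslog Watcher address.
EVE_PATH = "/var/log/suricata/eve.json"      # assumption: default Suricata path
SYSLOG_HOST = "192.0.2.10"                   # assumption: documentation address
SYSLOG_PORT = 514
LOCAL_HOSTNAME = "selks"                     # assumption

FACILITY_LOCAL0 = 16
# Suricata alert severity (1 = most severe) -> syslog severity code.
# This mapping is a choice, not a Suricata convention.
SEVERITY_MAP = {1: 1, 2: 4, 3: 6}            # alert, warning, informational

# Constructed sample EVE lines in Suricata's JSON layout (not real captures).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-15T10:00:00.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}',
    '{"timestamp":"2024-01-15T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":49152,'
    '"dest_ip":"203.0.113.7","dest_port":445,"proto":"TCP","alert":{"signature_id":2000001,'
    '"signature":"TEST outbound SMB to internet","category":"Potentially Bad Traffic","severity":1}}',
    '{"timestamp":"2024-01-15T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.8","src_port":51000,'
    '"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","alert":{"signature_id":2000002,'
    '"signature":"TEST noisy info rule","category":"Not Suspicious Traffic","severity":3}}',
    '{"timestamp":"2024-01-15T10:00:03.000000+0000","event_type":"dns","src_ip":"10.0.0.8","dest_ip":"10.0.0.1"}',
    'this is not json',
]


def parse_eve_line(line):
    """Decode one EVE line; return None for malformed or non-object lines."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return None
    return record if isinstance(record, dict) else None


def is_actionable(record, max_severity=2):
    """True for alert events whose Suricata severity is <= max_severity."""
    if record.get("event_type") != "alert":
        return False
    return record.get("alert", {}).get("severity", 3) <= max_severity


def rfc5424_timestamp(eve_timestamp):
    """Convert Suricata's '+0000' offset form to RFC 5424's '+00:00' form."""
    try:
        return datetime.strptime(eve_timestamp, "%Y-%m-%dT%H:%M:%S.%f%z").isoformat()
    except (TypeError, ValueError):
        return "-"  # RFC 5424 NILVALUE when the timestamp is missing or odd


def to_syslog(record, hostname=LOCAL_HOSTNAME):
    """Render an EVE alert as a single RFC 5424 syslog line."""
    alert = record["alert"]
    suri_sev = alert.get("severity", 3)
    pri = FACILITY_LOCAL0 * 8 + SEVERITY_MAP.get(suri_sev, 6)
    # 'suricata@0' is a placeholder SD-ID; a real deployment would use its
    # own IANA private enterprise number after the '@'.
    sd = (
        f'[suricata@0 sid="{alert.get("signature_id", 0)}" severity="{suri_sev}" '
        f'src="{record.get("src_ip", "-")}:{record.get("src_port", 0)}" '
        f'dst="{record.get("dest_ip", "-")}:{record.get("dest_port", 0)}" '
        f'proto="{record.get("proto", "-")}"]'
    )
    msg = f'{alert.get("signature", "unknown signature")} ({alert.get("category", "uncategorized")})'
    return f"<{pri}>1 {rfc5424_timestamp(record.get('timestamp'))} {hostname} suricata - alert {sd} {msg}"


def select_actionable(lines, max_severity=2):
    """Return syslog lines for every actionable alert among the EVE lines."""
    out = []
    for line in lines:
        record = parse_eve_line(line)
        if record is not None and is_actionable(record, max_severity):
            out.append(to_syslog(record))
    return out


def forward(messages, host=SYSLOG_HOST, port=SYSLOG_PORT):
    """Send each message as one UDP datagram (RFC 5426 transport)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for message in messages:
            sock.sendto(message.encode("utf-8"), (host, port))


def follow(path):
    """Yield new lines appended to eve.json, like 'tail -F' without rotation handling."""
    with open(path, "r", encoding="utf-8") as fh:
        fh.seek(0, 2)  # start at end so old alerts are not re-sent
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(0.5)


if __name__ == "__main__":
    for eve_line in follow(EVE_PATH):
        forward(select_actionable([eve_line], max_severity=2))
```

With `max_severity=2` the constructed sample yields one message for the severity-1 alert and drops the severity-3 "noisy info rule", the flow and DNS records, and the malformed line; raising the threshold to 3 admits the second alert. Whatever rule on the Syslog Watcher side triggers the text message can then key on the PRI (`<129>` here for local0/alert) or on the `sid=` value in the structured data.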