How to parse ADS generated syslog messages for SIEM?
Parsing rules in syslog messages for SIEM generated by ADS
Product: Flowmon ADS
How to create parsing rules for ADS generated syslog messages for SIEM systems?
|Steps to Reproduce:
ADS supports syslog events exports in CEF (Common Event Format), see the user guide:
This is a standardized format for sending syslog messages. Therefore, if the SIEM client supports it, it should receive messages without the need to define its own parsing rules. What perspective priority in ADS corresponds to the syslog severity and CEF severity is described in the table.
If the SIEM client doesn't support CEF, then it would be needed to create custom parsing rules. For that, an inspiration can be found here in the decription of the integration between Flowmon and FortiSIEM, which is a SIEM client:
For testing the parser it is adviced to use the sample messages that are available for download here: