[Graylog 4.2] Output a copy of logs to a SOC or SIEM platform

1. Describe your incident:
We have a central SOC for corporate that is running QRadar and some Azure Sentinel. Ideas?

2. Describe your environment:

  • OS Information: RedHat 8
  • Graylog: 4.2 single deployment on bare-metal

Service logs, configurations, and environment variables:

# Processor Status
1 Message Filter Chain active
2 Pipeline Processor active
3 GeoIP Resolver active
4 AWS Instance Name Lookup disabled

3. What steps have you already taken to try and solve the problem?
I have tried the only 2 options we have, GELF and STD output, but not sure how to go about such log sending outside of the platform if the remote end does not support GELF.

4. How can the community help?
I would like to check with the community on a way to create an output from Graylog to these SIEM solutions. Any

Any hint and tips would be appreciated.

-HMB

1 Like

Hello @hmb104

There are other Outputs, but most of them, as you noticed, are for the Enterprise edition.

You can request a free license, but the amount of data has to be under 2 GB/day. If you have an older license you can get a transitional license for 5 GB/day that's good through the rest of 2022.

I don't know much about QRadar & Azure Sentinel to be of any help.

1 Like

Thank you very much. That was very helpful. I have tried to understand how much data my deployment parses per day, but I was not able to tell. There are some data/metrics under the indices tab, and there are also some under the overview tab. Any recommendation on how to figure out how much data in GB my systems are sending to Graylog?

Best,
Hmb

There is. Navigate to System/Overview, shown here.

Each one of those bars is a day; hover your cursor over it and it will show you.
Hope that helps.

That is very much appreciated. I think I’m under 2GB/day so I’ll request a license and see what I can do. Thank you very much for your helpful comments.

Regards,
Hmb

1 Like

There is a Community Syslog Output plugin that works perfectly on the latest versions of Graylog, 4.2.x: GitHub - wizecore/graylog2-output-syslog: Customizable, production ready syslog and ArcSight output plugin for Graylog2
I'm using it for the same use case that you mentioned, but in my case to send some events to a central Micro Focus ArcSight ESM.

Maybe this can be useful for you.

Regards,
Alejandro

2 Likes
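The thread's problem (a SIEM that does not accept GELF, so events have to leave Graylog as plain syslog) and Alejandro's plugin suggestion both come down to the same translation: take the GELF event Graylog holds and emit an RFC 5424 syslog line, framed for a TCP collector. The script below is an added example written for this thread; it is not part of the original posts and not the wizecore plugin's code. It assumes the events arrive as GELF 1.1 dictionaries, that forwarded events should carry facility local0, that GELF `_` fields belong in one structured-data element under the documentation enterprise number 32473 (RFC 5612), that a custom `_application_name` field names the APP-NAME, and that the collector speaks RFC 6587 octet-counting framing. The sample event is constructed.

```python
"""Translate a GELF event into an RFC 5424 syslog message framed for TCP.

Added example for the thread above; not the forum's or the wizecore
plugin's code. The GELF event below is constructed, and the facility,
SD-ID and field mapping are assumptions chosen for illustration.
"""
import socket
from datetime import datetime, timezone

# Assumed: forwarded events use facility local0 so the SIEM can route on it.
FACILITY_LOCAL0 = 16

# Assumed SD-ID. 32473 is the enterprise number RFC 5612 reserves for
# documentation; replace it with your organisation's own PEN.
SD_ID = "graylog@32473"

# Constructed GELF 1.1 event as Graylog would hold it after extraction.
SAMPLE_EVENT = {
    "version": "1.1",
    "host": "web01.example.internal",
    "short_message": "Failed password for invalid user admin",
    "timestamp": 1700000000.0,
    "level": 4,                      # syslog severity: warning
    "_application_name": "sshd",     # assumed custom field
    "_source_ip": "198.51.100.7",
    "_user": "admin",
}


def _sd_escape(value) -> str:
    """Escape the characters RFC 5424 forbids unescaped in SD-PARAM values."""
    return (str(value).replace("\\", "\\\\")
                      .replace('"', '\\"')
                      .replace("]", "\\]"))


def gelf_to_syslog(event: dict) -> str:
    """Build one RFC 5424 message from a GELF event dictionary.

    GELF 'level' is already a syslog severity (0..7); 'timestamp' is Unix
    seconds. Every additional '_field' is copied into a structured-data
    element so the context Graylog extracted survives in the SIEM.
    """
    severity = int(event.get("level", 6))
    if not 0 <= severity <= 7:
        raise ValueError(f"GELF level out of range: {severity}")
    pri = FACILITY_LOCAL0 * 8 + severity

    ts = event.get("timestamp")
    if ts is None:
        stamp = "-"  # NILVALUE: let the receiver stamp it on arrival
    else:
        stamp = datetime.fromtimestamp(float(ts), tz=timezone.utc).strftime(
            "%Y-%m-%dT%H:%M:%S.%fZ")

    host = event.get("host", "-")
    app = event.get("_application_name") or event.get("facility") or "-"

    extra = {k[1:]: v for k, v in event.items()
             if k.startswith("_") and k not in ("_id", "_application_name")}
    if extra:
        params = " ".join(f'{k}="{_sd_escape(v)}"'
                          for k, v in sorted(extra.items()))
        sd = f"[{SD_ID} {params}]"
    else:
        sd = "-"

    msg = event.get("full_message") or event.get("short_message", "")
    # Keep the MSG part on one line so the collector's parser does not split it.
    msg = " ".join(msg.splitlines())
    return f"<{pri}>1 {stamp} {host} {app} - - {sd} {msg}"


def frame_for_tcp(line: str) -> bytes:
    """RFC 6587 octet-counting framing: '<length> <message>'.

    Octet counting is unambiguous even when the MSG contains newlines,
    which is why it is preferred over newline-delimited framing.
    """
    payload = line.encode("utf-8")
    return f"{len(payload)} ".encode("ascii") + payload


def forward(events, host: str, port: int) -> int:
    """Send a batch of GELF events to a TCP syslog collector; returns bytes sent."""
    data = b"".join(frame_for_tcp(gelf_to_syslog(e)) for e in events)
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(data)
    return len(data)


if __name__ == "__main__":
    # Print the framed bytes instead of connecting, so this runs offline.
    print(frame_for_tcp(gelf_to_syslog(SAMPLE_EVENT)).decode())
```

For QRadar or Sentinel the receiving side is whatever syslog collector those platforms provide; pass its address to `forward()`. If the collector only accepts UDP or TLS, swap the socket setup in `forward()` and keep the formatting unchanged.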

Thank you very much. I have tested it and it works well :).

-HMB
