I'm planning to start an integration between Splunk and ESET endpoint security cloud platform, but I facing the following issue:
the Syslog-ng server started receiving uncleared/encrypted logs from the ESET endpoint security, so the logs appear on the HF server like this:
^A^B
^L
7 ^]
^W
^^
^Y
^X
#
^W
(^D^C^E^C^F^C^H^G^H^H^H ^H
2
I think I want to decrypt the logs when received by the syslog-ng because Splunk can't handle any decryption process, I need help with how I can decrypt the logs in the Syslog-ng.
It looks like logs from ESET are encrypted.... because yes. I tried with syslog-ng and rsyslog but result is the same. I saw in the network that similar issue was reported directly to ESET
Firstly, it's unclear what logs we're talking about and how they relate to syslog. If it's a cloud platform it's quite unusual to send raw syslog over open internet. If it's your local part of the installation (like the logs from the endpoints themselves) are you sure they are configured correctly? Are they supposed to send syslog?
Hi,
Did you find solution? I have the same issue.
Since you're looking for help for syslog-ng configuration, your best bet is to join the syslog-ng community.
But, from a Splunk architecture/design perspective you are on the right track. Typically people use a separate syslog receiver that writes to disk (like syslog-ng), and then have Splunk monitor that. This way you reduce the coupling for situations where you have to restart Splunk and don't want your syslog ports to be down.
That being said, there is a Splunk Connect for Syslog app that can be used for receiving syslog data, but I am unsure if it can handle the decryption for you if you are in a bind. Overall I much prefer having syslog being received outside of Splunk.