What is the best way to collect logs from the devices that I can't install Universal Forwarders on? Should I use the available apps like the ones for Checkpoint and Blue Coat? Would I even need these apps? Or should I just import the logs directly to a heavy forwarder?
These are the questions I have:
Do I need an app for a specific device if a UF cannot be installed on that device?
Do I need to install heavy forwarders for these types of logs?
I cannot speak for Check Point, but forwarding BlueCoat logs via syslog to our heavy forwarder has been simple and effective for me.
Configure a UDP listener on a heavy forwarder and configure your BlueCoats to forward logs to your heavy forwarder's IP:port via syslog.
We've written a few custom search queries and dashboards, but the BlueCoat app is a good starting point.
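As an added example (not part of the answer above), this is what the UDP syslog listener described there looks like in `inputs.conf` on the heavy forwarder. The port 1514, the `proxy` index and the `bluecoat:proxysg:access` sourcetype are assumptions for illustration; use whatever sourcetype your BlueCoat add-on expects and whatever index you have created. Port 1514 rather than 514 is chosen because binding a port below 1024 needs root, and Splunk normally runs as an unprivileged user.

```ini
# Added example: $SPLUNK_HOME/etc/system/local/inputs.conf (or an app's local/)
# on the heavy forwarder. Port, index and sourcetype are assumed values.
[udp://1514]
# Set the host field from the packet's source IP. "dns" would reverse-resolve
# every sender; "ip" avoids that lookup and cannot be spoofed by the payload.
connection_host = ip
sourcetype = bluecoat:proxysg:access
index = proxy
# The proxy already timestamps each line, so do not prepend Splunk's own timestamp.
no_appending_timestamp = true
disabled = 0
```

Caveat a practitioner should weigh: UDP has no delivery guarantee, so any event that arrives while the heavy forwarder is restarting, or while its input queue is blocked, is simply lost. That is the main reason the syslog-aggregation design in the next answer is usually preferred for anything you would need in an investigation.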
The best practice for cases like this is to set up syslog aggregation (for example syslog-ng), forward your logs to that, and install the UF on the syslog-ng server.
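The syslog-ng-plus-UF design above, as an added worked configuration that is not from the answer or from either vendor. It assumes the BlueCoat proxies live in 10.0.1.0/24, that syslog-ng writes under `/var/log/remote/`, and that the Splunk add-on expects the `bluecoat:proxysg:access` sourcetype in a `proxy` index; all of these are placeholders to adapt. syslog-ng writes one directory per sending host so that the UF can take the host name from the path instead of having to parse it out of each line.

```ini
# --- Added example: /etc/syslog-ng/conf.d/remote-devices.conf on the syslog-ng host ---
@version: 3.38
@include "scl.conf"

# Accept syslog from network devices on UDP and TCP 514. syslog-ng starts as root
# and drops privileges after binding, so the low port is fine here.
source s_remote {
    network(ip("0.0.0.0") port(514) transport("udp"));
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# Assumed proxy subnet: route by sender address so each device type lands
# in its own tree and gets its own sourcetype downstream.
filter f_bluecoat { netmask("10.0.1.0/24"); };

# One file per host per day. create-dirs(yes) makes the ${HOST} directory on
# first sight of a new sender; the perms let the Splunk user read the files.
destination d_bluecoat {
    file("/var/log/remote/bluecoat/${HOST}/${YEAR}${MONTH}${DAY}.log"
         create-dirs(yes) dir-perm(0750) perm(0640) group("splunk"));
};

log { source(s_remote); filter(f_bluecoat); destination(d_bluecoat); flags(final); };

# --- Added example: $SPLUNK_HOME/etc/system/local/inputs.conf on the same host (UF) ---
[monitor:///var/log/remote/bluecoat]
sourcetype = bluecoat:proxysg:access
index = proxy
# Path segments: 1=var 2=log 3=remote 4=bluecoat 5=${HOST}, so host comes from segment 5.
host_segment = 5
disabled = 0
```

Two things to check after applying this: that the account the UF runs as can actually read the files syslog-ng creates (the `group("splunk")` and `perm(0640)` above assume such a group exists), and that old daily files are rotated or deleted by something like logrotate, since syslog-ng will happily fill the disk otherwise. The same pattern extends to other device types by adding a second `filter`/`destination`/`log` triple and a matching `[monitor://...]` stanza.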