Hi Peter, On Wed, Aug 09, 2023 at 06:55:49AM +0000, Peter Czanik (pczanik) wrote:

Syslog-ng can send logs to Splunk, ElasticSearch / OpenSearch or Graylog, all which already have sigma rules integrations. Of course, many users use/abuse syslog-ng as a kind of SIEM-lite as it is very good at real-time alerting. However, as far as I can see, Sigma rules are better suited for threat hunting on the SIEM side.

If you already Sigma rules with syslog-ng or any other way: please share your experiences!

I discovered the existence of Sigma rules 1 month ago ;-) What I like about patterndb is the proximity to the generation of the matched message. I always like to do alerting as upstream as possible. In my opinion, Elasticsearch is too downstream, too much can happen in between, and I like alerting to be as robust as possible. This is why I was thinking it would be nice to be able to feed patterndb with SIEM patterns, in the likely event that the latter would become mainstream and provide an up-to-date database we could harvest periodically. There have been attempts in the past to setup a shared, public patterndb repo. If this succeeds with SIEM, I think it would become interesting to add some kind of support in syslog-ng - be it at least a conversion tool. just my 2 nano-bitcoins