[syslog-ng] working with Sigma rules?

Fabien Wernli wernli at in2p3.fr
Fri Aug 11 11:51:09 UTC 2023


Hi Peter,

On Wed, Aug 09, 2023 at 06:55:49AM +0000, Peter Czanik (pczanik) wrote:
> Syslog-ng can send logs to Splunk, ElasticSearch / OpenSearch or Graylog, all of which already have Sigma rules integrations. Of course, many users use/abuse syslog-ng as a kind of SIEM-lite as it is very good at real-time alerting. However, as far as I can see, Sigma rules are better suited for threat hunting on the SIEM side.
> 
> If you already use Sigma rules with syslog-ng or any other way: please share your experiences!

I discovered the existence of Sigma rules 1 month ago ;-)
What I like about patterndb is the proximity to the generation of the
matched message. I always like to do alerting as upstream as possible. In my
opinion, Elasticsearch is too downstream, too much can happen in between,
and I like alerting to be as robust as possible. This is why I was thinking
it would be nice to be able to feed patterndb with SIEM patterns, in the
likely event that the latter would become mainstream and provide an
up-to-date database we could harvest periodically.
There have been attempts in the past to set up a shared, public patterndb
repo. If this succeeds with SIEM, I think it would become interesting to add
some kind of support in syslog-ng - be it at least a conversion tool.

just my 2 nano-bitcoins
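To make the "conversion tool" idea above concrete, here is an added example (my own proof-of-concept, not code from the original post, from the Sigma project or from syslog-ng) that turns a keyword-style Sigma rule into a patterndb v4 XML ruleset. It assumes the Sigma rule has already been loaded from YAML into a dict (the constructed SIGMA_RULE below), that patterndb's ESTRING parser accepts a multi-character delimiter and may be followed directly by ANYSTRING, and that a rule's child elements may appear in the order used here. The `prefix`/`rest` value names, the `sigma.*` tag and value names and the `provider="sigma"` attribute are my own choices. Field-based selections and compound conditions are deliberately refused rather than approximated, so a rule that cannot be expressed never becomes a silent non-match.

```python
import uuid
import xml.etree.ElementTree as ET

# Constructed Sigma rule, written as the dict PyYAML's safe_load() would return
# for the YAML file; the id and tags are made-up illustrative values.
SIGMA_RULE = {
    "title": "SSH password brute force indicator",
    "id": "00000000-0000-4000-8000-000000000001",
    "level": "medium",
    "tags": ["attack.credential_access"],
    "logsource": {"product": "linux", "service": "sshd"},
    "detection": {
        "keywords": ["Failed password for", "Invalid user"],
        "condition": "keywords",
    },
}


def keyword_to_pattern(keyword: str) -> str:
    """Turn one Sigma keyword (substring semantics) into a patterndb pattern.

    patterndb patterns must match the whole message, so the text before the
    keyword is skipped with ESTRING using the keyword itself as delimiter, and
    whatever follows is swallowed by ANYSTRING. Assumption: the syslog-ng in use
    accepts multi-character ESTRING delimiters.
    """
    if not keyword or "@" in keyword:
        # '@' closes a parser specification, so it cannot appear in the delimiter
        raise ValueError(f"keyword not expressible as ESTRING delimiter: {keyword!r}")
    return f"@ESTRING:prefix:{keyword}@@ANYSTRING:rest@"


def extract_keywords(detection: dict) -> list:
    """Return the OR-ed keyword list of a keywords-only detection.

    Any other detection shape (field selections, 'and not' conditions, ...) is
    refused so the tool never emits a rule that silently fails to fire.
    """
    condition = str(detection.get("condition", "")).strip()
    if condition not in ("keywords", "1 of keywords"):
        raise ValueError(f"unsupported Sigma condition: {condition!r}")
    keywords = detection.get("keywords")
    if not isinstance(keywords, list) or not keywords:
        raise ValueError("detection.keywords must be a non-empty list")
    return [str(k) for k in keywords]


def sigma_to_patterndb(rule: dict, pub_date: str, examples=()) -> ET.Element:
    """Build a patterndb v4 document (one ruleset, one rule) from a Sigma rule."""
    program = rule["logsource"].get("service") or rule["logsource"]["product"]
    root = ET.Element("patterndb", version="4", pub_date=pub_date)
    ruleset = ET.SubElement(root, "ruleset", name=program,
                            id=str(uuid.uuid5(uuid.NAMESPACE_DNS, program)))
    # the ruleset-level pattern is matched against ${PROGRAM}, i.e. the service name
    ET.SubElement(ruleset, "pattern").text = program
    rules = ET.SubElement(ruleset, "rules")
    r = ET.SubElement(rules, "rule", {"provider": "sigma", "id": rule["id"],
                                      "class": "violation"})
    patterns = ET.SubElement(r, "patterns")
    for keyword in extract_keywords(rule["detection"]):
        ET.SubElement(patterns, "pattern").text = keyword_to_pattern(keyword)
    ET.SubElement(r, "description").text = rule.get("title", "")
    tags = ET.SubElement(r, "tags")
    for tag in list(rule.get("tags", [])) + [f"sigma.level.{rule.get('level', 'unknown')}"]:
        ET.SubElement(tags, "tag").text = tag
    # carry the Sigma identity on every match so a downstream alert can cite it
    values = ET.SubElement(r, "values")
    ET.SubElement(values, "value", name="sigma.title").text = rule.get("title", "")
    ET.SubElement(values, "value", name="sigma.id").text = rule["id"]
    if examples:
        # embedded examples let `pdbtool test` verify the generated patterns
        ex = ET.SubElement(r, "examples")
        for message in examples:
            e = ET.SubElement(ex, "example")
            ET.SubElement(e, "test_message", program=program).text = message
    return root


def render(rule: dict, pub_date: str, examples=()) -> str:
    """Serialise the generated patterndb document as an XML string."""
    root = sigma_to_patterndb(rule, pub_date, examples)
    ET.indent(root)  # Python 3.9+
    return ET.tostring(root, encoding="unicode", xml_declaration=True)


if __name__ == "__main__":
    # constructed sample line in the format sshd logs on Linux
    SAMPLE = ["Failed password for root from 192.0.2.10 port 4242 ssh2"]
    print(render(SIGMA_RULE, "2023-08-11", SAMPLE))
```

Write the output to a file and run `pdbtool test` on it: the embedded `test_message` is then matched against the generated patterns, which is the cheapest way to catch a parser-syntax assumption that your syslog-ng version does not share before the ruleset goes anywhere near production alerting.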
