Log shipping & retention
complete
Nate O'Brien
The general request has been developed and delivered in EA, soon to officially launch. We've documented all of the sub-asks internally and across other Canny requests. More info to come in the official launch.
Peter Strahan
We would love to be able to get the log activity out of the closed Huntress system to an external SIEM such as MS Sentinel. This is becoming a requirement for larger SME & enterprise clients who are happy with Huntress but are being swayed by Defender due to integrations.
Mason Schmitt
For log sources we'd like to send the following
- Windows security event logs
- pfSense firewall syslog
- Suricata syslog
- Switch syslog (for seeing IP Source Guard and ARP inspection alerts)
- AP and/or Wi-Fi controller syslog
- OpenVPN auth logs
- File server audit logs (specifically from Samba in our case)
- PacketFence/FreeRADIUS syslog
- 1Password account activity
- M365 and M365 Defender audit logs
For the Windows logs, I'd be happy to have your agent collect and send the log data.
For the cloud services (1Password and M365), both have integration methods for shipping logs directly to a SIEM.
For all the other logs, rather than have one of your Windows agents collect this data, I'd rather use a single log shipper per customer. That could be an ELK log shipper or a syslog feed. Many of these logs are on hosts that are not directly exposed to Windows machines, and thus a Windows agent wouldn't be able to access these log sources.
Ed Murphy [Product Manager - Huntress]
Chris Conway - Huntress is considering a "SIEM-lite" offering; we would love to hear more from those who upvoted here around the priority of the specific log sources.
Chris Conway
Ed Murphy [Product Manager - Huntress]: I'd prioritize them like this:
- System logs
- Syslogs
- Azure AD logs
- Unified audit logs & Sysmon logs would be tied for 4th.