Just about any device in your network generates syslog events. That is why we now mine all syslog messages appearing in your network weather or not you know of their existence.
The software should be able to understand just about any type of syslog format now (while we continue to refine our parsing). If we do not understand it, we still provide it to you as a generic “unix” type. We set up a default minimum syslog priority of 4 (Warning) that can be customized to adjust the verbosity of the reporting to your preference. Most sites would want to stay at 4 otherwise it is like a fire-hose in most cases.
We are now collecting enough syslog data to also start correlating them with other types of events (IDS, Service Discovery, User Discovery, File Carving, NetFlow, etc.) in the cloud. This a very tall order since syslog data is usually quite bland and verbose. There might be some needles in there; but we definitively will need to use our COR language to find them. Let us know if you have a good heuristic; we will be glad to test it.
For now, besides a simple audit-trail, the syslog messages can also be used for trend analysis and somewhat reinforce what the other parts of our multifunctional system are saying. So, even though they do not provide a smoking gun, they are nice to have around.
