File (Linux) Source (NG-SIEM)

Example

```yaml
sources:
  syslog_udp_1514:
    type: syslog
    mode: udp
    port: 1514
    sink: next-gen-siem-syslog-udp
    maxEventSize: 2048

  var_log:
    type: file
    include:
      - /var/log/apache2/access.log
      - /var/log/*.log
    exclude:
      - /var/log/*.gz
    sink: next-gen-siem-fileread

# sinks is a top-level key, a sibling of sources, not nested under it
sinks:
  next-gen-siem-syslog-udp:
    type: hec
    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
    maxEventSize: 910000
    maxBatchSize: 12000000
    workers: 4

  next-gen-siem-fileread:
    type: hec
    token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
    maxEventSize: 910000
    maxBatchSize: 12000000
    workers: 4
```
Introduction

This configuration sets up log collection on a Linux host for forwarding to NG-SIEM using HEC-based sinks. It collects syslog messages over UDP and local log files from specified directories. Each source is routed to a dedicated sink with its own ingestion token and endpoint.

Step-by-Step
  1. ```yaml
     sources:
       syslog_udp_1514:
         type: syslog
         mode: udp
         port: 1514
         sink: next-gen-siem-syslog-udp
         maxEventSize: 2048

       var_log:
         type: file
         include:
           - /var/log/apache2/access.log
           - /var/log/*.log
         exclude:
           - /var/log/*.gz
         sink: next-gen-siem-fileread
     ```

     This fragment defines the two source configurations, syslog_udp_1514 and var_log, used in the basic Linux setup for NG-SIEM. The first collects syslog messages over UDP port 1514; the second collects from the specified file paths, excluding the /var/log/*.gz archives. Each source names the sink it is routed to.

  2. ```yaml
     sinks:
       next-gen-siem-syslog-udp:
         type: hec
         token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
         maxEventSize: 910000
         maxBatchSize: 12000000
         workers: 4

       next-gen-siem-fileread:
         type: hec
         token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         url: https://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.ingest.YY-Y.crowdstrike.com
         maxEventSize: 910000
         maxBatchSize: 12000000
         workers: 4
     ```

     This fragment defines the two sink configurations used in the basic Linux NG-SIEM setup. The first sink receives data from syslog_udp_1514 and the second from var_log. Both use the HEC protocol to transmit events, each with its own token and ingest URL (the X and YY-Y values are placeholders to be replaced with your tenant's values).

  3. Event Result set.
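A mistake that is easy to make with this layout is indenting `sinks:` under `sources:`; the collector then sees a "source" called `sinks` and every `sink:` reference dangles. The script below is an added example, not part of this page or of the collector product: it parses the small YAML subset these configs use with the standard library only, then checks that every source routes to a defined sink, that each sink is HEC over https, that the source's `maxEventSize` does not exceed its sink's, and that the placeholder token and URL markers from this page have been replaced. The sample configs, token and URL inside it are constructed for the example.

```python
"""Sanity-check a LogScale Collector-style YAML config (added example).

Parses the YAML subset these configs use (nested mappings, scalars, lists
of scalars) with the standard library only, then checks the wiring between
`sources` and `sinks`. Not a general YAML parser.
"""
import re

# Constructed sample in the shape of the page's config; token and url are not real.
GOOD_CONFIG = """\
sources:
  syslog_udp_1514:
    type: syslog
    mode: udp
    port: 1514
    sink: next-gen-siem-syslog-udp
    maxEventSize: 2048
  var_log:
    type: file
    include:
      - /var/log/apache2/access.log
      - /var/log/*.log
    exclude:
      - /var/log/*.gz
    sink: next-gen-siem-fileread
sinks:
  next-gen-siem-syslog-udp:
    type: hec
    token: example-token-not-real
    url: https://tenant-id.ingest.example.invalid
    maxEventSize: 910000
    maxBatchSize: 12000000
    workers: 4
  next-gen-siem-fileread:
    type: hec
    token: example-token-not-real
    url: https://tenant-id.ingest.example.invalid
    maxEventSize: 910000
    maxBatchSize: 12000000
    workers: 4
"""

# Same config with `sinks:` indented under `sources`: the collector then treats
# it as a source and every `sink:` reference points at nothing.
BROKEN_CONFIG = GOOD_CONFIG.replace("\nsinks:\n", "\n  sinks:\n")

PLACEHOLDER = re.compile(r"X{8,}|YY-Y")  # the page's fill-me-in markers


def _scalar(value):
    """Integers become int; everything else stays a string."""
    return int(value) if re.fullmatch(r"-?\d+", value) else value


def parse_simple_yaml(text):
    """Indentation-driven parser for the mapping/list subset used above."""
    root = {}
    # stack entries: (indent, container, parent, key_in_parent)
    stack = [(-1, root, None, None)]
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        while indent <= stack[-1][0]:          # close deeper/equal blocks
            stack.pop()
        _, container, parent, key = stack[-1]
        if line.startswith("- "):
            # First list item: replace the empty placeholder mapping with a list.
            if isinstance(container, dict) and not container:
                container = []
                parent[key] = container
                stack[-1] = (stack[-1][0], container, parent, key)
            container.append(_scalar(line[2:].strip()))
        else:
            k, _, v = line.partition(":")     # split on the first colon only
            k, v = k.strip(), v.strip()
            if v:
                container[k] = _scalar(v)
            else:
                child = {}
                container[k] = child
                stack.append((indent, child, container, k))
    return root


def validate(config):
    """Return human-readable findings; an empty list means the wiring is sound."""
    findings = []
    sources = config.get("sources") or {}
    sinks = config.get("sinks") or {}
    if not sinks:
        findings.append("no top-level 'sinks' block (check indentation)")
    for name, src in sources.items():
        if not isinstance(src, dict) or "type" not in src:
            findings.append(f"source {name!r} has no 'type'; likely a mis-indented block")
            continue
        target = src.get("sink")
        if target not in sinks:
            findings.append(f"source {name!r} routes to undefined sink {target!r}")
            continue
        if src.get("maxEventSize", 0) > sinks[target].get("maxEventSize", 0):
            findings.append(f"source {name!r} maxEventSize exceeds its sink's limit")
    for name, sink in sinks.items():
        url = str(sink.get("url", ""))
        token = str(sink.get("token", ""))
        if sink.get("type") != "hec":
            findings.append(f"sink {name!r} is not type hec")
        if not url.startswith("https://"):
            findings.append(f"sink {name!r} url must use https")
        if PLACEHOLDER.search(url) or PLACEHOLDER.search(token):
            findings.append(f"sink {name!r} still has placeholder token or url")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, validate(parse_simple_yaml(text)) or "OK")
```

Run against the mis-indented variant it reports the missing top-level `sinks` block, the `sinks` entry with no `type`, and both real sources routing to undefined sinks; the HEC token is a bearer credential, so the same run also catches a config that still carries the page's X placeholders before it is deployed.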

Summary and Results

This example demonstrates a basic Linux NG-SIEM configuration that collects syslog events over UDP and local log files, forwarding them through HEC sinks to CrowdStrike's ingestion platform. Each sink is configured for its associated source with an independent token and URL.