Managed SIEM

To account for scenarios where the syslog collector for generic syslog data may not be receiving logs for whatever reason Where devices that support sending syslog data to multiple destinations, it'd be nice to have it where Huntress allowed for us to ingest syslog data at multiple points to better account for gaps in logging data due to issues that may arise. Say I have 35 sites, all 35 sites send syslog data for all network equipment and other miscellaneous equipment back to Huntress All 35 sites have VPN's back to 2 different datacenters, in the event that pathing to one went down, for however many sites that affects, we'd no longer have syslog data from the affected sites and that doesn't queue up, however if all sites had connectivity to a secondary site and could send logs there, we'd still have log data. It'd require some amount of deduplication of logs but I was wondering if there were any plans to account for scenarios like this where the machine running the agent w/ syslog collection is having issues, site outages or network issues disrupting the ability to ingest log data. The only other alternative for this is to place some sort of a collector in each site, local to the equipment so it would still collect data and ship it off when it could, however this is the less desirable option as it requires dedicating equipment in each site to this function, and in the event there are any issues with equipment going offline, it'd have to be reviewed in person by someone vs remotely servicing it in some way. Hopefully this makes sense. Thanks!

We have multiple firewalls sending syslogs to different servers to allow for the agents on those servers to forward the logs to the SIEM. The source is always the name of the server, not the name or brand name of the firewalls. It would be nice if we could change the names of the source type and agent for them so they are easier to find.

If we could get some kind of alert if one of the log sources stopped providing logs to the SIEM, that would be really cool. DNS Filter had an error, and we lost like two weeks of logs before anyone noticed.

Netbird is a great Tailscale alternative with self-hosting capability that also supports ilsending network activity logs and asmin logs to 3rd party SIEM.

It would be great if we could send the NAS logs like authentication, samba auth logs, user creation/deletion, etc. from TrueNAS Scale.

Currently you can disable account wide Windows Event Logging Collection or use overrides to disable Windows Event Logging Collection per org or per host, however you can't delete/remove the Event Log Sources from within the Huntress UI. See attachment - the log sources still show after disabling the logging and you can't remove them. This can make it unclear how many data sources you have from a billing perspective. It would help to have a trash can icon to remove the data sources if logging has been disabled for Windows Event logs.

Can SIEM also look at FIM

It would be nice to have the ability to setup syslog for Huntress SIEM for Cisco switches/routers.

We'd like to see support for capturing logs from Cloudflare Zero Trust.

You should add a capability to track specific types of behavior. For instance, I would like to use SIEM to track when my clients move a large amount of data at one time. This can indicate malicious intent in some cases and we would like to be alerted to this when it happens.