Log Ingestion

CyberDoyen SIEM ingests log data from multiple sources in real time to provide comprehensive security monitoring and threat detection.

This page covers how to configure and manage log ingestion from various sources.

Supported Log Sources

Source Type        | Example Products                     | Ingestion Method
Syslog             | Firewalls, Routers, Linux Servers    | Syslog Listener (UDP/TCP)
Windows Event Logs | Windows Servers, Desktops            | Winlogbeat / Agent
Cloud Services     | AWS CloudTrail, Azure Activity Logs  | API Pull / Agent
Applications       | Nginx, Apache, Custom Apps           | Filebeat / API

Default Ingestion Ports

Protocol | Port | Purpose
UDP      | 514  | Syslog Ingestion (default)
TCP      | 6514 | Secure Syslog (TLS)
TCP      | 5044 | Beats (Filebeat, Winlogbeat) ingestion

Tip: You can customize these ports in the configuration files during installation.

Configuring Syslog Ingestion

Open your CyberDoyen SIEM configuration directory.

Edit the syslog.yml file to configure listeners:

syslog.yml:

    listen_udp: true
    listen_tcp: true
    udp_port: 514
    tcp_port: 6514
    tls_enabled: true
    certificate_path: "/etc/cyberdoyen/certs/server.crt"
    private_key_path: "/etc/cyberdoyen/certs/server.key"

Restart the CyberDoyen Ingestion Service:

Linux:

sudo systemctl restart cyberdoyen-ingestion

Windows:

Restart-Service cyberdoyen-ingestion
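As an added illustration (not part of the CyberDoyen documentation or product), the following Python parses a syslog.yml in the flat key: value form shown above and reports listener settings worth reviewing before the service is exposed, such as a TCP listener running without TLS or TLS enabled without certificate paths. The sample configuration text is constructed here, and the parser handles only this flat form.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the syslog.yml shown above (not a product file).
SAMPLE_SYSLOG_YML = """\
listen_udp: true
listen_tcp: true
udp_port: 514
tcp_port: 6514
tls_enabled: true
certificate_path: "/etc/cyberdoyen/certs/server.crt"
private_key_path: "/etc/cyberdoyen/certs/server.key"
"""

_KV = re.compile(r"^\s*([A-Za-z_]\w*)\s*:\s*(.*?)\s*$")  # one flat key: value per line


def parse_flat_yaml(text: str) -> Dict[str, object]:
    """Parse the flat key: value lines of syslog.yml (booleans, ints, quoted strings)."""
    cfg: Dict[str, object] = {}
    for raw in text.splitlines():
        m = _KV.match(raw.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip("\"'")
        if val.lower() in ("true", "false"):
            cfg[key] = val.lower() == "true"
        elif val.isdigit():
            cfg[key] = int(val)
        else:
            cfg[key] = val
    return cfg


def audit_syslog_config(cfg: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for listener settings worth a second look."""
    findings: List[Tuple[str, str]] = []
    tcp, tls = bool(cfg.get("listen_tcp")), bool(cfg.get("tls_enabled"))
    if cfg.get("listen_udp"):
        findings.append(("info", "UDP listener is unauthenticated and unencrypted; limit senders by firewall"))
    if tcp and not tls:
        findings.append(("high", "TCP listener without tls_enabled carries log data in cleartext"))
    if tls:
        for key in ("certificate_path", "private_key_path"):
            if not cfg.get(key):
                findings.append(("high", f"tls_enabled is true but {key} is not set"))
    return findings
```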

Configuring Beats (Filebeat, Winlogbeat)

CyberDoyen SIEM supports native Beats protocols for structured log ingestion.

Sample filebeat.yml output configuration:

    output.logstash:
      hosts: ["siem-server.local:5044"]
      ssl.enabled: true
      ssl.certificate_authorities: ["/etc/ssl/certs/ca.crt"]

Ensure port 5044 is open between the Beats agents and your SIEM server.

Configuring Cloud Ingestion

CyberDoyen supports fetching cloud logs using secure API credentials.

Example for AWS CloudTrail:

    aws:
      access_key_id: YOUR_ACCESS_KEY
      secret_access_key: YOUR_SECRET_KEY
      regions:
        - us-east-1
        - eu-central-1
      services:
        - cloudtrail
        - cloudwatch
      poll_interval: 300 # seconds

Note: Store your API keys securely and grant the credential only the least privilege it needs.

Monitoring Ingestion Health

To verify that logs are being ingested correctly:

Check SIEM dashboards under Log Sources.

Use the built-in ingestion health API:

curl -X GET "https://siem-server.local:9200/_ingestion/health"

Expected response:

    {
      "syslog_sources": 12,
      "beats_sources": 5,
      "cloud_sources": 3,
      "status": "healthy"
    }

Conclusion

Correct log ingestion configuration is crucial for complete security coverage. Make sure to monitor your ingestion health and tune buffer sizes as your environment scales.
