Where does my router syslog get sent to in SecurityOnion?

[tanc7]

I configured my router to send it's syslog over the LAN to my SecurityOnion node listening on port 514. I seen it working but I don't know where this information is stored.

https://docs.securityonion.net/en/2.3/syslog.html

I would like to parse through them so I can report on the IP addresses scanning my public IP by looking at it's firewall notifications. I already can do this and make a formatted csv file.

[cm-ops]

One the data goes through the ingest pipeline it will be in an index so-syslog-* you can run this command from the CLI - so-elasticsearch-query _cat/indices | grep syslog to see the indices. You would run that on your node that is performing search node functions.

[kwwv]

@tanc7 fwiw you can also use metadata.pipeline:syslog in kibana discovery to view data that has passed through the syslog pipeline.