using SO for Logs analysis without taps / pcaps, what level of analysis is possible on different kinds of logs from network devices

[danilansible]

Hello experts,

We are planning to start with SO for Network Log Analysis like from Zscaler, Netflow, WAF,other network device etc.
Im wondering what components can be leveraged for preliminary analysis of these ingested logs from different sources.
Does suricata / zeek work only incase of using taps/span ports for traffic pcaps and not with logs?

Can someone share thoughts please

Thank you

[robbiemarshall]

If the syslog traffic of those devices is being sent by the network device you're monitoring with SO, Zeek will see and parse the syslog files. Otherwise, your other option is to send syslog to one of your sensors from those devices. Documentation can be found here: https://docs.securityonion.net/en/2.3/syslog.html?highlight=syslog

[danilansible]

Thank you for the hints @robbiemarshall
Starting with ingesting cisco amp, ftd logs to SO(Standalone) found couple of hits here on the topic #6591.Hope that goes ok.
With the announcement/plan of excluding wazuh from SO, I'm trying to see how SO is better than wazuh interms of ingested log analysis.