I have a goal to ingest the Router and Switches data into InsightIDR to enhance the network visibility. The initial configuration that I was hoping to go for is the Listen to Syslog, but we also have the goal to implement the InsightIDR Network Sensor.
What difference will the Syslog logs have from the Network Sensor logs? Should I do both or select just one? If one, which one?
Appreciate the comments and feedback.
Hi @jlaboy,
The network sensor will listen for east-west traffic in your network. It will automatically pick up DNS, DHCP and IDS events and transmit those to log search (without the additional ENTA feature which comes with IDR Ultimate). This is a great source of truth for IDR to attribute traffic and monitor for IDS events based on our signature rules.
For the switches and routers, adding these provides more of an operational advantage, in that there will be no out-of-the-box alerting or attribution; all of these sources would require the use of a Custom Logs event source, which ingests the logs (in text format) and sends them to the Raw Log logset.
I would certainly recommend the sensor, and as for the routers/switches, it might be useful for monitoring things like admin logins/actions. You can build custom alerts, as well as custom dashboards to help visualize the traffic/actions taken on these devices.
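The custom-alert idea in the answer above, as an added example that is not from this thread or from InsightIDR itself: a small Python parser that reads constructed switch/router syslog lines (Cisco-style message IDs; hostnames, users, addresses and the hypothetical trusted admin range are invented) and flags repeated failed logins and config changes or logins from outside the trusted range, the kind of logic a custom alert on a Custom Logs source would express.

```python
import re
from collections import Counter

# Constructed sample lines in the style a switch/router sends over syslog to a
# Custom Logs event source; hosts, users, addresses and timestamps are invented.
SAMPLE_LINES = [
    "<189>Jan 12 10:01:02 core-sw1 5: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.5.20] [localport: 22]",
    "<188>Jan 12 10:01:40 core-sw1 6: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.9.77] [localport: 22]",
    "<188>Jan 12 10:01:44 core-sw1 7: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.9.77] [localport: 22]",
    "<188>Jan 12 10:01:49 core-sw1 8: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.9.77] [localport: 22]",
    "<189>Jan 12 10:02:15 core-sw1 9: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.5.20)",
    "<189>Jan 12 10:03:01 edge-rtr1 3: %SYS-5-CONFIG_I: Configured from console by netops on vty1 (10.0.9.77)",
    "<190>Jan 12 10:03:05 edge-rtr1 4: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
]

# Syslog header plus the %FACILITY-SEVERITY-MNEMONIC: message body.
HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?:\d+:\s+)?%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<msg>.*)$"
)
LOGIN_DETAIL = re.compile(r"\[user:\s*(?P<user>[^\]]+)\].*\[Source:\s*(?P<src>[^\]]+)\]")
CONFIG_DETAIL = re.compile(r"by\s+(?P<user>\S+)\s+on\s+\S+\s+\((?P<src>[^)]+)\)")


def parse_line(line):
    """Return a dict of fields for a recognised device log line, else None."""
    m = HEADER.match(line)
    if not m:
        return None
    ev = m.groupdict()
    detail = LOGIN_DETAIL.search(ev["msg"]) or CONFIG_DETAIL.search(ev["msg"])
    ev["user"] = detail.group("user") if detail else None
    ev["src"] = detail.group("src") if detail else None
    return ev


def find_alerts(lines, trusted_prefix="10.0.5.", fail_threshold=3):
    """Alert on repeated failed logins from one source, and on successful logins
    or config changes from outside the (hypothetical) trusted admin range."""
    alerts, failures = [], Counter()
    for ev in filter(None, map(parse_line, lines)):
        src = ev["src"] or ""
        if ev["mnemonic"] == "LOGIN_FAILED":
            failures[src] += 1
        elif ev["mnemonic"] in ("LOGIN_SUCCESS", "CONFIG_I") and not src.startswith(trusted_prefix):
            alerts.append(f"{ev['host']}: {ev['mnemonic']} by {ev['user']} from untrusted {src}")
    for src, n in failures.items():
        if n >= fail_threshold:
            alerts.append(f"{n} failed logins from {src}")
    return alerts
```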