I was reading through the Rapid7 documentation - it currently does not look like there is any native support for an integration with Zix secure email. According to Zix documentation, Zix supports SIEM integration via API calls and an API token. It also supposedly supports sending syslogs Realtime to a SIEM but it also requires a TLS cert to be configured.
So right now it seems like R7 does not support API calls to ingest logs through the Custom Log Ingestion. It does look like I should be able to ingest the logs via normal syslog over a TLS connection.
Does anyone have any experience with setting up syslog ingestion with a TLS cert? Any information would be appreciated.
You could run the Rsyslog server on the same host machine as the collector and then output the stream locally over localhost to the collector configured to Listen on Network port using a Custom Log event source.
Thanks for the link to the documentation and the reply. We plan on removing on-prem Zix devices in the near feature so syslog won’t be a long term solution.
What options are there for ingesting the logs from Zix via its API? If any.
You would need to write a script of some kind against the API and have the output write to a file or output to syslog to ingest them in via a Custom Log Event Source
