Forum Discussion
Cribl or Logstash vs AMA CEF: What’s the Best Choice for Ingesting Firewall Logs?
Cribl and Logstash do better work by enriching logs, log reduction, transformation, enrichment, routing etc., while AMA log ingestion allows you to upload the basic logs in Common Event Format for Palo Alto. When you look for advanced filtering, cost reduction and enrichment data, better use Cribl. In some scenarios, you need to map data like "Location - IP or any other enrichment". Logstash and Cribl offer paid options as well. Any specific reason you are looking for this?
- MarPas, Mar 12, 2025, Brass Contributor
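As an added illustration of the reduction, enrichment and routing the reply above attributes to Cribl and Logstash (example code written for this page, not code from either product or from the thread), the Python stage below parses a CEF line, drops extension keys nobody queries, maps src/dst addresses to a site label, and picks a destination tier. The sample Palo Alto-style line, the location table, the DROP_KEYS choice and the "auxiliary"/"analytics" tier names are all constructed assumptions.

```python
import ipaddress
import re
# Constructed Palo Alto-style CEF traffic event; every value is made up for this example.
SAMPLE_CEF = (
    "CEF:0|Palo Alto Networks|PAN-OS|10.2|end|TRAFFIC|3|"
    "rt=Mar 12 2025 10:15:00 src=10.1.2.3 dst=203.0.113.10 spt=51234 dpt=443 "
    "proto=tcp act=allow cs1=intranet-to-internet cs1Label=Rule "
    "cn1=4096 cn1Label=Bytes cs4=session-pool-17 cs4Label=Pool"
)
CEF_HEADER = ("version", "vendor", "product", "device_version", "event_class_id", "name", "severity")
# Reduction rule: extension keys that no detection or report reads (chosen for this example).
DROP_KEYS = {"cs4", "cs4Label"}
# Enrichment table: constructed stand-in for GeoIP or asset-inventory data.
LOCATIONS = [(ipaddress.ip_network("10.1.0.0/16"), "HQ-LAN"),
             (ipaddress.ip_network("203.0.113.0/24"), "Partner-DC")]

def parse_cef(line):
    """Split the 7 pipe-delimited header fields and the key=value extension into a dict."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)  # honour escaped '\|'
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    event = dict(zip(CEF_HEADER, parts[:7]))
    # Extension values may contain spaces; a value ends where the next ' key=' begins.
    for key, value in re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", parts[7]):
        event[key] = value.replace("\\=", "=")
    return event

def lookup_location(ip):
    """Map an address to a site label; unknown or missing addresses stay 'unknown'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unknown"
    return next((name for net, name in LOCATIONS if addr in net), "unknown")

def route(event):
    """Allowed TRAFFIC volume goes to the cheaper auxiliary tier; everything else to analytics."""
    if event.get("name") == "TRAFFIC" and event.get("act") == "allow":
        return "auxiliary"
    return "analytics"

def process(line):
    """Parse, reduce, enrich and route one CEF line; returns the finished event."""
    event = parse_cef(line)
    for key in DROP_KEYS:
        event.pop(key, None)
    event["srcLocation"] = lookup_location(event.get("src"))
    event["dstLocation"] = lookup_location(event.get("dst"))
    event["destination"] = route(event)
    return event
```

Running `process(SAMPLE_CEF)` returns the parsed event with the two pool fields removed, both locations filled in, and `destination` set to `auxiliary` because it is an allowed TRAFFIC record.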
There isn’t a specific reason, but let’s take Palo Alto’s CEF data as an example: we can leverage auxiliary logs and summary rules to optimize, enrich, and transform the data while also reducing costs. I’d love to hear other users’ perspectives on this approach.
Additionally, if we were working with multiple data sources, tools like Cribl or Logstash could prove particularly useful, especially considering a potential implementation.
What do you think?