Log Ingestion Options

Hi,
Is anyone ingesting Fortinet Firewalls, Zscaler, and Cisco Meraki logs into Sentinel? All three data sources require a log forwarder (Linux Syslog). I might use the below flow as a scalable design:

Data Sources -> Load Balancer -> VMSS or Individual Forwarders (with AMA & rsyslog/syslog-ng daemon) -> Sentinel workspace

As Meraki uses a different port ("22033" by default) and file ("meraki.conf"), while CEF (Fortinet and Zscaler), for example, uses TCP port 25226 or 25224 for forwarding traffic to the workspace, I need assistance with the below queries, please:

- Which option would be the best and cost-effective, VMSS-based log ingestion, or have two separate forwarders (One for CEF and another for Meraki)?
- In the case of the based method, can we set it up to accommodate traffic from all three sources?
- How can we manage encryption from data sources -> Load Balancer?

Thanks