Prisma SaaS Integration with more than one Syslog System

Printer Friendly Page

Can Prisma SaaS integrate with more than one Syslog System?

 

As you may know, Prisma SaaS integration with an external Syslog server allows you to forward any type of log it generates.

It needs to be mentioned that you can only integrate with one Syslog for each tenant.

The reason for that is that the messages get deleted once they are read. Hence, if we have two systems listen to read the messages, using the same API credentials, the system which gets the message first reads it. So, the other system doesn't get a chance to read it as it will be deleted right after it was read the first time.

One option to implement this scenario would be to use a log forwarder and direct SaaS logs to that and, from there, distribute it to the other systems. You can take a look at tools such as "Splunk Universal Forwarder".

 

https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/Abouttheuniversalforwarder

Tags (3)