Hi, yes that's what I'm proposing, but there should be more options. HEC would be a good standard if everything talked HEC, but it doesn't.
Syslog is becoming far more important to be integrated with various things: SIEM, Splunk, ELK, internal and external SOC, etc. Perhaps HEC should replace it in future?
I don't think Splunk are taking syslog seriously enough to say that their whole platform is perfect to assist with routing of events all over the place, but it overwrites the host field with its own instance name, just to ruin the show!
It's a massive let-down considering Splunk professional services were once here and built us a forwarding layer for syslog that won't do the job.
I've seen others talk of it, but nobody has suggested doing anything about it. Instead we have to use the long way around, and even worse, we have concluded that syslog agents will completely replace Splunk LFs, requiring a different solution to get visibility of the assets.