Security log

SAYMON logs security events so that an administrator can audit them later.

Security logging architecture

(Figure: security logging architecture)

The security logging system has the following elements:

Log sources

SAYMON can gather logs from the following sources:

  • log channels on the SAYMON server, separated by topic, that send logs to external systems via UDP or to Kafka topics

  • external systems:

    • Kafka topics,

    • local log files (for example, syslog or auth.log),

    • other logging systems

Log shipper

A log shipper is a standalone component whose main tasks are:

  • receiving logs from various sources,

  • filtering incoming messages,

  • transforming received messages from one format to another,

  • sending the transformed data to various storage and processing systems.

SAYMON uses the fluentd log shipper.

Log storage

The log shipper sends the logs it receives to the SAYMON server's database. You can retrieve those logs via the SAYMON UI or the REST API.

You can also send logs to external log storage systems according to the routing rules set up in the log shipper. The router can either deliver specific messages to specific systems or send identical copies of a message to multiple systems.

The number of external systems is not limited.
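The pipeline described in the three sections above (log sources, shipper filtering and transformation, routing to the SAYMON database and to an external system), as an added fluentd configuration that is not part of the SAYMON documentation or product. The UDP port, the auth.log path, the SAYMON ingest URL and the Kafka broker and topic are assumptions or placeholders, and the kafka2 output requires the fluent-plugin-kafka gem.

```conf
# Source 1: a SAYMON server log channel shipped over UDP (port is an assumption)
<source>
  @type udp
  tag saymon.security
  port 5140
  <parse>
    @type json
  </parse>
</source>
# Source 2: the host's authentication log, tailed as a local file
<source>
  @type tail
  path /var/log/auth.log
  pos_file /var/log/fluentd/auth.log.pos
  tag host.auth
  <parse>
    @type syslog
  </parse>
</source>
# Filter: keep only failed logins from auth.log; SAYMON events pass untouched
<filter host.auth>
  @type grep
  <regexp>
    key message
    pattern /Failed password|authentication failure/
  </regexp>
</filter>
# Transform: stamp every record with the name of the shipping host
<filter saymon.** host.**>
  @type record_transformer
  <record>
    source_host "#{Socket.gethostname}"
  </record>
</filter>
# Route: copy each message to the SAYMON server (placeholder URL) and to Kafka
<match saymon.** host.**>
  @type copy
  <store>
    @type http
    endpoint https://saymon-server.example/PLACEHOLDER_INGEST_PATH
  </store>
  <store>
    @type kafka2
    brokers kafka.example.internal:9092
    default_topic security-audit
    <format>
      @type json
    </format>
  </store>
</match>
```

Adding another `<store>` block inside the `copy` match is how further external systems are attached; a separate `<match>` with a narrower tag pattern placed above it would route only specific messages to one system.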