I am trying to find a definitive answer as to whether the ESM can handle receiving logs from an SFTP source (Globalscape specifically). I've seen threads that mentioned that an ELM is required in order to use the SFTP protocol to receive logs. In our environment, we are hoping to use SFTP to move very specific log files into the ESM, but I am drawing a blank as to how to do this.
Not sure at all. One of the items I am trying to figure out. We do have Receivers though.
But looking at this PDF (https://www.mcafee.com/au/resources/data-sheets/ds-siem-supported-devices.pdf) is what leads me to thinking the ELM is needed. If you search "SFTP" within it, it has "ELM only" beside its name. Just looking for some experiences from someone who has implemented it.
Thanks everyone. I've noticed the SFTP option when adding a device but I have not had any success with that. You all are probably right about my confusion, and it being a user error. So let me give the use scenario, and perhaps someone could advise on how to proceed:
We have a product here that can produce logs but not send logs to the SIEM. The idea was to use Globalscape FTP to move the files into the SIEM. I was attempting to set up a new data source as a generic SFTP, but no luck. Since the SIEM is not an FTP server, would this idea not work? Any thoughts or advice from anyone?
Appreciate it all.
You can't push the logs over SFTP to the receiver, but the receiver can pull them via SFTP. So if your data source can write to a directory where an SFTP server can make them available, then the receiver can log in and download them via SFTP (or NFS, CIFS, etc).
You can get the logs into the ESM. You would set up a data source on your receiver and set the Data Retrieval field to SFTP. Once you change the data retrieval to SFTP, or another type, you will see the options for credentials, path, timing and so on. See the image for an example.
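The pull model described in the last two replies (the receiver logs in to an SFTP server on a schedule and downloads whatever the producer has dropped in a directory) is easy to misjudge when you are used to syslog push, so here is an added example of that loop written as a small standalone poller. It is not part of this thread and not McAfee's receiver code; it simply shows what "credentials, path, timing" amount to on the wire. It assumes the third-party `paramiko` library for the SSH/SFTP session, and the host name, account, key path, remote directory and state file below are placeholders you would replace. The file-selection rule is kept separate from the network code so it can be exercised offline: a file is pulled only if it has not been pulled before (or has changed since) and has not been modified within a grace period, which avoids ingesting a log the producer is still writing.

```python
"""Added example: a pull-style SFTP log collector (not the ESM receiver's code).

Flow per poll: connect with a key, list the remote drop directory, pick files
that are new or changed and quiescent, download them, record what was taken.
Assumes: the 'paramiko' package (imported lazily so the pure logic runs
without it) and placeholder connection details in pull_once().
"""
import json
import os
import time
from pathlib import Path

GRACE_SECONDS = 120          # skip files modified in the last 2 minutes
LOG_SUFFIX = ".log"          # only collect the producer's log files


def select_files(listing, seen, now, grace=GRACE_SECONDS, suffix=LOG_SUFFIX):
    """Decide which remote files to download this round.

    listing: iterable of (name, size, mtime_epoch) from the remote directory.
    seen:    dict name -> [size, mtime] of files already collected.
    now:     current epoch time (passed in so the rule is testable).
    Returns a sorted list of file names to fetch.
    """
    picks = []
    for name, size, mtime in listing:
        if not name.endswith(suffix):
            continue                       # not one of the log files we want
        if now - mtime < grace:
            continue                       # possibly still being written
        if seen.get(name) == [size, mtime]:
            continue                       # unchanged since last pull
        picks.append(name)
    return sorted(picks)


def load_state(state_path):
    """Read the 'already collected' map; an absent file means a first run."""
    p = Path(state_path)
    return json.loads(p.read_text()) if p.exists() else {}


def save_state(state_path, seen):
    Path(state_path).write_text(json.dumps(seen, indent=1, sort_keys=True))


def pull_once(host, user, key_path, remote_dir, local_dir, state_path, port=22):
    """One polling cycle, the way a receiver's scheduled retrieval works.

    Returns the list of file names downloaded. The host key must already be
    in the system known_hosts; an unknown key is rejected rather than
    silently accepted, so a spoofed SFTP server cannot feed the collector.
    """
    import paramiko  # assumed third-party dependency

    seen = load_state(state_path)
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host, port=port, username=user, key_filename=key_path)
    try:
        sftp = client.open_sftp()
        listing = [(a.filename, a.st_size, a.st_mtime)
                   for a in sftp.listdir_attr(remote_dir)]
        todo = select_files(listing, seen, time.time())
        os.makedirs(local_dir, exist_ok=True)
        for name in todo:
            sftp.get(f"{remote_dir}/{name}", os.path.join(local_dir, name))
            size, mtime = next((s, m) for n, s, m in listing if n == name)
            seen[name] = [size, mtime]
        sftp.close()
    finally:
        client.close()
    save_state(state_path, seen)
    return todo


if __name__ == "__main__":
    # Placeholder values; replace with the real drop host and a read-only account.
    print(pull_once("sftp.example.invalid", "siem-pull", "/etc/siem/pull_key",
                    "/drop/appliance", "/var/tmp/pulled", "/var/tmp/pull-state.json"))
```

The account the receiver logs in with only needs to read the drop directory, so on the SFTP server side it should be a dedicated, chrooted, read-only user rather than an administrative one; the poller never needs to delete or write. The grace period is the part people most often leave out: if the producer writes a file in place rather than renaming it into the directory when complete, a collector with no quiescence check will pick up a truncated log on the first pass and never revisit it.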