I have recently deployed a SIEM for an enterprise environment in HA mode. I have some doubt about the syslog configuration on each MPLS VPN router: is every router required to send syslog, or is it sufficient for the gateway router to send syslog and provide the result?
What is the best practice for data source configuration in enterprise infrastructure?
Please share your input.
It all depends on your security goals, network design, SIEM use cases and the current load on your SIEM devices. At a minimum, I would start with the gateway first. Also, I strongly suggest collecting flow data from your routers/switches, as it will give you greater insight into your traffic and capture anomalies.
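Whichever routers you decide should send syslog, the check a practitioner wants on the SIEM side is a coverage report: which of the expected routers are actually delivering messages, which are silent, and whether something not in the inventory is reporting. The following is an added example, not code from the poster or the answerer; the syslog lines, hostnames and the inventory set are all constructed for this illustration, and the line format assumed is the common RFC 3164 style (`<PRI>Mon dd hh:mm:ss host message`) that Cisco-style routers emit.

```python
import re
from collections import Counter

# Constructed sample of what a SIEM collector might receive from MPLS VPN routers.
# Hostnames, addresses and message bodies are invented for this example.
SAMPLE_SYSLOG = """\
<189>Mar 10 10:01:02 gw-hq-01 1234: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 203.0.113.5(4444) -> 10.0.0.7(22), 1 packet
<189>Mar 10 10:01:05 gw-hq-01 1235: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
<189>Mar 10 10:01:09 pe-branch-03 88: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.50)
<189>Mar 10 10:02:11 gw-hq-01 1236: %SEC-6-IPACCESSLOGP: list INBOUND denied tcp 203.0.113.5(4445) -> 10.0.0.7(22), 1 packet
<189>Mar 10 10:02:40 unknown-rtr 7: %SYS-5-RESTART: System restarted
"""

# Constructed inventory: every router that is supposed to be forwarding syslog.
EXPECTED_ROUTERS = {"gw-hq-01", "pe-branch-03", "pe-branch-07", "ce-dc-02"}

# RFC 3164-style header: <PRI>, BSD timestamp, hostname, then the free-form message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                              # PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "    # e.g. "Mar 10 10:01:02"
    r"(?P<host>\S+) "                                   # reporting hostname
    r"(?P<msg>.*)$"                                     # rest of the line
)


def parse_line(line):
    """Return a dict with facility, severity, host and msg, or None if the line does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def coverage_report(raw, expected):
    """Compare the hosts seen in a batch of syslog lines against the expected inventory.

    Returns which expected routers are silent, which reporting hosts are not in the
    inventory (a misconfigured or rogue source), per-host message counts, and how many
    lines failed to parse (a parser gap that would otherwise hide missing coverage).
    """
    counts = Counter()
    unparsed = 0
    for line in raw.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        counts[rec["host"]] += 1
    seen = set(counts)
    return {
        "silent": sorted(expected - seen),
        "unexpected": sorted(seen - expected),
        "counts": dict(counts),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = coverage_report(SAMPLE_SYSLOG, EXPECTED_ROUTERS)
    print("silent routers:    ", report["silent"])
    print("unexpected sources:", report["unexpected"])
    print("messages per host: ", report["counts"])
    print("unparsed lines:    ", report["unparsed"])
```

Run it periodically over each collection window (or adapt it to read from the SIEM's raw-event store) and alert on a non-empty `silent` list; a router that never appears is a coverage gap regardless of whether the gateway alone was the intended design, and an `unexpected` host is worth investigating before its events are trusted.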