I have an interesting scenario. Does anyone know if it is possible to process logs collected from the universal forwarder like a dashcam? For instance, in this case I want to let stream run on a box, collect, say, a 24-hour rolling window's worth of data and discard anything older, but not send those logs to the indexes unless something happens that warrants the collection. The thought here being that the stream data will contain forensics about an event, but I don't want thousands of endpoints sending stream data unnecessarily all the time. If, however, I find an event that warrants inspection, I want that/those endpoints to send their stream data for analysis.
I thought about doing something with a forwarding queue and disabling forwarding for that source until I need it, and managing that enable/disable through some mechanism, either DS or something manual.
I'd love to see any thoughts around this.
Thanks!
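The dashcam behaviour asked about above, sketched as an added example that is not part of the original post and is not a Splunk feature: a rolling window of events is retained on the endpoint and evicted as it ages past 24 hours, and nothing leaves the box until a trigger fires, at which point the whole retained window is handed to the output queue oldest-first. The `TRIGGER` marker, the `forwarded` list standing in for the forwarder's output queue, and the sample lines are all constructed placeholders for whatever control mechanism (DS-pushed config or a manual toggle) would actually release the data.

```python
from collections import deque
from datetime import datetime, timedelta

# Rolling retention window from the question (24 hours).
# Hypothetical example: an in-memory buffer, not a universal forwarder feature.
WINDOW = timedelta(hours=24)


class DashcamBuffer:
    """Retain a rolling window of events on the endpoint; forward nothing until told to."""

    def __init__(self, window=WINDOW):
        self.window = window
        self._buf = deque()   # (timestamp, line) pairs, oldest first
        self.forwarded = []   # constructed stand-in for the forwarder's output queue

    def ingest(self, ts, line):
        """Append a new event and drop anything that has aged past the window."""
        self._buf.append((ts, line))
        self._evict(ts)

    def _evict(self, now):
        cutoff = now - self.window
        while self._buf and self._buf[0][0] < cutoff:
            self._buf.popleft()

    def flush(self, now):
        """An event warranted inspection: ship the whole retained window, oldest first."""
        self._evict(now)
        batch = [line for _, line in self._buf]
        self.forwarded.extend(batch)
        self._buf.clear()
        return batch

    def retained(self):
        return len(self._buf)


def parse(line):
    """Parse a constructed 'ISO8601 message' line into (timestamp, line)."""
    stamp, _ = line.split(" ", 1)
    return datetime.fromisoformat(stamp), line


def is_trigger(line):
    """Placeholder detection: a TRIGGER tag stands in for whatever warrants collection."""
    return "TRIGGER" in line


def run(lines, buf=None):
    """Feed lines through the buffer; return (events forwarded, events still retained)."""
    if buf is None:
        buf = DashcamBuffer()
    for raw in lines:
        ts, line = parse(raw)
        buf.ingest(ts, line)
        if is_trigger(line):
            buf.flush(ts)
    return buf.forwarded, buf.retained()


# Constructed sample: ordinary stream events, then a trigger 25 hours after the first line,
# so the first line has already aged out of the window when the flush happens.
SAMPLE = [
    "2024-01-01T00:00:00+00:00 stream conn 10.0.0.5 -> 10.0.0.9:443",
    "2024-01-01T01:00:00+00:00 stream conn 10.0.0.5 -> 10.0.0.7:22",
    "2024-01-02T00:30:00+00:00 stream conn 10.0.0.5 -> 10.0.0.8:445",
    "2024-01-02T01:00:00+00:00 TRIGGER suspicious process on host",
]

if __name__ == "__main__":
    sent, kept = run(SAMPLE)
    print(f"forwarded {len(sent)} events, retained {kept}")
    for line in sent:
        print(" ", line)
```

Run as written, the first sample line is evicted before the trigger arrives, so three events (the two surviving stream lines and the trigger itself) reach the output queue and the buffer is left empty. On a real endpoint the buffer would live on local disk rather than in memory, and eviction would be sized by bytes as well as by age, but the control flow (retain, evict, flush on demand) is the part the question is asking about.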