Forum Discussion

MarPas
Brass Contributor
Mar 10, 2025

Cribl or Logstash vs AMA CEF: What’s the Best Choice for Ingesting Firewall Logs?

Hi everyone, what are the advantages of using Cribl or Logstash over a CEF log collector via AMA for ingesting firewall logs (Palo Alto, for example) into Microsoft Sentinel?

In a typical scenario, how would you configure the ingestion to optimize performance, scalability, and cost?


What do you think? Let’s discuss and share experiences!

  • duliprb
    Brass Contributor

    MarPas Cribl and Logstash do better work by enriching logs, log reduction, transformation, enrichment, routing, etc., while AMA log ingestion allows you to upload the basic logs in Common Event Format for Palo Alto. When you look for advanced filtering, cost reduction and enrichment data, better use Cribl. In some scenarios, you need to map data like "Location - IP or any other enrichment". Logstash and Cribl offer paid options as well. Any specific reason you are looking for this?
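    As an added illustration of the reduction and enrichment steps described in the reply above (example code added here, not from the thread, Cribl or Logstash): a small Python pre-processor that parses CEF lines, drops allowed low-severity TRAFFIC sessions before they reach the SIEM, and tags each source IP with a site label. The sample lines, the noise rule and the site table are all constructed for the example.

```python
import ipaddress
import re

# Constructed Palo Alto-style CEF lines (sample data, not real device output).
SAMPLE_CEF = [
    r"CEF:0|Palo Alto Networks|PAN-OS|10.2|TRAFFIC|end|1|src=10.1.20.15 dst=93.184.216.34 spt=51515 dpt=443 proto=tcp act=allow",
    r"CEF:0|Palo Alto Networks|PAN-OS|10.2|TRAFFIC|end|1|src=10.1.20.16 dst=93.184.216.34 spt=51516 dpt=53 proto=udp act=allow",
    r"CEF:0|Palo Alto Networks|PAN-OS|10.2|THREAT|vulnerability|5|src=198.51.100.7 dst=10.1.20.15 spt=4444 dpt=22 proto=tcp act=drop msg=Exploit attempt\=blocked",
]
# Constructed site table standing in for the "Location - IP" enrichment mentioned in the reply.
SITES = {ipaddress.ip_network("10.1.20.0/24"): "HQ-users", ipaddress.ip_network("10.1.30.0/24"): "DC-servers"}

HEADER_SEP = re.compile(r"(?<!\\)\|")    # '|' splits header fields unless escaped as '\|'
EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")  # 'key=' tokens; a '\=' inside a value is not a key

def _unescape(text: str) -> str:
    # CEF escapes '|', '=' and '\' with a backslash; drop the backslash, keep the character.
    return re.sub(r"\\(.)", r"\1", text)

def parse_cef(line: str) -> dict:
    # Seven header fields, then the free-form extension of key=value pairs.
    parts = HEADER_SEP.split(line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    version, vendor, product, dev_ver, sig_id, name, severity = map(_unescape, parts[:7])
    ext, keys = parts[7], list(EXT_KEY.finditer(parts[7]))
    extension = {}
    for i, m in enumerate(keys):  # a value runs until the next key token starts
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        extension[m.group(1)] = _unescape(ext[m.end():end].strip())
    return {"version": version[4:], "vendor": vendor, "product": product, "device_version": dev_ver,
            "signature_id": sig_id, "name": name, "severity": int(severity), "ext": extension}

def is_noise(ev: dict) -> bool:
    # Constructed reduction rule: allowed low-severity TRAFFIC sessions are not forwarded.
    return ev["signature_id"] == "TRAFFIC" and ev["ext"].get("act") == "allow" and ev["severity"] < 3

def site_for(ip_text: str) -> str:
    ip = ipaddress.ip_address(ip_text)
    return next((site for net, site in SITES.items() if ip in net), "external")

def process(lines):
    # Reduce, enrich and flatten; returns (records to forward, number dropped).
    kept, dropped = [], 0
    for ev in map(parse_cef, lines):
        if is_noise(ev):
            dropped += 1
            continue
        record = {k: v for k, v in ev.items() if k != "ext"}
        record.update(ev["ext"])
        record["src_site"] = site_for(ev["ext"]["src"]) if "src" in ev["ext"] else "unknown"
        kept.append(record)
    return kept, dropped
```

    On the three sample lines, `process(SAMPLE_CEF)` forwards only the THREAT event (tagged `src_site="external"`) and drops the two allowed sessions, which is the kind of volume reduction the reply refers to.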


    • MarPas
      Brass Contributor

      There isn’t a specific reason, but let’s take Palo Alto’s CEF data as an example: we can leverage auxiliary logs and summary rules to optimize, enrich, and transform the data while also reducing costs. I’d love to hear other users’ perspectives on this approach.

      Additionally, if we were working with multiple data sources, tools like Cribl or Logstash could prove particularly useful, especially considering a potential implementation.

      What do you think?
