Security Onion can consume many kinds of host logs. You can send logs to Security Onion via your choice of either Elastic Agent or Syslog:
- Choose Elastic Agent for comprehensive telemetry if you can install an agent on the host.
- Choose Syslog if you can’t install an agent but the device supports sending standard syslog. Examples include firewalls, switches, routers, and other network devices.

For Windows endpoints, you can optionally augment the standard Windows logging with Sysmon and/or Autoruns.