by neurotixz 1413 days ago
In a nutshell (I have been in cybersecurity for 18 years...) one key aspect of cybersecurity is to centralize all logs of security (and a few other tools) in a central repository and use that data to identify threats through rules, correlation, ML, analytics or any other means (SIEM space). Also compliance requirements...

Basically every vendor has its own formats, fields and the way to centralize this data (syslog still rules...) and parse it in a common way (a source IP is a source IP in all tech) has been a pain point since forever. There is basically a whole industry around it, and a whole bunch of logstash parsers have been sacrificed. Even better is that vendors have a tendency to change format once in a while, so even some you have will break way more often than they should. Many vendors don't see that as an issue as it locks their clients in.

This is another attempt at solving this. It does seem to have traction for once, and nobody wants to piss off Amazon; if they make this a prerequisite to be on their marketplace then it will actually work.

1 comment
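The normalization problem the comment above describes, as an added example that is not part of the thread: two made-up vendor log formats (a key=value line and a JSON blob) are mapped onto one common event schema so that a single detection rule ("which source IPs were denied?") works regardless of which product produced the line. The vendor names, field names, schema and sample log lines are all constructed for illustration; the point of the `src`/`srcip` alias and the `unknown`/malformed branches is the "vendor changed the format and the parser broke" failure mode, which degrades to an event with missing fields rather than a crashed pipeline.

```python
import json
import re
from dataclasses import dataclass, asdict
from ipaddress import ip_address
from typing import Optional

# Common event schema: every parser emits this, so downstream rules only
# ever see one set of field names. Hypothetical schema for this example.
@dataclass
class Event:
    vendor: str
    src_ip: Optional[str]
    dst_ip: Optional[str]
    action: Optional[str]
    raw: str

# Constructed sample lines in two made-up vendor formats.
SAMPLE_LINES = [
    # "vendorA": firewall-style key=value pairs
    'vendorA ts=2024-01-01T00:00:01Z srcip=10.0.0.5 dstip=203.0.113.9 act=deny',
    # "vendorB": JSON with completely different field names and casing
    'vendorB {"source": {"address": "192.168.1.20"}, "destination": {"address": "198.51.100.2"}, "verdict": "ALLOW"}',
    # vendorA after a "format change": srcip was renamed to src
    'vendorA ts=2024-01-01T00:00:02Z src=10.0.0.7 dstip=203.0.113.9 act=deny',
]

KV_RE = re.compile(r'(\w+)=(\S+)')

def _valid_ip(value):
    """Return a canonical IP string, or None if the value is not an IP."""
    try:
        return str(ip_address(value))
    except (ValueError, TypeError):
        return None

def _first(mapping, *keys):
    """First present key among several aliases (tolerates field renames)."""
    for key in keys:
        if key in mapping:
            return mapping[key]
    return None

def parse_vendor_a(body):
    kv = dict(KV_RE.findall(body))
    return Event(
        vendor='vendorA',
        src_ip=_valid_ip(_first(kv, 'srcip', 'src')),
        dst_ip=_valid_ip(_first(kv, 'dstip', 'dst')),
        action=(kv.get('act') or '').lower() or None,
        raw=body,
    )

def parse_vendor_b(body):
    try:
        obj = json.loads(body)
    except json.JSONDecodeError:
        # Malformed input still yields an event, with fields left empty.
        return Event('vendorB', None, None, None, body)
    return Event(
        vendor='vendorB',
        src_ip=_valid_ip(obj.get('source', {}).get('address')),
        dst_ip=_valid_ip(obj.get('destination', {}).get('address')),
        action=(obj.get('verdict') or '').lower() or None,
        raw=body,
    )

PARSERS = {'vendorA': parse_vendor_a, 'vendorB': parse_vendor_b}

def normalize(line):
    """Route a raw line to its vendor parser; unknown vendors are kept, unparsed."""
    vendor, _, body = line.partition(' ')
    parser = PARSERS.get(vendor)
    if parser is None:
        return Event(vendor or 'unknown', None, None, None, line)
    return parser(body)

def normalize_all(lines):
    return [normalize(line) for line in lines]

def denied_sources(events):
    """Vendor-agnostic rule: source IPs that appeared in a deny decision."""
    return sorted({e.src_ip for e in events if e.action == 'deny' and e.src_ip})

if __name__ == '__main__':
    events = normalize_all(SAMPLE_LINES)
    for event in events:
        print(json.dumps(asdict(event)))
    print('denied sources:', denied_sources(events))
```

The rule in `denied_sources` never touches a vendor-specific name, which is the whole value of the common schema: when a third product is onboarded, only a new parser is written and every existing rule keeps working.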

Back in 1999 I worked at a company as IT manager, and the CIO had me parsing logs every morning. On paper. On a line-type printer. We fed the logs directly to the printer in real-time because he was concerned if a system had been hacked that they would fuss with the logs and he wanted a physical print out in real time to thwart any efforts to munge the logs post hack. Highlight any potential threats with an actual highlighter.

This sucked.

However, it really taught me how to skim logs for threats in the physical form super fast...