
Forwarding Logs to External SIEM

    If logs from the ESA and Protectors need to be forwarded to an external SIEM, it is advised to direct them to the ESA first. The td-agent within the ESA can then forward these logs concurrently to both Insight in the ESA and the external SIEM. This approach keeps log management unified and efficient while maintaining comprehensive audit trails and enhancing security monitoring capabilities.

    For more information about forwarding logs to an external SIEM, refer to Sending logs to an external security information and event management (SIEM).

    Refer to the architecture diagram in Deployment with Audit logging flow to External SIEM for a comprehensive understanding of the log-forwarding communication flows between the Protectors, the ESA, and the external SIEM.