Nexus Edge — Agentless Syslog Ingestion

Not everything can run an agent. Routers, firewalls, switches, IoT and OT gear still speak syslog — and Nexus Edge brings that telemetry in. Each syslog line becomes a real Nexus event that flows through the same pipeline as everything else, so devices at the edge get first-class detection without an agent.

  • Topic: Agentless ingestion · Edge devices
  • Formats: RFC3164 / BSD · RFC5424
  • For: Routers · firewalls · switches · IoT/OT
  • API: /ingest/syslog

What it does

Edge ingests syslog from devices that can't host an agent. It accepts both classic RFC3164/BSD and modern RFC5424 syslog, parses the priority value into its severity and facility, and turns each line into a real Nexus event. From there the line is indistinguishable from agent telemetry — it runs through the rule engine and on into alerts, XDR, SOAR and notifications.

  • Agentless — for routers, firewalls, switches, and IoT/OT devices that can't run an agent.
  • Both dialects — parses RFC3164/BSD and RFC5424.
  • Priority decoded — the priority value is parsed into severity and facility.
  • Real events — each line becomes a genuine Nexus event, not a separate side channel.

How to use it

1. Ingest a syslog file

   Feed a log file in, tagging it with the device it came from.

     nexus-cli syslog-ingest --file router.log --device 192.0.2.7

2. Or POST lines to the API

   Send lines directly to the manager, naming the source host.

     POST /ingest/syslog
     {
       "lines": [
         "<134>Jun 22 14:13:20 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 ...",
         "<134>Jun 22 14:13:21 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 ..."
       ],
       "host": "192.0.2.7"
     }

REST API

Endpoint

  POST /ingest/syslog   # { lines: [...], host: "<device-ip>" }

How it fits the pipeline

An ingested syslog line is a first-class Nexus event. It runs through the rule engine, raises alerts, and flows on into XDR correlation, SOAR response and the Notification Hub — and it is checked against canary tokens along the way. Edge devices end up in the same detection pipeline as your agent-managed hosts.

Pairs with air-gapped deployments

Because ingestion is a simple local file or API call with no outbound dependency, Nexus Edge pairs well with air-gapped deployments. You can pull syslog from edge devices and process it entirely inside your perimeter — no cloud, no internet — alongside the rest of the local SOC.

Tips

  • Tag each ingest with the right --device so events are attributed to the correct source.
  • Forward firewall and router syslog to a file, then ingest it on a schedule.
  • Write rules against the decoded severity/facility to catch edge-device events that matter.
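The following is an added example, not Nexus code, illustrating two things this page describes: how a syslog PRI value is decoded into facility and severity (the "Priority decoded" point under "What it does") and how rules can then be written against those decoded fields (the last tip above). It accepts both RFC3164/BSD and RFC5424 lines, tags each event with the source device, and runs a few sample rules over the result. The event field names, the rule dictionary shape and the sample log lines are all assumptions constructed for the example; Nexus's internal event schema is not documented on this page.

```python
"""Added example (not Nexus code): decode the syslog PRI value, normalise
RFC3164/BSD and RFC5424 lines into flat event dicts tagged with the source
device, and match rules against the decoded severity/facility.
Field names and the rule shape are assumptions, not the product's schema."""
import re

# Severity 0..7 and facility 0..23 names as assigned in RFC 5424 section 6.2.1.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
# (structured data is matched coarsely; escaped ']' inside SD values is not handled).
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$", re.S)
# RFC 3164 / BSD: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG  (TAG part is optional).
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: )?(?P<msg>.*)$", re.S)


def decode_pri(pri: int):
    """PRI = facility * 8 + severity, so facility is PRI >> 3 and severity is PRI & 7.
    Valid PRI values are 0..191 (facility 0..23); anything else is rejected."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0..191")
    return pri >> 3, pri & 7


def parse_syslog(line: str, device: str) -> dict:
    """Turn one raw syslog line (either dialect) into a flat event dict."""
    m, fmt = RFC5424.match(line), "rfc5424"
    if m is None:
        m, fmt = RFC3164.match(line), "rfc3164"
    if m is None:
        raise ValueError(f"unparseable syslog line: {line[:40]!r}")
    facility, severity = decode_pri(int(m.group("pri")))
    d = m.groupdict()
    return {
        "format": fmt,
        "device": device,                      # the --device / host tag from the ingest call
        "facility": facility, "facility_name": FACILITIES[facility],
        "severity": severity, "severity_name": SEVERITIES[severity],
        "timestamp": d["ts"],
        "hostname": d["host"],
        "app": d.get("app") or d.get("tag") or "-",
        "message": (d.get("msg") or "").strip(),
    }


# Hypothetical rule shape: fire when severity is at most max_severity (lower is more
# severe), the facility is in the allowed set (None = any), and the message matches.
RULES = [
    {"name": "edge-auth-critical", "max_severity": 2, "facilities": {4, 10}, "pattern": None},
    {"name": "firewall-drop", "max_severity": 7, "facilities": None,
     "pattern": re.compile(r"\bDROP\b")},
    {"name": "bgp-neighbor-down", "max_severity": 5, "facilities": None,
     "pattern": re.compile(r"BGP neighbor \S+ Down")},
]


def match_rules(event: dict, rules=RULES) -> list:
    """Return the names of every rule the decoded event satisfies."""
    hits = []
    for r in rules:
        if event["severity"] > r["max_severity"]:
            continue
        if r["facilities"] is not None and event["facility"] not in r["facilities"]:
            continue
        if r["pattern"] is not None and not r["pattern"].search(event["message"]):
            continue
        hits.append(r["name"])
    return hits


def ingest(lines, device: str) -> list:
    """Parse each line, attach matched rule names, and return the event list."""
    events = []
    for line in lines:
        ev = parse_syslog(line.rstrip("\r\n"), device)
        ev["matched_rules"] = match_rules(ev)
        events.append(ev)
    return events


# Constructed sample input: one BSD firewall line, one RFC 5424 router line,
# one BSD auth line. Addresses are documentation ranges, not real hosts.
SAMPLE_LINES = [
    "<134>Jun 22 14:13:20 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22",
    '<165>1 2024-06-22T14:13:22.000Z rtr1 bgpd 1123 ID47 [origin ip="192.0.2.7"] BGP neighbor 198.51.100.2 Down',
    "<34>Jun 22 14:13:25 sw1 sshd[2041]: Failed password for root from 203.0.113.9 port 51122 ssh2",
]

if __name__ == "__main__":
    for ev in ingest(SAMPLE_LINES, device="192.0.2.7"):
        print(f'{ev["format"]:8} {ev["facility_name"]:8} {ev["severity_name"]:8} '
              f'{ev["hostname"]:5} {ev["app"]:7} -> {ev["matched_rules"]}')
```

The two parsers are deliberately strict about the leading `<PRI>` and the RFC 5424 version digit, so a line that is neither dialect raises rather than being silently ingested as a free-text message; a PRI outside 0..191 is rejected for the same reason. Rules key off the decoded numeric facility and severity rather than the raw PRI, which is what lets one rule cover, say, any critical-or-worse auth event regardless of which device emitted it.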

No agent? No problem. The devices you can't instrument are often the ones at the perimeter. Nexus Edge folds their syslog into the same pipeline as everything else — detection, correlation, response and notification — so nothing at the edge goes unwatched.