Network and syslog ingestion

This article explains how network and syslog data is ingested into Kaseya SIEM, how that data is routed to organizations, and what you should expect to see in the platform once ingestion is working.

Use this article to understand how log‑based and network telemetry enters Kaseya SIEM, not how firewall devices or network equipment are configured.

This article explains:

  • What network and syslog ingestion means in Kaseya SIEM

  • Common types of sources that use syslog‑based ingestion

  • Where ingestion behavior is configured in the UI

  • How ingested data is associated with an organization

  • What visible outcomes indicate that ingestion is working

Network and syslog ingestion in Kaseya SIEM

Network and syslog ingestion refers to the process by which log‑based telemetry from network devices, firewalls, and other infrastructure sources is received and analyzed by Kaseya SIEM.

Unlike endpoint or SaaS integrations, network and syslog sources typically:

  • Send data outbound to the platform

  • Use standard log formats such as syslog

  • Do not require an “add application” onboarding flow

Once received, this telemetry is processed and correlated in the context of the organization it is routed to.

Network and firewall log ingestion uses a syslog receiver model, where a deployed agent is selected to receive and process syslog telemetry for an organization. Firewall and network devices are configured externally to send logs to this agent using the destination values shown in Kaseya SIEM.

Note: Management of application configuration overrides is expected to improve in a future update, but the underlying ingestion model and organization‑scoped behavior will remain the same.

Common network and syslog data sources

Network and syslog ingestion is commonly used for infrastructure and security systems that generate log‑based telemetry.

Examples include:

  • Firewalls and network security appliances

  • Network infrastructure (routers, switches, load balancers)

  • VPN and remote access systems

  • Authentication or identity systems that emit syslog events

  • Other infrastructure devices that generate operational or security logs

These sources send log data to Kaseya SIEM using supported log formats. The platform processes and evaluates this data after it arrives.

Firewall and network device ingestion follows a vendor‑agnostic syslog model. Supported firewall platforms are configured externally to forward syslog telemetry to the destination values displayed in Kaseya SIEM (IP address, port, and protocol). As long as the device is from a supported vendor and forwards logs using these values, Kaseya SIEM will ingest and analyze the data. The SIEM interface remains the authoritative source for the list of supported firewall vendors.

Components involved in ingestion

Network and syslog ingestion relies on platform components that define how incoming log data is received and handled.

These components include:

  • Syslog collectors, which receive log data over supported protocols

  • Firewall and network log analyzers, which normalize and process incoming logs

These components control ingestion behavior only, such as receiving, filtering, and storing logs. They do not configure or manage the source devices themselves.

Where ingestion is configured

Ingestion‑related configuration is managed from Settings > Application Configurations.

From this area, administrators can:

  • Enable or adjust syslog ingestion components

  • Control how incoming logs are processed after arrival

  • Manage ingestion behavior at a global or organization level

These settings determine how Kaseya SIEM handles data once it is received, not how external devices send data.

How network and syslog data is associated with organizations

Network and syslog data must be associated with an organization so it can be analyzed in the correct security context.

Depending on how ingestion is configured:

  • Incoming data may be explicitly mapped to an organization during integration setup

  • Data may be routed based on predefined ingestion configuration or organization‑level overrides

Once associated:

  • Alerts, investigations, and reports are scoped to that organization

  • Network and syslog activity can be correlated with other telemetry sources

What you will see after ingestion is working

When network and syslog ingestion is functioning correctly:

  • Log‑based activity becomes available for analysis and correlation

  • Related alerts may begin to appear based on existing detection logic

  • Network and infrastructure activity can be reviewed alongside other sources in investigations

Network and syslog sources do not always appear as standalone applications in the same way as SaaS or endpoint integrations. Their presence is typically reflected through incoming activity, alerts, and investigation context rather than an onboarding status.

Validating network and syslog ingestion

After enabling network or syslog ingestion, validation typically involves confirming that:

  • Log data is being received by the ingestion components

  • Activity from network or infrastructure sources appears in alerts or investigations

  • Data is associated with the correct organization

If expected data is not appearing, review:

  • How the data source is mapped to an organization

  • Ingestion‑related application configurations

  • Organization‑level visibility and permissions

Fine‑tuning ingestion behavior and filtering is handled through application‑specific settings.
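To check the first validation point (log data reaching the receiver) independently of any firewall, the following added example, which is not Kaseya code, sends one uniquely tagged syslog event to a destination IP address, port, and protocol. The function names, the RFC 5424 formatting, and the newline TCP framing are assumptions; a generic line like this tests the transport path only and may not be parsed by a vendor‑specific analyzer.

```python
import socket
import uuid
from datetime import datetime, timezone

def make_marker():
    """Unique token to search for in the platform after sending."""
    return "siem-ingest-test-" + uuid.uuid4().hex[:12]

def build_rfc5424(msg, app="ingest-test", facility=16, severity=5):
    """One RFC 5424 line; PRI = facility * 8 + severity (local0.notice = 133)."""
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    host = socket.gethostname() or "-"
    # VERSION is 1; PROCID, MSGID and STRUCTURED-DATA use the nil value "-".
    return f"<{pri}>1 {ts} {host} {app} - - - {msg}"

def send_test_event(dest_ip, dest_port, protocol, msg):
    """Send one event to the receiver; returns the number of bytes sent."""
    payload = build_rfc5424(msg).encode("utf-8")
    proto = protocol.lower()
    if proto == "udp":
        # UDP is fire-and-forget: success only means the datagram left this host.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(payload, (dest_ip, dest_port))
    if proto == "tcp":
        # Newline-terminated framing (RFC 6587 non-transparent framing).
        # A refused or timed-out connect raises OSError: a path or listener problem.
        with socket.create_connection((dest_ip, dest_port), timeout=5) as s:
            s.sendall(payload + b"\n")
            return len(payload) + 1
    raise ValueError(f"unsupported protocol: {protocol!r}")

if __name__ == "__main__":
    # Loopback stand-in for the receiving agent so the demo runs offline.
    # For a real check, pass the IP, port and protocol shown in Kaseya SIEM.
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(5)
    marker = make_marker()
    send_test_event("127.0.0.1", rx.getsockname()[1], "udp", marker)
    print(rx.recvfrom(4096)[0].decode())
    rx.close()
```

After sending to the real destination values, look for the marker string in the activity of the organization the receiver belongs to; finding it under a different organization points to a mapping problem rather than a transport problem.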

Integration‑specific network and firewall ingestion

Network and syslog ingestion provides the general model for how log‑based telemetry enters Kaseya SIEM.

Some log‑based sources are configured using application‑specific ingestion logic and organization‑level overrides. Firewall log ingestion is one such example.

For step‑by‑step guidance on configuring firewall log ingestion using the Firewall Log Analyzer application, see Configuring Firewall Log Analyzer (Firewall log ingestion).

That article builds on the concepts described here and explains how firewall logs are received, processed, and validated for a specific organization.

Role and permission considerations

Managing network and syslog ingestion requires administrative permissions.

These tasks are typically performed during:

  • Initial platform onboarding

  • Expansion to include additional network data sources

  • Environment‑specific ingestion tuning

Technicians and analysts interact with the resulting alerts and investigations but do not manage ingestion configuration.

Key takeaway

Network and syslog ingestion defines how log‑based telemetry is received, processed, and routed in Kaseya SIEM. Configuration focuses on ingestion behavior within the platform, while configuration of source devices is handled externally.