Capabilities & Real Log Alignment
Understanding how closely each target system replicates logs from real production systems
| Target | Alignment Level | Field Format | Reason for Alignment Level |
|---|---|---|---|
| Splunk HEC | Full Alignment | Original format (format-specific) | Logs are sent in their original format, exactly as they appear from a real production system. Splunk processes them using the same mechanisms as production logs, ensuring 100% compatibility with existing searches, dashboards, and detection rules for all log types. |
| Elasticsearch | Full Alignment | JSON (ECS-compliant mappings) | All original event data is preserved and correctly mapped to the Elastic Common Schema (ECS) standard. Logs replicate the same structure and data as from a real production system, ensuring complete compatibility with existing queries and detection rules. |
| Azure Sentinel | Not Implemented | N/A | Support is planned but not yet implemented. |
Understanding Real Log Alignment
Full Alignment means the target system receives logs that replicate the same structure and data as logs from a real production system. All original event data is preserved, and the logs are formatted in a way that the target system can process using its native mechanisms, ensuring complete compatibility with existing detection rules, queries, and visualizations. This capability applies to all log types sent to that system.