Pretty sure if you got the tap correct, you could run a Docker SIEM to log it all. But it's the capture first that's the tricky bit. I have a couple of switches that support mirroring, but the topology would need re-jigging. I wonder if you can stream the IDS logs to the NAS? Hey, you can then try setting up a SIEM too.
Indeed. Security spend is like insurance: no one likes it, especially the accounts. Reporting is one way to demonstrate the benefits: it's hard to quantify the cost saving to productivity and infrastructure resources being used for non-business activities (CPU, bandwidth, power, cooling, hosting, etc.). You're always better off with more information than less, especially in terms of security.