0

I'm planning to have a subset of end users running Chromebooks and would like to ingest system logs for those devices into a SIEM solution. Is there a way to do this?

I see from Google documentation that there's a manual process for retrieving logs, but I'm not seeing a method to automatically forward logs to a SIEM solution in real-time.

Mike B
  • 11,570
  • 42
  • 106
  • 165

1 Answer

0

Chrome OS's syslog implementation is rsyslog.

While it is capable of forwarding to a remote, production Chromebooks have a read-only rootfs and verify its integrity. Developer mode, which is needed to change it, comes with void-your-warranty style warnings, since it disables signed images. While this degrades the security to something more like a regular Linux box, which is certainly manageable, it removes the advantages of a root of trust.

Possibly you could enhance Chromium OS to symlink in an rsyslog config in user storage. A challenge there would be to persuade the project to adopt the feature.

Overall, consider what value you would get out of syslog from a host whose immutable operating system is a feature.

John Mahowald
  • 30,009
  • 1
  • 17
  • 32
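As an added illustration of the remote forwarding the answer mentions (this is not configuration from the original post or from the Chrome OS project), below is what an rsyslog forwarding rule looks like on a host where the rsyslog configuration is writable, such as a developer-mode image or the symlinked-in config the answer speculates about. The collector hostname `siem.example.internal`, port 6514, and the certificate paths are assumptions for illustration. The first, commented-out line is the classic plaintext-UDP form; the `action()` block is the hardened equivalent with TLS, peer verification, and a disk-assisted queue so log lines survive a collector outage instead of being dropped.

```conf
# Weak form: plaintext UDP, no delivery guarantee, no authentication of the
# collector. Shown only for contrast; leave it commented out.
# *.* @siem.example.internal:514

# Hardened form. All names and paths below are assumptions for illustration.
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/client-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/client-key.pem"
)

action(
    type="omfwd"
    target="siem.example.internal"
    port="6514"
    protocol="tcp"
    # TLS with x509 name checking: the collector must present a certificate
    # chaining to the CA above and matching the permitted peer name.
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="siem.example.internal"
    # Disk-assisted queue: buffer locally while the collector is unreachable
    # and keep retrying forever rather than discarding messages.
    queue.type="LinkedList"
    queue.filename="siem_fwd"
    queue.saveOnShutdown="on"
    action.resumeRetryCount="-1"
)
```

`rsyslogd -N1` will syntax-check the file without starting the daemon. Note that this only addresses the transport; it does nothing about the answer's main point, which is that on a stock Chromebook the rootfs holding this file is read-only and integrity-verified, so the config cannot be installed without giving up that guarantee.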