SONiC Lite and SIEM Integration: Closing the Security Visibility Gap in Open Networking

White Paper Abstract

Network threats are growing faster than most security teams can respond. The IBM Cost of a Data Breach 2025 report puts the global average breach cost at USD 4.44 million, with a mean time to identify and contain of 241 days. Meanwhile, enterprise SIEMs miss an estimated 79% of MITRE ATT&CK techniques – the data exists, but the integration architecture fails to surface it.

This whitepaper examines how PLVision’s SONiC Lite – a lightweight SONiC distribution for DC, campus, and edge deployments – integrates with leading SIEM platforms including Wazuh and Splunk. We map SONiC Lite’s native telemetry capabilities against real SIEM integration requirements, identify where gaps exist, and lay out a practical five-layer pipeline architecture to close them.

Contents

I. Executive Summary
II. Problem Statement: The Security Visibility Gap
III. SIEM Platforms: A Brief Orientation
IV. SIEM Integration Requirements
V. SONiC Lite SIEM Capabilities & Integration Architecture
VI. SONiC Lite SIEM Integration: Validated Examples
VII. Conclusions

Key White Paper Highlights

  • Why network devices are a blind spot for SIEMs – and what it costs. Enterprise SIEMs receive thousands of alerts per day yet miss the majority of known attack techniques. We trace the root cause to fragmented log pipelines, inconsistent formats, and devices designed without SIEM ingestion in mind.
  • What SIEM platforms actually require from a network device. Four baseline capabilities must be in place before any integration is possible: structured syslog transport, TLS-encrypted log delivery, time synchronization, and event content covering authentication, configuration changes, and interface state.
  • SONiC Lite’s key differentiator. Direct access to the Linux ecosystem on the switch enables on-device deployment of Wazuh agents, Filebeat shippers, and custom enrichment scripts, expanding integration scope without adding external infrastructure.
  • A five-layer integration pipeline you can build from. A reference design covering log collection, RFC 5424 transport, normalization to ECS/CEF/OCSF, SIEM ingestion, and optional NetFlow telemetry.
  • Lab-validated results with Wazuh and Splunk. What worked, what required extra configuration, and the operational gotchas that matter: RFC 3164 truncation risks, QRadar cold-start behavior, Elastic mapping explosion, and Splunk sourcetype mis-detection.
  • An honest gap analysis. SONiC Lite covers core telemetry needs for most enterprise environments. The paper spells out where external pipeline work is required, and what regulated sectors like banking or government need to add.
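The normalization layer of the pipeline sketched above is where the RFC 3164 versus RFC 5424 difference and the truncation gotcha actually bite, so here is an added example of that step in Python. It is not code from the white paper, from PLVision or from the SONiC project: it parses both syslog formats, maps them onto ECS-style `log.syslog.*` field names (the exact field selection is this example's choice, not a SIEM requirement), and flags RFC 3164 messages that reach the 1024-byte limit at which relays and collectors may truncate. The sample lines, hostnames and process names are constructed for illustration, and the `year` parameter is an assumption forced by RFC 3164 timestamps carrying neither year nor time zone.

```python
"""Added example (not from the white paper, PLVision or SONiC): normalise raw
syslog lines from a switch into ECS-style fields, telling RFC 5424 apart from
RFC 3164 (BSD) and flagging RFC 3164 lines at the 1024-byte truncation limit.
"""
import re
from datetime import datetime, timezone

# RFC 3164 section 4.1: total packet length MUST be 1024 bytes or less; longer
# messages may be silently cut by relays or collectors, losing the tail of the
# message (often the interesting part of a config-change or auth event).
RFC3164_MAX_LEN = 1024

FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
            "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITY = ["emergency", "alert", "critical", "error", "warning", "notice",
            "informational", "debug"]

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[.*?(?<!\\)\])+)(?: (?P<msg>.*))?$", re.S)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG  (no year, no zone)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$", re.S)
SD_PARAM_RE = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')


def nil(value):
    """RFC 5424 NILVALUE '-' means the field is absent."""
    return None if value == "-" else value


def parse_structured_data(sd: str) -> dict:
    """Turn '[id k="v" ...][id2 ...]' into {id: {k: v}}, unescaping \\" \\] \\\\."""
    result = {}
    for block in re.findall(r"\[(.*?)(?<!\\)\]", sd):
        sd_id, _, params = block.partition(" ")
        result[sd_id] = {k: v.replace('\\"', '"').replace("\\]", "]").replace("\\\\", "\\")
                         for k, v in SD_PARAM_RE.findall(params)}
    return result


def normalize(line: str, year: int = 2025) -> dict:
    """Map one raw syslog line onto ECS-style field names (this example's choice)."""
    raw_len = len(line.encode("utf-8"))
    event = {"event.original": line, "event.kind": "event",
             "log.syslog.truncation_risk": False}  # custom field, not in ECS
    m = RFC5424_RE.match(line)
    if m:
        fmt = "rfc5424"
        ts = nil(m["ts"])
        event.update({
            "@timestamp": datetime.fromisoformat(ts.replace("Z", "+00:00")).isoformat() if ts else None,
            "host.hostname": nil(m["host"]),
            "log.syslog.appname": nil(m["app"]),
            "log.syslog.procid": nil(m["procid"]),
            "log.syslog.msgid": nil(m["msgid"]),
            "log.syslog.structured_data": parse_structured_data(m["sd"]),
            "message": m["msg"] or "",
        })
    else:
        m = RFC3164_RE.match(line)
        if not m:
            event["log.syslog.format"] = "unknown"  # keep the raw line, never drop it
            return event
        fmt = "rfc3164"
        stamp = " ".join(m["ts"].split())  # "Oct  5" -> "Oct 5"
        event.update({
            # Assumption: the switch clock is NTP-synced and set to UTC.
            "@timestamp": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
                                  .replace(tzinfo=timezone.utc).isoformat(),
            "host.hostname": m["host"],
            "log.syslog.appname": m["tag"],
            "log.syslog.procid": m["pid"],
            "message": m["msg"],
            "log.syslog.truncation_risk": raw_len >= RFC3164_MAX_LEN,
        })
    pri = int(m["pri"])
    facility, severity = pri >> 3, pri & 7
    event.update({
        "log.syslog.format": fmt,
        "log.syslog.priority": pri,
        "log.syslog.facility.code": facility,
        "log.syslog.facility.name": FACILITY[facility] if facility < len(FACILITY) else str(facility),
        "log.syslog.severity.code": severity,
        "log.syslog.severity.name": SEVERITY[severity],
    })
    return event


# Constructed sample lines (not captured from a real device): an RFC 5424 auth
# event with structured data, an RFC 3164 config-change event, and an RFC 3164
# line padded to exactly 1024 bytes so the truncation-risk flag trips.
SAMPLE_LINES = [
    '<85>1 2025-10-05T12:00:00.123Z leaf01 sshd 4211 - '
    '[auth@32473 user="admin" src="10.0.0.5"] Accepted publickey for admin from 10.0.0.5',
    '<29>Oct  5 12:00:01 leaf01 sonic-cfggen[1203]: Config change: Ethernet4 admin_status up',
    "<13>Oct  5 12:00:02 leaf01 app: " + "x" * (RFC3164_MAX_LEN - 32),
]

if __name__ == "__main__":
    for ev in map(normalize, SAMPLE_LINES):
        print(ev["log.syslog.format"], ev["log.syslog.facility.name"],
              ev["log.syslog.severity.name"], ev.get("host.hostname"),
              "TRUNCATION-RISK" if ev["log.syslog.truncation_risk"] else "")
```

The two format branches make the white paper's point concrete: an RFC 5424 line carries its own year, time zone and structured key/value data, so the SIEM can index `user` and `src` directly; an RFC 3164 line needs the collector to guess the year and zone (hence the time-synchronization requirement) and can lose its tail past 1024 bytes, so a pipeline should keep the truncation flag as a searchable field rather than silently accepting a clipped message.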

Yurii Lisovskyi