Hello Chris,
Sorry, I replied to your first message.
I did exactly what you are looking for, but using syslog-ng on the remote
sensor.
- You first need to configure Suricata to log to syslog (I think it is the
default behavior)
- You then need to configure syslog-ng to send a copy of the Suricata log to
the PacketFence management IP address
filter f_suricata { match('suricata:' value("MSGHDR")); };
destination d_suricata { tcp("PACKETFENCE_MANAGEMENT_IP"); };
log { source(s_syslog); filter(f_suricata); destination(d_suricata); };
- You need to allow TCP port 514 on the PacketFence firewall (editing the
/usr/local/pf/conf/iptables.conf file should be enough)
- Make rsyslog (running on the PacketFence server) listen for remote syslog
messages
Uncomment "$ModLoad imtcp" and "$InputTCPServerRun 514" in /etc/rsyslog.conf
- Make sure the alert pipe file exists (/usr/local/pf/var/alert)
mkfifo /usr/local/pf/var/alert
- Configure rsyslog to write the remote Suricata log into the alert pipe
:programname, isequal, "suricata" |/usr/local/pf/var/alert
- Configure trapping on PacketFence
trapping.detection = enabled
services.snort = disabled
services.suricata = disabled
- Remove the following check from pfcmd checkup
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/pfcmd/checkup.pm#L298
Comment lines 298 to 303
- Adapt the pfdetect regex.
https://github.com/inverse-inc/packetfence/blob/devel/sbin/pfdetect#L103
Comment lines 103 to 131
Add the following after 131
if ( $_ =~
    /^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+\[.+?\s+(.+?)\].+?\}\s+(.+?):.+?>\s(.+?):/
) {
    $date  = $1;    # syslog timestamp, e.g. "Oct 13 08:55:01"
    $sid   = $2;    # Suricata signature id (middle field of [gid:sid:rev])
    $descr = $3;    # signature message
    # $4 (the bracketed field following the message) is captured but not used
    $srcip = $5;    # source IP, port stripped
    $dstip = $6;    # destination IP, port stripped
} else {
    $logger->warn("unknown input: $_ ");
    next;
}
Restart both PacketFence and rsyslog
Let me know how it goes.
Cheers!
dw.
—
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
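As an added, stand-alone check that is not part of this thread or of PacketFence itself: the Python below applies the same regex as the pfdetect patch above to a few constructed Suricata-over-syslog lines, so a sensor's actual line format can be verified before pfdetect is restarted. The regex is copied from the reply; the sample lines and the parse_alert/parse_lines helpers are constructed here and are not real sensor data.

```python
import re

# Same regex as the pfdetect patch in the reply above; Perl and Python "re"
# agree on every construct used here (lazy quantifiers, \s, \d, escaped brackets).
ALERT_RE = re.compile(
    r"^(.+?\s\d+\s\d+:\d+:\d+)\s+.+?\[\d+:(\d+):\d+\]\s+(.+?)\s+\[.+?\s+(.+?)\]"
    r".+?\}\s+(.+?):.+?>\s(.+?):"
)

# Constructed sample lines shaped like rsyslog's rendering of Suricata's
# syslog alert output (fast.log style); they are not real sensor data.
SAMPLE_LINES = [
    "Oct 13 08:55:01 sensor1 suricata[2345]: [1:2100498:7] GPL ATTACK_RESPONSE "
    "id check returned root [Classification: Potentially Bad Traffic] "
    "[Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:51234",
    "Oct 13 08:55:03 sensor1 suricata[2345]: [1:2210021:2] SURICATA DNS malformed "
    "request data [Classification: Generic Protocol Command Decode] "
    "[Priority: 3] {UDP} 10.0.0.7:53412 -> 8.8.8.8:53",
    # Single-digit day: syslog pads with two spaces; the lazy ".+?" absorbs it.
    "Oct  5 23:59:59 sensor1 suricata[2345]: [1:9000001:1] CONSTRUCTED Example "
    "Outbound Request [Classification: Attempted Information Leak] "
    "[Priority: 2] {TCP} 10.0.0.9:44210 -> 93.184.216.34:80",
    # Non-alert engine message: pfdetect would warn "unknown input" and skip it.
    "Oct 13 08:55:05 sensor1 suricata[2345]: [Engine] Engine started",
]

def parse_alert(line):
    """Return the fields the pfdetect snippet extracts, or None if no match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return {
        "date": m.group(1),   # $1, syslog timestamp
        "sid": m.group(2),    # $2, the sid from [gid:sid:rev]
        "descr": m.group(3),  # $3, signature message
        "class": m.group(4),  # $4, captured by the regex but unused by the snippet
        "srcip": m.group(5),  # $5, source IP with the port stripped
        "dstip": m.group(6),  # $6, destination IP with the port stripped
    }

def parse_lines(lines):
    """Split lines into parsed alert records and raw lines pfdetect would reject."""
    parsed, unknown = [], []
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            unknown.append(line)
        else:
            parsed.append(rec)
    return parsed, unknown
```

Feed it the lines actually arriving in /usr/local/pf/var/alert; anything that lands in the "unknown" list is what pfdetect will drop with a warning.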
> On Oct 13, 2015, at 8:55 AM, Boley, Chris <[email protected]> wrote:
>
> I'm looking for the correct information to send syslog based alert data from
> a remote Suricata sensor to PacketFence.
> I'm unsure of how to make PacketFence know that it will be getting alerts via
> syslog.
> I've tried to find the appropriate documentation regarding this, however it
> seems a bit hard to locate.
> Can anyone point me in the correct direction?
>
> So far I think I would need to change suricata.yaml to reflect the following
> items (I'd be grateful for any advice there):
>
> # a line based alerts log similar to fast.log into syslog
> - syslog:
>     enabled: yes
>     identity: "suricata"
>     facility: local5
>     level: Alert
>
> # Define your logging outputs. If none are defined, or they are all
> # disabled you will get the default - console output.
> outputs:
>   - console:
>       enabled: no
>   - file:
>       enabled: yes
>       filename: /var/log/suricata.log
>   - syslog:
>       enabled: yes
>       facility: local5
>       format: "[%i] <%d> -- "
>
> I'm using vanilla syslogd on FreeBSD as my syslog on the sensor.
> I realize I will have to make some changes to its config to forward the
> alerts to the PacketFence server.
> I'm not even sure if the syslog format that will be input from Suricata to
> syslogd will be compatible.
> I might have to manipulate it with a template in the conf file.
>
>
> I'm happy to do the reading.
> I've googled and googled and found not much of any meaningful info where this
> topic is concerned.
> I was hoping someone might know of some useful documentation on how to
> manipulate PacketFence and get it to start acting on Suricata alerts...
>
>
> Chris Boley | Network Engineer | Cogentrix Energy Power Management, LLC
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users