Dear Sir,
Thank you for your explanation.
From what I understand, I can use SEC with a syslog server in this environment:
 1) Firewall/IDS using syslog (udp/514) forwards its logs to a remote syslog server 
(rsyslog), which outputs them to a text file. From this output file I can use SEC to 
read the output file as an input.
2) The same goes when I want to pass the output file from SEC to a remote syslog 
server. I need to configure rsyslog to take input from SEC.

My environment is like this: 
I have two syslog servers. One is collecting logs from the security devices at 
a remote site (branch site), and does some filtering or log standardization, 
before passing them to another syslog server (which I call the HQ syslog server, 
since it will receive from one or more syslog servers at branches). So, I want 
to use SEC at the branch site to do some filtering/correlating to avoid a 
bottleneck at the HQ syslog server. 

Thanks.

--- On Sun, 2/6/13, Risto Vaarandi <risto.vaara...@gmail.com> wrote:

From: Risto Vaarandi <risto.vaara...@gmail.com>
Subject: Re: [Simple-evcorr-users] Correlate Syslog logs using SEC
To: "termo meter" <termo_me...@yahoo.com>
Cc: simple-evcorr-users@lists.sourceforge.net
Date: Sunday, 2 June, 2013, 11:07 AM

If your question meant whether SEC can act as a syslog server and listen directly 
on port 514/udp or some other widely used syslog port, the answer is no, since 
it accepts input through files and pipes. There are several well-designed and 
efficient syslog servers around (in particular, rsyslog) which focus on fast 
message reception, and more importantly, it is trivial to connect SEC to any 
syslog server. Therefore, implementing a syslog server inside SEC would be like 
reinventing the wheel. For making a connection with a syslog server, configure it 
to write all relevant events to a file and specify this file to SEC as an input 
(using the --input option). Also, some people have configured SEC to be started 
by the syslog server, where the syslog server then feeds SEC through a pipe 
interface (for example, if you are running syslog-ng, you can use the program() 
destination driver for this).


If one of your questions meant whether SEC can act as a client to a remote 
syslog server, the answer is "it depends on the protocol". Since the 2.7.1 
version, you can employ 'udpsock' and 'tcpsock' actions to send custom data to 
tcp and udp remote peers. This allows for talking to remote BSD syslog servers 
with relatively little effort, because it is not very hard to write a 
formatting action for syslog data. However, talking to IETF syslog servers over 
TLS is trickier. 

There is a very simple workaround to this problem, though -- instead of talking 
directly to the remote server, you can pass data to the *local* syslog server which 
then handles all communication with any remote syslog servers. You can do it 
by employing external tools like logger, but also with SEC's own 'udgram' and 
'ustream' actions for making a more efficient direct connection to the UNIX 
socket of the local syslog server. Since you mentioned that you would like to 
store the output also in a file, you could do this with the 'write' action.


Hope this information helps. There are several ways of addressing the problems 
you have mentioned, and a lot depends on the more precise description of your 
environment and requirements.

kind regards,

risto




2013/6/2 termo meter <termo_me...@yahoo.com>

Hi All, 

I'm new to SEC and I want to ask a few questions.

I have set up a syslog server to collect/receive logs from security devices 
such as firewalls and IDS. The logs are in text-file format. My question is, how 
I can use SEC as a correlation engine. 
1) Can SEC receive input directly from the security devices using syslog format?

2) Can I have the output result in a text file? 
3) Can I forward the output result to another syslog server?

Thanks.
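The pieces Risto describes (SEC reading a file that rsyslog writes, the 'write' action for a local output file, and the 'udgram' action for handing results back to the local syslog daemon's UNIX socket) fit together in a single rule file for the branch-site setup described at the top of the thread. The following is an added example, not code from the thread or from the SEC project; it assumes that rsyslog writes firewall and IDS messages to /var/log/firewall.log and /var/log/ids.log, that the local syslog socket is /dev/log, and that the log lines look like the constructed samples in the comments. The rule names, file paths and regular expressions are illustrative assumptions.

```conf
# Added example: SEC rule file for a branch-site correlator.
# Assumptions (not from the thread): rsyslog writes firewall denies to
# /var/log/firewall.log and IDS alerts to /var/log/ids.log; the local syslog
# UNIX socket is /dev/log; the constructed sample lines below show the
# message format these patterns expect.
#
# Constructed sample firewall line:
#   Jun  2 11:07:01 fw-branch1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=22
# Constructed sample IDS line:
#   Jun  2 11:07:05 ids-branch1 snort[4242]: [**] [1:2000:1] SSH brute force attempt [**] [Priority: 2] {TCP} 198.51.100.7:51000 -> 10.0.0.5:22

# Rule 1: collapse bursts of firewall denies from one source address into a
# single summary. The desc contains $1..$3, so SEC keeps a separate counter
# per (firewall host, source address, destination port). Only when 10 denies
# arrive within 60 seconds does SEC emit one line: 'write' appends it to a
# local file, and 'udgram' hands the same line to the local syslog daemon
# (priority <13> = user.notice), which forwards it to HQ. The HQ server thus
# receives one summary instead of every denied packet.
type=SingleWithThreshold
ptype=RegExp
pattern=^\S+\s+\d+ \d\d:\d\d:\d\d (\S+) kernel: DENY .*SRC=(\d+\.\d+\.\d+\.\d+) .*DPT=(\d+)
desc=Repeated firewall denies on $1 from $2 to port $3
action=write /var/log/sec/branch-summary.log %s (10 or more within 60s); \
       udgram /dev/log <13>sec: %s (10 or more within 60s)
window=60
thresh=10

# Rule 2: IDS alerts are forwarded one-for-one, but normalized to a fixed
# prefix ("sec:") so that HQ can filter on the program name rather than on
# each sensor's native format. Priority <12> = user.warning.
type=Single
ptype=RegExp
pattern=^\S+\s+\d+ \d\d:\d\d:\d\d (\S+) snort\[\d+\]: \[\*\*\] \[[\d:]+\] (.+?) \[\*\*\]
desc=IDS alert on $1: $2
action=write /var/log/sec/branch-summary.log %s; \
       udgram /dev/log <12>sec: %s

# Anything that matches neither rule is simply not forwarded, which is the
# filtering effect the branch site wants.
```

With this file saved as /etc/sec/branch.sec (assumed path), the branch correlator would be started with the input files Risto mentions, for example `sec --conf=/etc/sec/branch.sec --input=/var/log/firewall.log --input=/var/log/ids.log --detach`. On the rsyslog side, the branch server only needs a forwarding rule for messages whose program name is "sec", such as `if $programname == 'sec' then @@hq-syslog.example.com:514` (assumed HQ hostname; `@@` selects TCP transport), so that the raw device logs stay at the branch and only the correlated output reaches HQ.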



------------------------------------------------------------------------------


Get 100% visibility into Java/.NET code with AppDynamics Lite

It's a free troubleshooting tool designed for production

Get down to code-level detail for bottlenecks, with <2% overhead.

Download for free and get started troubleshooting in minutes.

http://p.sf.net/sfu/appdyn_d2d_ap2
_______________________________________________

Simple-evcorr-users mailing list

Simple-evcorr-users@lists.sourceforge.net

https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users