hi,
since you are using rsyslog, let me provide a few configuration examples of
how to pass data to SEC and get it back. Suppose that you have configured all
your network devices to send their events with the local1 facility.
Receiving such events over the BSD syslog protocol and writing them to a
separate file for SEC can be done with

$ModLoad imudp
$UDPServerRun 514
local1.* /var/log/secinput.log

For feeding data back to rsyslog, first determine the proper facility and
severity level for messages. Suppose you want to produce syslog messages
from SEC with the facility 'daemon' (code 3) and severity level 'info'
(code 6). You have to encode facility and severity into the priority value
which is calculated as 8*facility+severity. In the case of the above
example, this yields 8*3+6=30. In order to communicate with the local
rsyslog server through the /dev/log socket, you have to write a message
with the following structure to /dev/log:

<priority>timestamp programname: messagetext

However, if the timestamp is missing, rsyslog is able to create it for
you. The following SEC rule provides a simple example of how to count "this
is a test" messages and send an event to the local rsyslog server if three
such events are seen in 60 seconds:

type=singlewiththreshold
ptype=substr
pattern=this is a test
desc=Three tests observed within 1 minute
action=udgram /dev/log <30>sec: %s
thresh=3
window=60

The above example assumes the /dev/log socket is operated in datagram mode
which is normally the case.
Since the program name is set to "sec" for all messages that the 'udgram'
action creates, you can have a filtering rule in the rsyslog configuration to
send these events further to a central syslog server:

if $programname == 'sec' then @192.168.1.1

If you also want to save a copy of all SEC messages to a local disk, you
can do it from rsyslog with a similar statement (using the file destination
instead of a remote server).
Finally, note that I've briefly tested all the examples on Ubuntu 12.04
with rsyslog 5.8.6. If you are operating a different platform with more
recent (or older) rsyslog, you might have to change some rsyslog
configuration statements (I'd recommend posting to the rsyslog mailing list
to get detailed information from experienced users).
kind regards,
risto
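The priority encoding, the /dev/log message format and the threshold rule described in the message above, as an added example that is not from the mailing list post, from SEC or from rsyslog. It computes PRI = 8*facility + severity, builds and parses the '<PRI>programname: text' line, emulates the singlewiththreshold rule (3 "this is a test" events within 60 s) with a sliding window, and sends the result to the local syslog socket the way the 'udgram' action does. All function and class names are hypothetical, the sample event list is constructed, and the sliding-window and post-trigger behaviour of SingleWithThreshold is my reading of the SEC rule semantics, not SEC's own code.

```python
"""Added example (not from the mailing-list post, SEC or rsyslog):
syslog priority encoding, BSD syslog line building/parsing for /dev/log,
and a sliding-window emulation of SEC's singlewiththreshold rule."""
import re
import socket
from collections import deque

# Facility and severity codes as defined in RFC 3164, section 4.1.1
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}


def priority(facility, severity):
    """PRI = 8*facility + severity; daemon/info gives 30 as in the post."""
    return 8 * FACILITIES[facility] + SEVERITIES[severity]


def decode_priority(pri):
    """Inverse of priority(): 30 -> ('daemon', 'info')."""
    fac = {v: k for k, v in FACILITIES.items()}[pri // 8]
    sev = {v: k for k, v in SEVERITIES.items()}[pri % 8]
    return fac, sev


def build_message(facility, severity, program, text):
    """'<30>sec: text' with no timestamp; rsyslog adds one on reception."""
    return "<%d>%s: %s" % (priority(facility, severity), program, text)


# <PRI>, optional BSD timestamp ("Jun  3 11:07:00"), program name, text
_LINE_RE = re.compile(
    r"^<(\d{1,3})>(?:(\w{3} [ \d]\d \d\d:\d\d:\d\d) )?([^\s:]+): (.*)$")


def parse_message(line):
    """Split a '<PRI>[timestamp ]program: text' line into its fields, or None."""
    m = _LINE_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 23*8+7 is the largest valid PRI
        return None
    pri, ts, program, text = m.groups()
    fac, sev = decode_priority(int(pri))
    return {"facility": fac, "severity": sev, "timestamp": ts,
            "program": program, "text": text}


class SingleWithThreshold:
    """Hypothetical emulation of SEC's singlewiththreshold (substr match):
    fire once when `thresh` matching events fall inside a sliding `window`
    of seconds, then ignore further matches until that window has elapsed."""

    def __init__(self, pattern, thresh, window, desc):
        self.pattern, self.thresh, self.window, self.desc = pattern, thresh, window, desc
        self.times = deque()   # timestamps of matches in the current window
        self.fired_at = None   # start of the window in which we last fired

    def feed(self, line, now):
        """Return the alert text when the threshold is reached, else None."""
        if self.pattern not in line:
            return None
        if self.fired_at is not None:
            if now - self.fired_at < self.window:
                return None        # already fired in this window, ignore
            self.fired_at = None   # window over, a new operation may start
            self.times.clear()
        self.times.append(now)
        while now - self.times[0] >= self.window:   # slide the window
            self.times.popleft()
        if len(self.times) >= self.thresh:
            self.fired_at = self.times[0]
            self.times.clear()
            return self.desc
        return None


def correlate(events, rule):
    """Feed (seconds, line) pairs through a rule; return the syslog lines to emit."""
    out = []
    for t, line in events:
        alert = rule.feed(line, t)
        if alert:
            out.append(build_message("daemon", "info", "sec", alert))
    return out


def send_to_local_syslog(message, path="/dev/log"):
    """Equivalent of SEC's 'udgram /dev/log' action: one datagram per message."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.sendto(message.encode(), path)
    finally:
        s.close()


# Constructed sample input: (seconds since start, log line)
SAMPLE_EVENTS = [(0, "this is a test"), (10, "unrelated line"),
                 (20, "this is a test"), (30, "this is a test"),
                 (40, "this is a test"), (100, "this is a test"),
                 (110, "this is a test"), (120, "this is a test")]

if __name__ == "__main__":
    rule = SingleWithThreshold("this is a test", 3, 60,
                               "Three tests observed within 1 minute")
    for msg in correlate(SAMPLE_EVENTS, rule):
        print(msg, parse_message(msg))
        try:
            send_to_local_syslog(msg)   # needs a local syslog daemon on /dev/log
        except OSError as e:
            print("not delivered:", e)
```

With the sample events the rule fires at t=30 and again at t=120; the match at t=40 is swallowed because the first operation's window has not ended, and the sliding window means three matches spread over more than 60 seconds never trigger. Each emitted line is exactly what 'udgram /dev/log <30>sec: %s' would write, so the '$programname == 'sec'' filter in rsyslog applies to it unchanged.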
2013/6/3 termo meter <termo_me...@yahoo.com>
> Dear Sir,
> Thank you for your explanation.
> From what I understand, I can use sec with a syslog server in this
> environment:
> 1) Firewall/IDS using syslog (udp514) forward its logs to remote syslog
> server (rsyslog) and output it in a text file. From this output file I can
> use SEC to read from the output file as an input.
> 2) Same goes when i want to pass the output file from SEC to remote syslog
> server. I need to configure the rsyslog to take input from the SEC.
>
> My environment is like this,
> I have two syslog servers. One is collecting logs from the security devices
> at a remote site (branch site), and does some filtering or log
> standardization, before passing it to another syslog server (which I call
> the HQ syslog server, since it will receive from one or more syslog servers
> at branches). So, I want to use SEC at the branch site to do some
> filtering/correlating to avoid a bottleneck at the HQ syslog server.
>
> Thanks.
>
> --- On *Sun, 2/6/13, Risto Vaarandi <risto.vaara...@gmail.com>* wrote:
>
> From: Risto Vaarandi <risto.vaara...@gmail.com>
> Subject: Re: [Simple-evcorr-users] Correlate Syslog logs using SEC
> To: "termo meter" <termo_me...@yahoo.com>
> Cc: simple-evcorr-users@lists.sourceforge.net
> Date: Sunday, 2 June, 2013, 11:07 AM
>
> If your question meant whether SEC can act as a syslog server and listen
> directly on port 514/udp or some other widely used syslog port, the answer
> is no, since it accepts input through files and pipes. There are several
> well-designed and efficient syslog servers around (in particular, rsyslog)
> which focus on fast message reception, and more importantly, it is trivial
> to connect SEC to any syslog server. Therefore, implementing a syslog
> server inside SEC would be like reinventing the wheel. For making a
> connection with the syslog server, configure it to write all relevant events to
> a file and specify this file to SEC as an input (using the --input option).
> Also, some people have configured SEC to be started by the syslog server,
> where syslog server then feeds SEC through a pipe interface (for example,
> if you are running syslog-ng, you can use the program() destination driver
> for this).
>
> If one of your questions meant whether SEC can act as a client to a remote
> syslog server, the answer is "it depends on the protocol". Since the 2.7.1
> version, you can employ 'udpsock' and 'tcpsock' actions to send custom data
> to tcp and udp remote peers. This allows for talking to remote BSD syslog
> servers with relatively little effort, because it is not very hard to write
> a formatting action for syslog data. However, talking to IETF syslog
> servers over TLS is trickier.
> There is a very simple workaround to this problem, though -- instead of
> talking directly to remote server, you can pass data to the *local* syslog
> server which then handles all communication with any remote syslog servers.
> You can do it with employing external tools like logger, but also with
> SEC's own 'udgram' and 'ustream' actions for making a more efficient direct
> connection to the UNIX socket of the local syslog server. Since you
> mentioned that you would like to store the output also in a file, you could
> do this with the 'write' action.
>
> Hope this information helps. There are several ways of addressing the
> problems you have mentioned, and a lot depends on the more precise
> description of your environment and requirements.
>
> kind regards,
> risto
>
> 2013/6/2 termo meter <termo_me...@yahoo.com>
>
> Hi All,
>
> I'm new to SEC and I want to ask a few questions.
> I have set up a syslog server to collect/receive logs from security
> devices such as firewalls and IDS. The logs are in text file format. My question
> is, how can I use SEC as a correlation engine?
> 1) Can SEC receive input directly from the security devices using syslog
> format?
> 2) Can I have the output result in a text file?
> 3) Can I forward the output result to another syslog server?
>
> Thanks.
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users