Hello Farrukh,

Our team was able to report simple Dionaea alerts to Metron using syslog v8 (not encrypted).



The source code for our project is here:

https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/


More specifically... syslog config files for our honeypots are here:

https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/tree/master/SampleLogFiles/configForHP-notEnc



More specifically... syslog config files for the Metron server are here:

https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/tree/master/SampleLogFiles/configForServer-notEnc



GROK parser pattern used:

https://raw.githubusercontent.com/LTW-GCR-CSOC/csoc-installation-scripts/master/images/Dionaea-ManagementUI.png



https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/blob/master/SampleLogFiles/README.md





NiFi setup in Metron Server:

https://raw.githubusercontent.com/LTW-GCR-CSOC/csoc-installation-scripts/master/images/nifiDionaeaKafka.png





Hope it helps.


-Ahmed
_______________________________________________________________
Ahmed Shah (PMP, M. Eng.)
Cybersecurity Analyst & Developer
GCR - Cybersecurity Operations Center
Carleton University - cugcr.com<https://cugcr.com/tiki/lce/index.php>


________________________________
From: Simon Elliston Ball <[email protected]>
Sent: October 25, 2017 3:47 AM
To: [email protected]
Subject: Re: SysLog Parser in Metron

Short answer: grok parsers.

Longer answer: syslog is more of a transport than a log format, so it 
encapsulates a wide variety of data sources. Your best bet is probably to use 
NiFi to listen for syslog from a remote host (ListenSyslog) and then route each 
application in the syslog to a different Kafka topic. That way you have Kafka 
topics for each type of data you care about, e.g. sshd, login, cups... whatever. 
From there it's easiest to use a grok parser in Metron to pull out the fields. 
There are many prebuilt patterns for the common services around on the web.

Simon

> On 25 Oct 2017, at 05:55, Farrukh Naveed Anjum <[email protected]> 
> wrote:
>
> Hi,
>
> How can I get syslog into Metron? Any help (pattern / parser)? Kindly help.
>
> --
> With Regards
> Farrukh Naveed Anjum
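The pipeline Simon describes (listen for syslog, route each application to its own Kafka topic, then run a grok pattern per topic) and the honeypot-to-Metron path Ahmed set up, condensed into one stand-alone Python script as an added example. This is not code from either poster, from Metron, from NiFi, or from the linked CSOC repository. The grok pattern names (SYSLOGTIMESTAMP, HOSTNAME, IP, INT, USER, DATA, GREEDYDATA) are re-implemented here as plain Python regexes, a simplification of the real grok library; the sample syslog lines, the "syslog-<app>" topic naming and the sshd/sudo patterns are constructed for illustration. The Dionaea pattern Ahmed used lives in the linked README and is not reproduced here.

```python
import json
import re
from collections import defaultdict

# Minimal grok base patterns, re-implemented as Python regexes (assumption:
# these approximate the standard grok names; they are not the grok library).
BASE_PATTERNS = {
    "INT": r"[+-]?\d+",
    "USER": r"[a-zA-Z0-9._-]+",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "HOSTNAME": r"[a-zA-Z0-9._-]+",
    "PROG": r"[\w._/%-]+",
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}",
}
BASE_PATTERNS["IP"] = BASE_PATTERNS["IPV4"]

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_expand(pattern):
    """Expand %{NAME:field} references into a regex string with named groups."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        sub = grok_expand(BASE_PATTERNS[name])
        return f"(?P<{field}>{sub})" if field else f"(?:{sub})"
    return GROK_REF.sub(repl, pattern)


def grok_compile(pattern):
    return re.compile(grok_expand(pattern))


# RFC 3164 style header: <PRI>Mon DD HH:MM:SS host app[pid]: message
SYSLOG_LINE = grok_compile(
    r"^(?:<%{INT:pri}>)?%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} "
    r"%{PROG:app}(?:\[%{INT:pid}\])?: %{GREEDYDATA:message}$"
)

# Per-application patterns, one list per topic (constructed for this example).
TOPIC_PATTERNS = {
    "sshd": [
        r"^Failed password for (?:invalid user )?%{USER:user} from "
        r"%{IP:ip_src_addr} port %{INT:ip_src_port} ssh2$",
        r"^Accepted publickey for %{USER:user} from "
        r"%{IP:ip_src_addr} port %{INT:ip_src_port} ssh2",
    ],
    "sudo": [
        r"^\s*%{USER:user} : TTY=%{DATA:tty} ; PWD=%{DATA:pwd} ; "
        r"USER=%{USER:target_user} ; COMMAND=%{GREEDYDATA:command}$",
    ],
}
COMPILED = {app: [grok_compile(p) for p in pats] for app, pats in TOPIC_PATTERNS.items()}


def parse_syslog_line(line):
    """Split the syslog header off; returns None if the line is not syslog at all."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["pri"] is not None:
        pri = int(rec["pri"])
        rec["facility"], rec["severity"] = pri >> 3, pri & 7
    return rec


def route_to_topics(lines, prefix="syslog-"):
    """Stand-in for NiFi ListenSyslog + RouteOnAttribute: one topic per app name."""
    topics, dropped = defaultdict(list), []
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            dropped.append(line)
            continue
        topics[prefix + rec["app"]].append(rec)
    return dict(topics), dropped


def grok_parse(app, rec):
    """Apply the first matching pattern for this app to the message body.
    Unmatched messages are kept and flagged, not dropped: on a honeypot an
    unknown event is still evidence."""
    out = dict(rec)
    for pat in COMPILED.get(app, []):
        m = pat.match(rec["message"])
        if m:
            out.update(m.groupdict())
            out["parsed"] = True
            return out
    out["parsed"] = False
    return out


def run_pipeline(lines, prefix="syslog-"):
    topics, dropped = route_to_topics(lines, prefix)
    return {t: [grok_parse(t[len(prefix):], r) for r in recs]
            for t, recs in topics.items()}, dropped


# Constructed sample input (not real honeypot output).
SAMPLE_LINES = [
    "<38>Oct 25 03:47:01 honeypot01 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "<86>Oct 25 03:47:05 honeypot01 sudo:    ahmed : TTY=pts/0 ; PWD=/home/ahmed ; USER=root ; COMMAND=/bin/systemctl restart rsyslog",
    "<30>Oct 25 03:47:09 honeypot01 cups[3321]: no pattern defined for this program",
    "<38>Oct 25 03:47:12 honeypot01 sshd[1240]: Accepted publickey for ahmed from 198.51.100.4 port 40022 ssh2",
    "not a syslog line at all",
]

if __name__ == "__main__":
    parsed, dropped = run_pipeline(SAMPLE_LINES)
    print(json.dumps(parsed, indent=2))
    print("dropped:", dropped)
```

In Metron the per-topic step is a sensor parser config using the GrokParser with a grok pattern file and pattern label; the script shows why routing by application first matters: each topic then only needs the patterns for one program, PRI decodes to facility and severity for free, and lines that match no pattern are flagged rather than silently lost.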
