
Forward Logs from CentOS rSyslog server to OSSIM?

dustin.davis

New Life Form
I could absolutely be approaching this the wrong way.

I have a syslog server that is receiving syslog data from other devices on the network. I need to forward these logs to OSSIM for inspection. I have the forwarding set up correctly on the syslog server side; I can verify this by watching a tcpdump from the syslog server, where I see 514/UDP being transmitted to OSSIM, and a tcpdump from OSSIM sees the same.

My question is probably simply scoped like this: do I need to add a plugin at the asset level for this to work? There's no "Vendor" for "CentOS", but there IS one for "Red Hat", and there's also one for "Linux" and "syslog". The logs that will be forwarded from this server include firewall logs, critical server logs, etc. So there are many different logs to be parsed.

I added the "Syslog" plugin just for testing, but it says "Receiving Data: No". Any help would be great. Thanks!


Answers

  • UPDATE:

    I got syslog working reliably, but a new question has arisen.

    Essentially, I'm seeing that ALL logs are being forwarded successfully to the OSSIM server. I can jailbreak and grep through the file containing all of this forwarded data and verify it. But OSSIM isn't showing that these applications are "Receiving Data".

    I'm seeing syslog events come through with the source being the actual source of the syslog entry (the device that actually sent the initial syslog to syslog.contoso.local). How do I get OSSIM to parse these events as the correct type?
  • dustin.davis,

    You have two problems with your configuration.

    First, you need the syslog server to do a blind relay. If the syslog server rewrites the syslog line to include its own hostname or address, the log will be attributed to the syslog server itself and not the original asset. Once that is resolved, attribution and correlation will work correctly.

    Second, you will need to enable the correct plugins for the log types you are reviewing. The syslog plugin is for the syslog service itself, not all syslog messages. See the link below for information on plugin management:

  • Thanks for your reply, kcoe.


    First, you need the syslog server to do a blind relay.

    My current setup:

    syslog.contoso.local - /etc/rsyslog.conf contains this line:

    *.* @192.168.1.100:514

    whereas the IP address 192.168.1.100 is ossim.contoso.local - ossim.contoso.local is accepting syslog over UDP. Is this not a blind relay? Does this need to be done in RainerScript, not old-school syslog?

    second, you will need to enable to correct plugins for the log types you are reviewing

    So I need to enable plugins for each asset that is sending logs. syslog.contoso.local will have the syslog plugin, but as logs come in and AlienVault sees a new asset from those addresses in the blind-forwarded logs, add the plugins there?
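The thread turns on one observable fact: the HOSTNAME field inside each forwarded line. kcoe's point is that if the relay writes its own name there, OSSIM attributes the event to the relay; and the "Receiving Data" question depends on which program tags actually arrive per host. The script below is an added example (not from this thread, and not AlienVault or rsyslog code) that reads the forwarded file dustin.davis mentions grepping on the OSSIM side and reports, per HOSTNAME and per (HOSTNAME, TAG) pair, how many events arrived and which of them carry the relay's own name. The relay name `syslog.contoso.local` is taken from the thread; the sample log lines, device names and addresses are constructed for the example.

```python
import re
import sys
from collections import Counter

# Constructed sample of the forwarded data as it would appear in the file on
# the OSSIM side (hosts, addresses and timestamps are made up for this example).
SAMPLE_LINES = """\
<134>Mar  4 10:15:01 fw-edge-01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20
<86>Mar  4 10:15:02 app-db-01 sshd[2231]: Accepted publickey for admin from 192.168.1.55 port 51022 ssh2
<13>Mar  4 10:15:03 syslog.contoso.local kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.20
<85>Mar  4 10:15:04 syslog.contoso.local sshd[9921]: Failed password for root from 198.51.100.9 port 4022 ssh2
this line is not a syslog message at all
"""

# Name(s) the relay itself would put into the HOSTNAME field (from the thread;
# the short form is an assumption in case the relay logs its unqualified name).
RELAY_HOSTS = {"syslog.contoso.local", "syslog"}

# Standard syslog facility codes, index = PRI >> 3.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# RFC 3164-style header: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:"
    r"(?P<msg>.*)$"
)


def parse_line(line):
    """Split one RFC 3164 line into its fields; return None if it is not one."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    fac = pri >> 3
    return {
        "facility": FACILITIES[fac] if fac < len(FACILITIES) else str(fac),
        "severity": pri & 7,
        "timestamp": m.group("ts"),
        "host": m.group("host"),   # what the SIEM will attribute the event to
        "tag": m.group("tag"),     # program name, the usual plugin selector
        "pid": m.group("pid"),
        "msg": m.group("msg").strip(),
    }


def attribution_report(lines, relay_hosts=RELAY_HOSTS):
    """Count events per HOSTNAME and per (HOSTNAME, TAG), and collect the ones
    that carry the relay's own name: those would be attributed to the relay,
    not to the device that originally emitted them."""
    report = {
        "parsed": 0,
        "unparsed": 0,
        "per_host": Counter(),
        "per_host_tag": Counter(),
        "relay_attributed": [],
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        report["parsed"] += 1
        report["per_host"][rec["host"]] += 1
        report["per_host_tag"][(rec["host"], rec["tag"])] += 1
        if rec["host"] in relay_hosts:
            report["relay_attributed"].append(rec)
    return report


def print_report(report):
    print(f"parsed={report['parsed']} unparsed={report['unparsed']}")
    for (host, tag), n in sorted(report["per_host_tag"].items()):
        print(f"  {host:24s} {tag:10s} {n}")
    for rec in report["relay_attributed"]:
        print(f"RELAY-ATTRIBUTED: {rec['timestamp']} {rec['tag']} "
              f"({rec['facility']}) {rec['msg'][:50]}")


if __name__ == "__main__":
    # Pass the path of the forwarded-log file on the OSSIM side; with no
    # argument the constructed sample above is used.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES.splitlines()
    print_report(attribution_report(source))
```

Lines that show the original device in the HOSTNAME field (here `fw-edge-01`, `app-db-01`) are what a blind relay should produce; lines carrying `syslog.contoso.local` are either the relay's own service messages (the `sshd` line is plausible) or forwarded messages whose hostname was rewritten (a `kernel` firewall DROP with the relay's name is the case kcoe warns about). The per-(host, tag) table is also a quick inventory of which program types arrive from each asset, which is what decides which plugins to enable per asset.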