
Research and test Syslog forwarding

Open NVivero opened this issue 9 months ago • 2 comments

Related to this discussion post: https://github.com/cisagov/LME/discussions/553#discussioncomment-12751373

NVivero avatar Apr 08 '25 13:04 NVivero

I have successfully tested this using Elastic Agent with the following:

Setting up Syslog Forwarding to LME with Elastic Agent TCP Integration

Here's a clear step-by-step summary of the process we followed to set up syslog monitoring in LME:

1. Configure the TCP Integration in Kibana

  • Logged into Kibana on the LME server
  • Went to Fleet → Agent policies → Fleet Server Policy
  • Clicked Add integration and added the "Custom TCP Logs" integration
  • Configured settings:
  • Listen Address: 0.0.0.0
  • Listen Port: 5140 (Wazuh is already taking 514, so I used this for now.)
  • Dataset Name: tcp.syslog
  • Enabled Syslog Parsing
  • Enabled Preserve Original Event
  • Added appropriate tags (e.g., "syslog")

2. Updated the Container Configuration

  • Modified the LME Fleet Server quadlet to expose the syslog port:

sudo nano /etc/containers/systemd/lme-fleet-server.container

  • Added port 5140 to PublishPort directive:

PublishPort=8220:8220,5140:5140

  • Reloaded systemd and restarted the container:

sudo systemctl daemon-reload
sudo systemctl restart lme-fleet-server.service

  • Verified the port was listening:

sudo ss -tulpn | grep 5140

3. Configured Rsyslog to Forward Logs

  • Created a custom rsyslog configuration:

sudo nano /etc/rsyslog.d/60-forward-tcp.conf

  • Added forwarding directive:

*.* @@lme-server-ip:5140

  • lme-server-ip would be the IP address of your LME server. Ensure you can reach it from the device.

  • Restarted rsyslog:

sudo systemctl restart rsyslog

4. Generated Test Events

  • Created real system events to test the setup:

ssh nonexistentuser@localhost

5. Verified in Kibana

  • Generated fake SSH failures using ssh nonexistentuser@localhost on the endpoint
  • In Kibana, went to Analytics → Discover
  • Clicked the data view "logs-*"
  • Searched for SSH-related entries using message:("Failed password" OR "invalid user" OR "authentication failure") in the search box
  • Confirmed the failed login attempts were captured

This may be the part you're missing: dashboards will need to be created to visualize the data.

6. Created Visualizations

  • Built a metric visualization for failed login attempts
  • Used search query: message:("Failed password" OR "invalid user" OR "authentication failure")
  • Added the visualization to the dashboard

aarz-snl avatar Apr 15 '25 17:04 aarz-snl
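As an added illustration of the pipeline in the comment above (not code from the LME project or from the commenter), the following Python script runs the whole chain on the loopback interface: a TCP listener standing in for the Elastic Agent "Custom TCP Logs" input, a sender that frames records the way rsyslog's `*.* @@host:5140` action does (one RFC 3164-style line per newline), a parser that pulls out the fields the integration's syslog parsing produces (facility, severity, host, process, message), and a filter equivalent to the Kibana query message:("Failed password" OR "invalid user" OR "authentication failure"). The sshd, systemd and cron lines are constructed samples, the host name `endpoint01` is made up, and the port is ephemeral so the script needs no LME server to run.

```python
"""Loopback simulation of rsyslog -> Elastic Agent TCP input -> failed-login query.

Constructed example; the listener mimics the Custom TCP Logs input, the sender
mimics rsyslog's @@host:port (TCP, newline-framed) forwarding.
"""
import re
import socket
import threading
from datetime import datetime

# Constructed sample messages shaped like entries from /var/log/auth.log and syslog.
SAMPLE_MESSAGES = [
    ("sshd[2311]", "Failed password for invalid user nonexistentuser from 127.0.0.1 port 50322 ssh2"),
    ("sshd[2311]", "Invalid user nonexistentuser from 127.0.0.1 port 50322"),
    ("sshd[2311]", "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh rhost=127.0.0.1"),
    ("systemd[1]", "Started Session 42 of user alice."),
    ("CRON[2400]", "(root) CMD (run-parts /etc/cron.hourly)"),
]

AUTHPRIV_FACILITY = 10  # rsyslog files sshd/PAM messages under authpriv
INFO_SEVERITY = 6

# RFC 3164 line as rsyslog's default forwarding template writes it:
#   <PRI>Mmm dd HH:MM:SS hostname tag: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)

# Phrases from the Kibana query; KQL matching on the analysed message field is
# case-insensitive, so compare in lower case.
FAILED_LOGIN_PHRASES = ("failed password", "invalid user", "authentication failure")


def build_syslog_line(hostname, tag, msg, facility=AUTHPRIV_FACILITY, severity=INFO_SEVERITY, ts=None):
    """Encode one record the way rsyslog puts it on the wire (PRI = facility*8 + severity)."""
    ts = ts or datetime(2025, 4, 8, 13, 4, 0)  # fixed timestamp so output is reproducible
    timestamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"  # day is space-padded per RFC 3164
    return f"<{facility * 8 + severity}>{timestamp} {hostname} {tag}: {msg}"


def parse_syslog_line(line):
    """Split a received line into the fields the syslog parser exposes; None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "host": m["host"],
            "process": m["tag"], "message": m["msg"], "original": line}


def is_failed_login(event):
    """Equivalent of message:("Failed password" OR "invalid user" OR "authentication failure")."""
    text = event["message"].lower()
    return any(phrase in text for phrase in FAILED_LOGIN_PHRASES)


def _collect(listener, expected, results):
    """Accept one connection and split the stream on newlines, like the TCP input does."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while len(results) < expected:
            chunk = conn.recv(4096)
            if not chunk:  # sender closed; flush nothing further
                break
            buf += chunk
            while b"\n" in buf:
                record, buf = buf.split(b"\n", 1)
                results.append(record.decode("utf-8", "replace"))


def forward_and_collect(lines, host="127.0.0.1"):
    """Send lines over TCP as rsyslog's @@ action would and return what the listener received."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))  # ephemeral port; the real setup publishes 5140
    listener.listen(1)
    port = listener.getsockname()[1]
    received = []
    worker = threading.Thread(target=_collect, args=(listener, len(lines), received), daemon=True)
    worker.start()
    with socket.create_connection((host, port)) as client:
        for line in lines:
            client.sendall(line.encode("utf-8") + b"\n")  # newline framing
    worker.join(timeout=5)
    listener.close()
    return received


def simulate_pipeline(samples=SAMPLE_MESSAGES, hostname="endpoint01"):
    """Run build -> forward -> parse -> query and return counts plus parsed events."""
    wire = [build_syslog_line(hostname, tag, msg) for tag, msg in samples]
    received = forward_and_collect(wire)
    events = [e for e in map(parse_syslog_line, received) if e]
    failed = [e for e in events if is_failed_login(e)]
    return {"sent": len(wire), "received": len(received), "parsed": len(events),
            "failed_logins": len(failed), "events": events}


if __name__ == "__main__":
    result = simulate_pipeline()
    print(f"sent={result['sent']} received={result['received']} "
          f"parsed={result['parsed']} failed_logins={result['failed_logins']}")
    for event in result["events"]:
        flag = "MATCH" if is_failed_login(event) else "     "
        print(flag, event["process"], event["message"])
```

Two details worth checking against a real deployment: the Custom TCP Logs input splits records on newlines, so a forwarder that uses octet-counting framing (RFC 6587) would arrive as one run-together record, and the three phrases above only cover OpenSSH/PAM wording, so syslog from other device classes (the Palo Alto and Fortigate case mentioned below) needs its own matching terms.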

wazuh-manager can receive syslog, which would allow its existing decoders, rules and enrichment to be applied. This would be more useful for syslog data using custom fields, such as Palo Alto and Fortigate.

molenear avatar Jul 29 '25 20:07 molenear