syslog
Hi, is there a way to send the threat logs also to syslog (SIEM)?
Currently not, but I would like to know the syslog format you (or other users) would like to have supported.
CEF (Common Event Format) would be best. It is one of the more common standards and is supported by almost all SIEMs and log aggregation tools, including Splunk, ArcSight, LogRhythm and IBM QRadar.
http://www.iwebdev.it/blog/?tag=common-event-format https://www.protect724.hpe.com/docs/DOC-1072
Agree with xECK29x.
By the way, is there a newsletter or something like that? How are we informed about new versions or new features?
We would appreciate having it as a Splunk app.
@xECK29x so, something like this would suffice?
Mar 16 16:43:10 sensor1 CEF:0|maltrail|sensor|0.10.115|2016-05-10|known attacker|10|src=10.0.0.192 spt=1234 dst=12.121.122.82 dpt=4123 proto=TCP
@stamparm That looks great!
That's great, with a nice dashboard.
The basic implementation is done. Now you'll find the following NEW option inside maltrail.conf:
# Remote address to send syslog entries
#SYSLOG_SERVER 192.168.2.107:514
Just uncomment it (SYSLOG_SERVER) and write your own SYSLOG server address:port.
The current known limitation is that Severity is set to 0, as the severity column inside Maltrail's web client is calculated there (JS logic). If there is a need to transfer that same "logic", I'll do it here too.
Also, I am not sure whether trail and reference columns are also needed inside the SYSLOG message.
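As an added example (not part of this thread and not Maltrail's own code), the following builds CEF 0 messages in the shape of the sample line posted above, wraps them in an RFC 3164 syslog frame and ships them over UDP to an `address:port` target like the `SYSLOG_SERVER` setting, with a collector-side parser for the round trip. The header and extension escaping follows the CEF specification (`\|` and `\\` in the header, `\=`, `\\`, `\n`, `\r` in the extension); the syslog PRI (local0 / informational) and the `cs1`/`cs2` custom-string keys chosen for trail and reference are assumptions of this example, and the severity value is a plain parameter rather than the web client's JS logic. Sample event values are constructed from the posted line.

```python
"""CEF-over-syslog sender and parser. Added example, not Maltrail's own code."""
import re
import socket
import time

# Header values mirroring the sample message in the thread (assumed, not read from Maltrail).
CEF_VENDOR = "maltrail"
CEF_PRODUCT = "sensor"
CEF_VERSION = "0.10.115"

# Constructed sample event based on the posted line; trail/reference values are made up.
SAMPLE_EVENT = {
    "date": "2016-05-10", "type": "known attacker",
    "src_ip": "10.0.0.192", "src_port": 1234,
    "dst_ip": "12.121.122.82", "dst_port": 4123, "proto": "TCP",
    "trail": "12.121.122.82", "reference": "example-feed",
}


def _escape_header(value):
    # CEF header fields: backslash and pipe are the only characters that need escaping.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    # CEF extension values: backslash and '=' are escaped, newlines become \r / \n.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(event, severity=0):
    """Return 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|k=v ...'.

    The thread's implementation fixes severity at 0; here it is a parameter.
    """
    header = "|".join(_escape_header(v) for v in (
        "0", CEF_VENDOR, CEF_PRODUCT, CEF_VERSION, event["date"], event["type"], severity))
    ext = {
        "src": event["src_ip"], "spt": event["src_port"],
        "dst": event["dst_ip"], "dpt": event["dst_port"], "proto": event["proto"],
        # cs1/cs2 custom strings for trail and reference: an assumption of this example.
        "cs1Label": "trail", "cs1": event["trail"],
        "cs2Label": "reference", "cs2": event["reference"],
    }
    extension = " ".join(f"{k}={_escape_extension(v)}" for k, v in ext.items())
    return f"CEF:{header}|{extension}"


def parse_cef(line):
    """Collector side: split a CEF line into its 7 header fields and an extension dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    body, fields, cur, i = line[4:], [], [], 0
    while i < len(body) and len(fields) < 7:      # walk the header honouring \| and \\
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            cur.append(body[i + 1]); i += 2; continue
        if c == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    unescape = lambda v: re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), v)
    pairs = re.findall(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)", body[i:])
    return fields, {k: unescape(v) for k, v in pairs}


def parse_syslog_server(setting):
    """'address:port' as in SYSLOG_SERVER; port defaults to 514 (IPv4/hostnames only here)."""
    host, _, port = setting.rpartition(":")
    return (setting, 514) if not host else (host, int(port))


def syslog_frame(message, hostname="sensor1", facility=16, severity=6, now=None):
    """RFC 3164 frame '<PRI>Mmm dd hh:mm:ss host msg'; facility/severity here are syslog's, not CEF's."""
    t = time.localtime(now)
    ts = time.strftime("%b ", t) + f"{t.tm_mday:2d}" + time.strftime(" %H:%M:%S", t)
    return f"<{facility * 8 + severity}>{ts} {hostname} {message}"


def send_udp(frame, server):
    """Sender side: a plain UDP client socket. Nothing listens on the sensor host, and a
    closed or filtered collector port raises no error here (UDP is fire-and-forget)."""
    host, port = parse_syslog_server(server)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(frame.encode("utf-8"), (host, port))


def demo():
    """Loopback round trip: bind a throwaway UDP collector, send one frame, return both sides."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as collector:
        collector.bind(("127.0.0.1", 0))
        collector.settimeout(2)
        host, port = collector.getsockname()
        frame = syslog_frame(build_cef(SAMPLE_EVENT, severity=10))
        send_udp(frame, f"{host}:{port}")
        data, _ = collector.recvfrom(65535)
    return frame, data.decode("utf-8")


if __name__ == "__main__":
    sent, got = demo()
    print(got)
    print(parse_cef(got[got.index("CEF:"):]))
```

Because the sensor only transmits, a packet capture or a throwaway listener on the collector host (as `demo()` does on loopback) is the right place to check delivery; `ss`/`netstat` on the sending host will show no listening port for this feature.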
This looks great! I would say it's safe to over-log items and include the trail and reference fields and let the user decide what to strip out or create extracted fields for in their system of use. Can't wait to use this with Splunk!
@xECK29x with the latest revision, both trail and reference are included too.
Fantastic!
Great! Works like a charm, thanks.
First of all, thanks for the useful project. After such a long time, we need structured logs like the user @jjjan said, or a Splunk app. We need all output, like severity. Good luck.
stamparm, if you are implementing severity for syslog messages, please send that data via the LOG_SERVER option too. If needed, it can be made configurable. Our SIEM is happy with the RAW log format, as it is just CSV with space as the delimiter and double quotes to enclose fields with spaces. Also, this format requires less space, as column names are fixed and not transported with each message.
Hi, I tried uncommenting the SYSLOG line in maltrail.conf and allowed the port both on the Maltrail server and going to the syslog server (Graylog). I tried both CEF UDP and Syslog UDP, but the log server is still not able to receive anything; the port on the Maltrail server isn't even listening. Can anyone help, please? Do I need to install rsyslog for this purpose?