Sunday, September 16, 2012

OSSIM hands-on 4: Collecting syslog data from a Linux system

This is the fourth of a series of hands-on exercises intended to help OSSIM users configure their system. In this post we will cover how to collect syslog data from a Linux system (10.0.0.80) on the OSSIM sensor (10.0.0.31), using rsyslog filters, enabling log file rotation and activating the ssh plugin.

1.- Connect to the source Linux system and configure syslog forwarding to the sensor (10.0.0.31)

a) edit /etc/rsyslog.conf and check the $IncludeConfig directive (by default it includes /etc/rsyslog.d/*.conf, in alphabetical order)
b) create a new file named /etc/rsyslog.d/alienvault.conf with the following rule (a single @ forwards over UDP; @@ would use TCP):
*.* @10.0.0.31
c) restart rsyslogd (for example, service rsyslog restart)

2.- Connect to the sensor (10.0.0.31) and verify that we are actually receiving syslog data

a) Run tcpdump to monitor incoming traffic on the syslog port (udp 514), e.g. tcpdump -ni eth0 udp port 514 and host 10.0.0.80 (adjust the interface to your sensor)
- generate authentication logs at the source system (an ssh login, for example) so new events are forwarded through syslog
b) Check /var/log/syslog to see whether the remote data is also written there. At this point it should be, since the sensor has no rule yet that treats remote messages differently. If nothing arrives at all, make sure rsyslog on the sensor is listening on UDP 514 (the imudp module loaded and $UDPServerRun 514 set in its configuration).

3.- Configure rsyslog rules to manage remote incoming data

a) create a new file named /etc/rsyslog.d/10.0.0.80.conf (that is the source system IP address). The file name matters: $IncludeConfig loads the files in alphabetical order, so this file has to sort before the distribution's default rules (50-default.conf on Debian/Ubuntu); otherwise the remote messages reach /var/log/syslog before the discard rule below ever runs.
b) add new rules to the 10.0.0.80.conf file:
if ($fromhost == '10.0.0.80') and ($rawmsg contains 'ssh') then -/var/log/ossim/ssh.log
if ($fromhost == '10.0.0.80') then ~
The first rule writes every message from 10.0.0.80 whose raw message contains 'ssh' to /var/log/ossim/ssh.log (the leading - tells rsyslog not to sync the file after every write). The second rule discards everything else from that host, so it does not also end up in the sensor's local log files. Keep in mind that contains is case-sensitive and matches anywhere in the raw message, hostname included.
c) add comments (using #) explaining what those rules are supposed to do
d) restart rsyslogd

4.- Configure the ssh plugin to read /var/log/ossim/ssh.log (point the plugin's location parameter at that path and make sure the plugin is enabled in the agent configuration) and restart ossim-agent

5.- Check that the ssh logs from the source Linux box are being parsed and processed by the SIEM: the events should show up in the SIEM events view, and /var/log/ossim/agent.log shows the agent picking them up and sending them

6.- Configure log file rotation

a) edit /etc/logrotate.d/rsyslog and add the new file (/var/log/ossim/ssh.log) to the list of files it rotates, so it shares the same postrotate action (which reloads rsyslog so that it reopens the freshly created file)
b) force a rotation (logrotate -f /etc/logrotate.d/rsyslog)
c) check that the new syslog file has rotated and that the ossim-agent process is reading the new file (generate new events if needed). If the agent keeps reading the old, rotated file, restart it.

7.- Rsyslog debugging

a) create the file /etc/rsyslog.d/debug.conf with the following content:
*.* /var/log/all.log;RSYSLOG_DebugFormat
(this applies the built-in RSYSLOG_DebugFormat template, which dumps every property of a message, to all incoming messages)
b) restart rsyslog
c) check the /var/log/all.log file and look at the properties listed for each message (fromhost, hostname, programname, msg, syslogfacility, syslogseverity, ...) to identify the ones that can be used for filtering
d) disable debugging, since all.log grows quickly:
mv /etc/rsyslog.d/debug.conf /etc/rsyslog.d/debug.conf.disabled
restart rsyslog

8.- Add a new filtering rule to write the sensor's own ssh logs into /var/log/ossim/ssh.log too

a) create a file named /etc/rsyslog.d/10.0.0.31.conf
b) use the properties found in step 7 to write the rule (matching on $programname == 'sshd', for instance, is tighter than a contains on $rawmsg)
c) don't use a discard rule (~) in this case, so the rest of the local logs can still be written to their usual files
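To see what the two rule files from steps 3 and 8 actually do to a stream of messages, here is a small simulator of that filter chain. It is an added example, not part of the original post and not OSSIM or rsyslog code: the sample syslog lines are constructed, the catch-all rule at the end stands in for the distribution's default rules (50-default.conf), and the step 8 rule matching on $programname == 'sshd' is an assumed choice rather than something the post prescribes.

```python
"""Simulate the rsyslog filter chain from steps 3 and 8 over constructed
syslog lines, showing which file each message ends up in and why.
Added example, not part of the original post or of OSSIM itself."""
import re
from collections import defaultdict

SENSOR_IP = "10.0.0.31"   # sensor address used throughout the post
SOURCE_IP = "10.0.0.80"   # source Linux box from the post
SSH_LOG = "/var/log/ossim/ssh.log"
SYSLOG = "/var/log/syslog"
DISCARD = "~"             # stands for rsyslog's discard action

# RFC 3164-style line as imudp receives it: <PRI>TIMESTAMP HOST TAG[PID]: MSG
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def properties(fromhost, rawmsg):
    """Derive the rsyslog message properties the filters use. The names
    match the ones RSYSLOG_DebugFormat prints in step 7: fromhost is the
    sending IP seen on the socket, hostname is what the message claims."""
    m = _LINE.match(rawmsg)
    if not m:
        # rsyslog still accepts a malformed line; the parsed fields stay empty
        return {"fromhost": fromhost, "rawmsg": rawmsg, "hostname": "",
                "programname": "", "msg": rawmsg,
                "syslogfacility": 1, "syslogseverity": 5}
    pri = int(m.group("pri"))
    return {
        "fromhost": fromhost,
        "rawmsg": rawmsg,
        "hostname": m.group("hostname"),
        "programname": m.group("tag"),
        "msg": m.group("msg"),
        "syslogfacility": pri >> 3,   # PRI = facility * 8 + severity
        "syslogseverity": pri & 7,
    }


# Ordered ruleset, in the order $IncludeConfig would load the files.
RULES = [
    # /etc/rsyslog.d/10.0.0.80.conf (step 3); 'contains' is case-sensitive
    (lambda p: p["fromhost"] == SOURCE_IP and "ssh" in p["rawmsg"], SSH_LOG),
    (lambda p: p["fromhost"] == SOURCE_IP, DISCARD),
    # /etc/rsyslog.d/10.0.0.31.conf (step 8): no discard, so local messages
    # fall through. Matching $programname is an assumed choice, not the post's.
    (lambda p: p["fromhost"] == SENSOR_IP and p["programname"] == "sshd", SSH_LOG),
    # stand-in for the distribution's default rules (e.g. 50-default.conf)
    (lambda p: True, SYSLOG),
]


def route(fromhost, rawmsg, rules=RULES):
    """Return the files the message is written to, in rule order. A message
    can hit several actions; evaluation stops at the first discard, which is
    what rsyslog's '~' does."""
    p = properties(fromhost, rawmsg)
    written = []
    for cond, action in rules:
        if not cond(p):
            continue
        if action == DISCARD:
            break
        written.append(action)
    return written


# Constructed sample traffic: (sending IP, raw line). Not real captures.
SAMPLE = [
    (SOURCE_IP, "<38>Sep 16 10:01:02 srv80 sshd[2231]: Accepted password for alice from 10.0.0.5 port 51022 ssh2"),
    (SOURCE_IP, "<38>Sep 16 10:01:09 srv80 sshd[2235]: Failed password for root from 10.0.0.9 port 51030 ssh2"),
    (SOURCE_IP, "<78>Sep 16 10:05:01 srv80 CRON[2301]: (root) CMD (run-parts /etc/cron.hourly)"),
    (SOURCE_IP, "<13>Sep 16 10:06:00 srv80 logger: SSH maintenance window starting"),
    (SENSOR_IP, "<38>Sep 16 10:07:15 sensor sshd[991]: Accepted publickey for admin from 10.0.0.2 port 40211 ssh2"),
    (SENSOR_IP, "<78>Sep 16 10:10:01 sensor CRON[1012]: (root) CMD (run-parts /etc/cron.hourly)"),
]


def run(sample=SAMPLE):
    """Route every sample line; return (file -> lines written, discarded lines)."""
    files = defaultdict(list)
    discarded = []
    for fromhost, rawmsg in sample:
        dests = route(fromhost, rawmsg)
        if not dests:
            discarded.append(rawmsg)
        for dest in dests:
            files[dest].append(rawmsg)
    return dict(files), discarded


if __name__ == "__main__":
    files, discarded = run()
    for path, lines in sorted(files.items()):
        print(path)
        for line in lines:
            print("   ", line)
    print("discarded by '~':")
    for line in discarded:
        print("   ", line)
```

Running it shows the two sshd lines from 10.0.0.80 landing only in ssh.log, the CRON line from that host being discarded, the sensor's own sshd line going to both ssh.log and syslog, and the "SSH maintenance window" line being discarded as well: $rawmsg contains 'ssh' does not match the uppercase spelling, which is one reason to prefer $programname in the step 8 rule.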

9.- Collected logs at the SIEM GUI




1 comment:

  1. This blog is very interesting. Truly, the information you provide is well said and the explanation is very clear, so it is easy for readers to understand. Keep up the good work; I am waiting for your valuable details.
    Corporate Training in Chennai
    Corporate Training institute in Chennai
    Embedded System Course Chennai
    Unix Training in Chennai
    Excel Training in Chennai
    Tableau Training in Chennai
