So, you have now figure out to enable Syslog over TCP on Alienvault. As it turns out, it’s optional in a sense you can get NXlog to run UDP. But it’s good to know.
Now in general, we don’t mess around with other systems other than Alienvault. But in reality, over so many POCs and deployment, its invariable that we will need to get our hands dirty and figure out with the client what on earth is happening and why don’t we see those dratted logs coming in. In the previous post, we’ve explored the useful tcpdump and the netstat – tulpen commands. But for this one, let’s look at the other side: NXlog and see how we set it up.
First of all, we obviously want to get something going in that windows box. Let’s say for instance, we set up FTP IIS there and we want to shovel all those logs over to AV. Now, I will assume FTP IIS is already up and logging is already done there, else we are going to be stuck talking about all sort of stuff that a million other articles have already explored.
We will jump into NXLog. Install NXLog (again, not going to explore that here), and once its up and running, we have set up the conf as follows
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log
#Where your logs are define IIS_LOGS C:\inetpub\logs\FTPSVC2
<Extension syslog> Module xm_syslog </Extension>
#Define IIS Source <Input IIS> Module im_file File "%IIS_LOGS%\u*" SavePos TRUE #Add in Syslog Fields Exec $SourceName = 'IIS'; Exec $ProcessID = '1'; Exec $MessageID = '2'; #Don't send comments over Exec if $raw_event =~ /^#/ drop(); #csv->parse_csv(); </Input>
#Define Output <Output AV_Syslog> Module om_udp Host <Host of Alienvault> Port 514 OutputType LineBased Exec to_syslog_ietf(); </Output>
#Make something happen <Route IIS> Path IIS => AV_Syslog </Route>
A few things are happening here, but basically you are getting NXLog to look into the specific folder for a file starting with u* and send it via UDP syslog to the Alienvault. Restart the NXLog and see if it works.
You should be seeing something on the tcpdump in Alienvault.
For starters, make sure your logfile is getting logs. Easiest way is to fire up an FTP client and just put or get into your FTP server and see if you see the logs ON THE SERVER first. If it’s there, then its a good start. You should be seeing some traffic hitting your Alienvault via the TCPDump.
Now for Alienvault, I know a lot of documentation out there teaches you to set up rsyslog manually and all, but with the new versions, they have simplified it. What we did was to go to the actual asset on the GUI: Assets and Groups -> Asset IP -> Details -> Plugins
Edit the Plugins and select Syslog
Most of us will go huh? Will this work?
No, it won’t work. Not yet anyway, but once this is done, you get two things:
Back in AV CLI, run
more /etc/ossim/agent/config.yml
The config.yml shows that for that particular device, it’s tied to which log file on the AV. Very useful especially if you have hundreds of logs coming in and you get confused.
/var/log/alienvault/devices
You should see a folder with the IP of the server you have NXLog running on and in that folder, a nice log file, which in turn will have the details of the logs that NXLog is sending over.
The problem now, is that AV doesn’t quite understand this log. Not yet. That’s where plugins come in play. We used the syslog plugin only as a placeholder to create the logfile. The syslog plugin won’t understand it.
Wait till you see a few lines coming into your Alienvault log file from the NXLog.
/var/log/alienvault/agent -> cat agent | grep 4007
What you have done here is to see if syslog plugin (Plugin id is 4007) can see anything coming in. It does, you might see some events like
Apr 2 11:27:25 VirtualUSMAllInOne ossim-agent: Alienvault-Agent[INFO]: Plugin[4007] Reading from /var/log/alienvault/devices/192.168.0.35/192.168.0.35.log Apr 2 12:17:02 VirtualUSMAllInOne ossim-agent: Alienvault-Agent[INFO]: Plugin[4007] Total lines [134] TotalEvents:[134] EPS: [5.80] elapsed [10.01] seconds Apr 2 12:17:12 VirtualUSMAllInOne ossim-agent: Alienvault-Agent[INFO]: Plugin[4007] Total lines [134] TotalEvents:[134] EPS: [0.00] elapsed [10.01] seconds
It basically means Alienvault processed x number of lines as ‘events’. Which you might think is great, but not so.
Back in the GUI SIEM, you can filter the datasource by ‘syslog’ and you will get a bunch of syslogs but with the destination and source host as 0.0.0.0. Basically this means, AV sees stuff coming, it uses syslog plugin to attempt to read the log but couldn’t figure out the IPs within that log due to its format and just sends out this cryptic line. Going into the event itself will give you a clue – the raw logs does state it is an FTP log coming from the FTP server, through NXLog. This means that Alienvault sees the logs, but using the syslog plugin, couldn’t interpret it properly due to its format.
So. You are half way there. The logs are coming in from a windows box through NXLog, and Alienvault sees it, but needs to speak the same language to understand it. Enter custom plugins.
Stay tuned!