Sending syslog messages from a Linux box to SIEM

Let's imagine that we need to direct log messages from our Linux box to a SIEM solution, for centralized management, backup or correlation purposes. How do we do that?

This article is about SuSE Linux or SLES, but it can be easily customized for other Linux flavors.

First of all, newer Linux distros use syslog-ng (syslog new generation). In SLES, we can find its configuration files under the "/etc/syslog-ng/" folder. Two of them:

The first one is the one we edit directly. We should not edit syslog-ng.conf directly. The changes we make get written into syslog-ng.conf once we issue the SuSEconfig command. So the process is as follows.

We edit the file to add these lines:

destination POP-W8 { udp( "10.x.y.124" port(514) ); };
destination SIEM { udp( "10.a.b.67" port(514) ); };

log { source(src); destination(POP-W8); destination(SIEM); };

With the first two lines we define our targets. These can be another, non-local syslog server or some SIEM solution. In this case, the first line defines a syslog server installed on our PC, and the second line defines our SIEM solution. This way we can track messages in two places and see if there are any misses. The syntax is:

destination TARGETNAME { udp( "ADDRESS" port(PORT) ); };

I think everything is obvious.

The third line actually directs messages to defined destinations:

log { source(src); destination(POP-W8); destination(SIEM); };

So, what this line says is: log all messages defined by src to all listed targets. The src log source is predefined in SLES and means all local messages.

After we have edited our "/etc/syslog-ng/" file, we need to execute:

SuSEconfig --module syslog-ng

so these changes get written to "/etc/syslog-ng/syslog-ng.conf". Finally, we restart the syslog daemon:

/etc/init.d/syslog restart


Now we should start receiving messages on our defined targets.
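
One way to check for misses between the two destinations, as an added example that is not part of the original article: the script writes numbered marker messages to the local syslog socket, so they travel through source(src), and then compares what each receiver captured. The fwdtest tag, the marker format, the hostname and the sample capture lines are constructed for illustration.

```python
import re
import syslog
import uuid

# Marker format is an assumption of this example, not something syslog-ng defines.
MARKER = re.compile(r"fwdtest run=(?P<run>[0-9a-f]+) seq=(?P<seq>\d+)")


def emit_test_messages(count, run_id=None):
    """Log `count` numbered markers locally so syslog-ng forwards them via src."""
    run_id = run_id or uuid.uuid4().hex[:8]
    syslog.openlog("fwdtest", 0, syslog.LOG_USER)
    for seq in range(1, count + 1):
        syslog.syslog(syslog.LOG_NOTICE, f"fwdtest run={run_id} seq={seq}")
    syslog.closelog()
    return run_id


def seen_sequences(lines, run_id):
    """Sequence numbers of this run found in one receiver's captured lines."""
    seen = set()
    for line in lines:
        match = MARKER.search(line)
        if match and match.group("run") == run_id:
            seen.add(int(match.group("seq")))
    return seen


def missing_by_destination(count, run_id, captures):
    """Map each destination name to the sorted markers it never received."""
    expected = set(range(1, count + 1))
    return {name: sorted(expected - seen_sequences(lines, run_id))
            for name, lines in captures.items()}


# Constructed sample captures (user.notice = PRI 13); SIEM lost seq=3 and
# still holds a stale marker from an earlier run, which must be ignored.
SAMPLE_RUN = "3fa1c2d9"
_LINE = "<13>Mar  4 10:15:01 slesbox fwdtest: fwdtest run={} seq={}"
SAMPLE_CAPTURES = {
    "POP-W8": [_LINE.format(SAMPLE_RUN, n) for n in (1, 2, 3, 4, 5)],
    "SIEM": [_LINE.format("00000000", 3)]
            + [_LINE.format(SAMPLE_RUN, n) for n in (1, 2, 4, 5)],
}

if __name__ == "__main__":
    # On the real box: run_id = emit_test_messages(5), then load each
    # receiver's captured lines instead of SAMPLE_CAPTURES.
    print(missing_by_destination(5, SAMPLE_RUN, SAMPLE_CAPTURES))
```

Because udp() gives no delivery guarantee, an occasional gap at one destination is possible even with a correct configuration; a destination that is missing every marker points at the configuration or the network path.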


Thanks for reading.


