MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Using the same server to forward syslog and CEF messages #64909

Closed mikeelliottuk closed 3 years ago

mikeelliottuk commented 3 years ago

Hi, could this documentation please be enhanced to describe how to configure the server to forward both syslog and CEF messages?

Many thanks.

Mike



MarileeTurscak-MSFT commented 3 years ago

@mikeelliottuk Thanks for your feedback! We will investigate and update as appropriate.

happy-jo commented 3 years ago

Hi,

I'd like to build on this a little or ask for help.

Page in question

I'm trying to send CEF and ASA messages to the CommonSecurityEvent and syslog messages to the Syslog table. I created the below rule based on the information provided but I'm still having trouble.

if ($rawmsg contains "CEF:" or $rawmsg contains "ASA-") then { @127.0.0.1:25226 } else { @127.0.0.1:25224 }

Currently the syslog messages make it into the table but the CEF messages do not.
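The split happy-jo's rule has to make can be checked locally before the OMS agent is in the loop. The harness below is an added example written for this thread, not code from the Azure docs or from the agent. It assumes what the Sentinel forwarder documentation specifies for the agent's listeners, 127.0.0.1:25226 over TCP for CEF and 127.0.0.1:25224 over UDP for plain syslog, stands in for the agent with one listener of each kind, and routes constructed sample lines with the agent's own discriminator (CEF header or Cisco ASA message id). The transport is the detail that bites in rsyslog: `@host:port` is UDP and `@@host:port` is TCP, and the CEF listener only speaks TCP.

```python
"""Local check of the CEF/syslog split a Sentinel forwarder must perform.

FakeAgent stands in for omsagent (TCP listener for CEF, UDP listener for syslog).
forward() routes a line the way the forwarder rule has to; run_demo() reports
where each constructed sample landed.
"""
import re
import socket
import threading
import time

CEF_PORT = 25226     # omsagent CEF listener: TCP (rsyslog "@@", syslog-ng tcp())
SYSLOG_PORT = 25224  # omsagent syslog listener: UDP (rsyslog "@", syslog-ng udp())

# Same discriminator as the agent's CEF filter: a CEF header or an ASA message id.
CEF_OR_ASA = re.compile(r"CEF:|%ASA-")

# Constructed sample lines (not captured traffic): two CEF/ASA, two plain syslog.
SAMPLES = [
    '<134>Jan 12 10:00:01 fw01 CEF:0|Palo Alto Networks|PAN-OS|9.1|end|TRAFFIC|1|src=10.0.0.5 dst=203.0.113.9 dpt=443',
    '<164>Jan 12 10:00:02 asa01 %ASA-4-106023: Deny tcp src outside:203.0.113.7/4444 dst inside:10.0.0.5/22 by access-group "outside_in"',
    '<86>Jan 12 10:00:03 web01 sshd[1234]: Accepted publickey for deploy from 10.0.0.9 port 51234 ssh2',
    '<38>Jan 12 10:00:04 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; COMMAND=/bin/systemctl restart nginx',
]


def is_cef(raw: str) -> bool:
    """True for lines that belong in CommonSecurityEvent (CEF or ASA), else Syslog."""
    return CEF_OR_ASA.search(raw) is not None


class FakeAgent:
    """Two local listeners standing in for omsagent; records what arrives on each."""

    def __init__(self, cef_port: int = CEF_PORT, syslog_port: int = SYSLOG_PORT):
        self.tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.tcp.bind(("127.0.0.1", cef_port))
        self.tcp.listen(8)
        self.udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.udp.bind(("127.0.0.1", syslog_port))
        # port 0 means "any free port"; read back what was actually bound
        self.cef_port = self.tcp.getsockname()[1]
        self.syslog_port = self.udp.getsockname()[1]
        self.received = {"cef_tcp": [], "syslog_udp": []}
        self._stop = threading.Event()
        for s in (self.tcp, self.udp):
            s.settimeout(0.2)
        self._threads = [threading.Thread(target=self._tcp_loop, daemon=True),
                         threading.Thread(target=self._udp_loop, daemon=True)]
        for t in self._threads:
            t.start()

    def _tcp_loop(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.tcp.accept()
            except socket.timeout:
                continue
            with conn:
                data = b""
                while chunk := conn.recv(4096):
                    data += chunk
            # syslog over TCP is newline-delimited (RFC 6587 non-transparent framing)
            self.received["cef_tcp"] += [l for l in data.decode().split("\n") if l]

    def _udp_loop(self):
        while not self._stop.is_set():
            try:
                data, _ = self.udp.recvfrom(65535)
            except socket.timeout:
                continue
            self.received["syslog_udp"].append(data.decode())

    def stop(self):
        self._stop.set()
        for t in self._threads:
            t.join()
        self.tcp.close()
        self.udp.close()


def forward(raw: str, cef_port: int = CEF_PORT, syslog_port: int = SYSLOG_PORT) -> str:
    """Route one raw line: CEF/ASA over TCP to the CEF port, everything else over UDP
    to the syslog port. Returns the lane used."""
    if is_cef(raw):
        with socket.create_connection(("127.0.0.1", cef_port), timeout=2) as s:
            s.sendall(raw.encode() + b"\n")
        return "cef_tcp"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(raw.encode(), ("127.0.0.1", syslog_port))
    return "syslog_udp"


def run_demo(cef_port: int = CEF_PORT, syslog_port: int = SYSLOG_PORT, lines=SAMPLES) -> dict:
    """Start the stand-in agent, forward every sample, return what each listener saw."""
    agent = FakeAgent(cef_port, syslog_port)
    try:
        for raw in lines:
            forward(raw, agent.cef_port, agent.syslog_port)
        deadline = time.time() + 3
        while time.time() < deadline and sum(map(len, agent.received.values())) < len(lines):
            time.sleep(0.05)
    finally:
        agent.stop()
    return agent.received


if __name__ == "__main__":
    # Uses the real agent ports, so run it with omsagent stopped or the bind will fail.
    for lane, msgs in run_demo().items():
        print(f"{lane}: {len(msgs)} message(s)")
        for m in msgs:
            print("   ", m[:72])
```

To exercise the real agent instead of the stand-in, skip FakeAgent and call forward() on its own, then confirm the lines appear in omsagent.log and in the CommonSecurityEvent and Syslog tables. If the CEF lines never arrive, check the transport first: a UDP sender cannot reach a TCP listener.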

mikeelliottuk commented 3 years ago

Hi there. Might be better to post this question on the Technet Forum here https://techcommunity.microsoft.com/t5/azure-sentinel/bd-p/AzureSentinel

DataGuys commented 3 years ago

I too am having this challenge. I can onboard to the LAW with the OMSagent on the Linux syslog-ng forwarder and after basic configuration I am able to get syslog data to ingest into the Syslog connector in Azure Sentinel. Once I install the CEF part of the solution I lose connectivity to Syslog and CEF starts working. I have been trying for days to get both to work on the same box but I am unable to make it send both CEF on TCP and Syslog on UDP and have it make it to Sentinel. I can tail the omsagent.log and see traffic for CEF or Syslog depending on which step in the install process I am on. The docs all state the fact that Syslog and CEF are possible but I am not getting it to work. Please update the documentation to deep dive into getting both running on the same box.

batamig commented 3 years ago

Hi all - thank you for sending your feedback on this article!

We're currently taking a fresh look at our connector docs, and we're going to check back with the team about all your comments. We'll update or clarify the docs as needed in a coming release.

I'm going to close this issue for now, but feel free to add more comments if you have additional input. We value your contributions to Microsoft docs!

please-close

DataGuys commented 3 years ago

Actually got this working with Splunk and Syslog/CEF going to dual locations from the same Syslog-NG server. The key is to let the OMS agent take over the Syslog-NG.Conf file and adjust your Splunk to work with what changes the OMS agent wants.

DataGuys commented 3 years ago

@version:3.5
# Note: this file also sources additional configuration files (*.conf) located in
# /etc/syslog-ng/conf.d/ (see the @include at the end of the file; it is included once).
# The Sentinel CEF connector drops security-config-omsagent.conf in that directory,
# which defines oms_destination (tcp 127.0.0.1:25226) and its own log path from s_src.
# oms_destination is referenced below but intentionally not defined in this file.

####################################################
# Basic Global Options
####################################################

options {
    use_dns(yes);
    use_fqdn(yes);
    dns_cache(yes);
    keep_hostname(yes);
    chain_hostnames(off);
    log_fifo_size(100000);
    flush_lines(100);
    stats_freq(1000);
    keep_timestamp(no);
};

####################################################
# Define sources
####################################################

source s_sys { system(); internal(); };

# Setup for Microsoft agent: the CEF connector expects a source named s_src on 514
source s_src { udp(port(514)); tcp(port(514)); };

# F5 needs a TCP port to check the health.
# No longer needed now that the MS agent is forcing a tcp port 514 (s_src above);
# kept disabled, because a second listener on 514/tcp would fail to bind.
#source s_remote_lb_health_check {
#    tcp(port(514) so_rcvbuf(67108864) log_fetch_limit(50));
#};

# The MS agent kept wanting to utilize 514/udp so this is now being utilized by s_src
#source s_remote_logs_unix {
#    udp(port(514) so_rcvbuf(67108864) log_fetch_limit(50));
#};

source s_remote_logs_networking { udp(port(1514) so_rcvbuf(67108864) log_fetch_limit(50)); };
source s_remote_logs_security { udp(port(2514) so_rcvbuf(67108864) log_fetch_limit(50)); };
source s_remote_logs_windows { udp(port(3514) so_rcvbuf(67108864) log_fetch_limit(50) flags(no-multi-line)); };
source s_remote_logs_sso { udp(port(4514) so_rcvbuf(67108864) log_fetch_limit(50)); };
source s_remote_logs_ois { udp(port(5514) so_rcvbuf(67108864) log_fetch_limit(50)); };
source s_remote_logs_proxy { tcp(port(6514) so_rcvbuf(67108864) log_fetch_limit(50)); };
source s_remote_logs_cloud { udp(port(7514) so_rcvbuf(67108864) log_fetch_limit(50)); };
source s_remote_logs_app { udp(port(8514) so_rcvbuf(67108864) log_fetch_limit(50) flags(no-multi-line)); };
source s_remote_logs_sso_app { udp(port(9514) so_rcvbuf(67108864) log_fetch_limit(50)); };

####################################################
# Define destinations
####################################################

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

# OMS Workspace 5e5246d7-26c2-427b-b9da-677621396295 destination
# (plain syslog lane, udp 25224; CEF goes to oms_destination on tcp 25226 instead)
destination d_5e5246d7-26c2-427b-b9da-677621396295_oms { udp("127.0.0.1" port(25224)); };

# NOTE: dir_perm(0777) leaves every log directory below world-writable, so any local
# account can plant or truncate files there; 0750 is the least-privilege choice.
destination d_hosts_unix { file("/logs/unix/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_networking { file("/logs/networking/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_cisco_firewall { file("/logs/networking/cisco/firewalls/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_cisco_router { file("/logs/networking/cisco/routers/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_cisco_switch { file("/logs/networking/cisco/switches/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_cisco_wireless { file("/logs/networking/cisco/wireless/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_juniper_wbi { file("/logs/networking/juniper/wbi/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_f5 { file("/logs/networking/f5/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_palo { file("/logs/networking/palo/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_dhcp { file("/logs/networking/dhcp/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_nat { file("/logs/networking/nat/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_networking_misc { file("/logs/networking/misc/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_dns { file("/logs/networking/dns/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_proxy { file("/logs/networking/proxy/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_security { file("/logs/security/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_security_misc { file("/logs/security/misc/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_cisco_ips_alerts { file("/logs/security/cisco/ips/alerts/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_cisco_ips_os { file("/logs/security/cisco/ips/os/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_cisco_amp { file("/logs/security/cisco/amp/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_cisco_acs { file("/logs/security/cisco/acs/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_cisco_ise { file("/logs/security/cisco/ise/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_symantec_dlp { file("/logs/security/symantec/dlp/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_thycotic { file("/logs/security/thycotic/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_windows { file("/logs/windows/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_windows_splunk { file("/logs/windows/splunk/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_sso { file("/logs/sso/$(lowercase $HOST)/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_ois { file("/logs/ois/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_cloud { file("/logs/cloud/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_junk { file("/logs/junk/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };
destination d_hosts_app { file("/logs/app/$YEAR-$MONTH-$DAY-sys01.log" dir_owner(root) dir_group(root) dir_perm(0777) owner(root) group(root) perm(0664) create_dirs(yes)); };

# LDAP lookup script for the network segmentation Palo
destination d_ldap_lookup { program("/logs/bin/ldap_lookup.py" flush_lines(1)); };

# Production Palo float IP for Windows events
destination d_palo_float { udp("10.13.3.48" port(514) spoof_source(no)); };
destination d_palo_float2 { udp("10.13.3.48" port(514) spoof_source(yes)); };

# Production Palo float IP for SSH events (separate interface on the Palo for different regex logs)
destination d_palo_ssh_vip { udp("10.13.3.61" port(514) spoof_source(no)); };
destination d_palo_lab_float { udp("10.18.0.18" port(514) spoof_source(no)); };
destination d_palo_lab_float2 { udp("10.18.0.18" port(514) spoof_source(yes)); };
destination d_mom { udp("10.19.149.54" port(514) spoof_source(yes)); };
destination d_networking_akips { udp("10.124.44.4" port(514) spoof_source(yes)); };
destination d_zuniga { udp("eecsyslog.demo.contso.com" port(514) spoof_source(yes)); };

# Domain controller logs going to WAN-ISE
destination d_ise_wan { udp("10.120.53.32" port(40514) spoof_source(yes) template("<$PRI>${ISODATE} syslog02.unx.contso.com ${MESSAGE}\n")); };

# Send AMP logs to zsyslog.zsp.contso.com
destination d_zsyslog { udp("149.173.75.20" port(10514)); };

####################################################
# Define filters
####################################################
# 'and' binds tighter than 'or' in syslog-ng filter expressions; the parentheses
# below make the grouping the comments describe explicit.

# ASA
filter f_cisco_firewall { host("^[Ff][0-9][0-9]") and match("\%ASA-"); };

# ASA NAT
filter f_networking_nat { match("\%ASA-4-30501[1-2]") or match("\%ASA-6-30501[1-2]") or match("\%ASA-6-30202[0-1]") or match("\%ASA-6-30201[3-6]"); };

# Splunk Windows forwarding
filter f_windows_not_splunk { not host("^gisforwarder.*"); };

# Specific auth logs to the Palo
filter f_windows_splunk_palo { host("^gisforwarder.*") and (match("EventCode=4624") or match("EventCode=4768")) and not match("Keywords=Audit Failure"); };

# Routers
filter f_cisco_router { host("^[Rr][0-9][0-9][a-z]") or host("^[Vv][0-9][0-9][a-z]"); };

# Switches
filter f_cisco_switch { host("^[Bb][0-9][0-9][a-z]") or host("^[Dd][0-9][0-9][a-z]") or host("^[Hh][0-9][0-9][a-z]"); };

# Wireless Controllers
filter f_cisco_wireless { host("^[Ww][Ll][0-9][a-z]") or host("^[Ww][Cc][0-9][a-z]"); };

# Palo (the ^[Ff][0-9][0-9] hosts overlap with the ASA filter, hence the ASA exclusion)
filter f_palo { (host("^[Ff]15xx") or host("f03xxxxrdm36nc0" flags(ignore-case)) or host("f03xxxxdfi56nc0" flags(ignore-case)) or host("^[Pp]anorama") or host("^[Ll]aborama") or host("^[Ff][0-9][0-9]") or host(".*-contso-networking-fw-vm[1-9]")) and not match("\%ASA-"); };

# Juniper WBI
filter f_juniper_wbi { match("PulseSecure:"); };

# F5
filter f_f5 { host("^[Ll][0-9][0-9][a-x]") or host("^l072146"); };

# WAF
filter f_waf_out { not host("^l072146rvirnc0"); };

# DHCP
filter f_dhcp { host("^dns[1-9].*") and (message("DHCPREQUEST") or message("BOOTREQUEST")); };

# DNS
filter f_dns_query { (match("named") and match("query:")) or (host("^dns") and match("named")); };

# DNS/DHCP OS
filter f_dns_dhcp_os { host("^dns[1-9]") and facility(auth, authpriv) and not message("_pam_init_handlers: no default"); };

# DNS/DHCP Trash
filter f_dns_dhcp_trash { host("^dns[1-9]"); };

# Cisco IPS Alerts
filter f_cisco_ips_alerts { match("SFIMS:") or match("sourcefire:"); };

# Cisco IPS OS
filter f_cisco_ips_os { match("\[ips_os\]") or match("\[sourcefire\]"); };

# ACS (filter names match the filter() references in the log statements below)
filter f_cisco_acs { program("CSCOacs"); };

# ISE
filter f_cisco_ise { program("CISE"); };

# DLP
filter f_symantec_dlp { host("gisdlpenforcement"); };

# Thycotic
filter f_thycotic { host("thycoticp0[1-9]"); };

# MERC Exchange logs (not referenced by any log statement)
filter f_email { host("mercmbx") or host("merccas"); };

# Filter networking equipment that sends to 514/udp to the correct directory
filter f_networking_names { host(".*.net.contso.com") or host("^[Ff][0-9][0-9]") or host("^[Bb][0-9][0-9]") or host("^[Hh][0-9][0-9]") or host("^[Rr][0-9][0-9]") or host("^[Vv][0-9][0-9]") or host("wbi.contso.com"); };

# AKIPS (all networking hosts except the firewalls)
filter f_networking_akips { not host("^[Ff][0-9][0-9]") and (host("^[Bb][0-9][0-9]") or host("^[Hh][0-9][0-9]") or host("^[Rr][0-9][0-9]") or host("^[Vv][0-9][0-9]")); };

# Send authentication logs to Palo
filter f_palo_auth { (match("EventID:4624") or match("EventID:4768")) and not match("Keyword:0x6"); };

# Send logs to Python script for ACS samAccountName lookup
filter f_ldap_lookup { match("RADIUS Accounting start") and (match("@contso.com" flags(ignore-case)) or match("@jmp.com" flags(ignore-case))) and not match("NetworkDeviceName=wbi.contso.com"); };

# Send UNIX SSH logs to Palo
filter f_palo_unix { (host("lnx..unx.contso.com") or host("rh6lgn.") or host("dcfwlgn.*")) and match("Accepted") and not match("for root|nagios|dfxrnd"); };

# Send Python formatted samAccountName to the Palos
filter f_netseg { match("ACS,"); };

# Send logs from Juniper device to Daniel Zuniga
filter f_zuniga { host("vep.contso.com"); };

# General trash filter
filter f_trash { match("Deprecated pam_stack module") or match("password changed in future") or match("exphostd") or (host("mom.unx.contso.com") and match("xxx")) or (host(".esx[0-9][0-9].") and match("Vpxa:|Hostd:")); };

# OpenDNS trash filter
filter f_opendns_trash { match("query:") and match(".opendns.com"); };

# Local Filters
filter f_syslconn { match("Syslog connection" value("MESSAGE")); };
filter f_amp { match("Fireamp:"); };
filter f_zeus_amp { match("Fireamp:") and match("zsp.\contso.com"); };
filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron) or filter(f_amp) or filter(f_syslconn)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or (facility(news) and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };

####################################################
# Define log statements
####################################################
# Order matters: flags(final) stops a message at the first matching path, so the
# trash and DNS/DHCP paths are evaluated before the catch-all per-source paths.

# Default Logs
log { source(s_sys); filter(f_amp); destination(d_hosts_cisco_amp); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };
log { source(s_sys); filter(f_zeus_amp); destination(d_zsyslog); };
log { source(s_sys); filter(f_netseg); destination(d_palo_float); destination(d_palo_lab_float); destination(d_junk); };
log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };

# Run OpenDNS trash filter first so it doesn't go into the DNS logs
log { source(s_remote_logs_networking); filter(f_opendns_trash); flags(final); };

# Run DNS & DHCP filter so it goes to the correct folder before the trash filter
log { source(s_src); filter(f_dns_query); destination(d_hosts_dns); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_networking); filter(f_dns_query); destination(d_hosts_dns); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_src); filter(f_dhcp); destination(d_hosts_dhcp); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_networking); filter(f_dhcp); destination(d_hosts_dhcp); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_src); filter(f_dns_dhcp_os); destination(d_hosts_unix); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_networking); filter(f_dns_dhcp_os); destination(d_hosts_unix); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };

# Run all trash filters before other rules
log { source(s_src); filter(f_dns_dhcp_trash); destination(d_junk); flags(final); };
log { source(s_src); filter(f_trash); destination(d_junk); flags(final); };
log { source(s_remote_logs_networking); filter(f_trash); destination(d_junk); flags(final); };
log { source(s_remote_logs_security); filter(f_trash); destination(d_junk); flags(final); };
log { source(s_remote_logs_windows); filter(f_trash); destination(d_junk); flags(final); };
log { source(s_remote_logs_sso); filter(f_trash); destination(d_junk); flags(final); };

# Forward logs to akips
log { source(s_remote_logs_networking); filter(f_networking_akips); destination(d_networking_akips); };
log { source(s_src); filter(f_networking_akips); destination(d_networking_akips); };

# Send logs to Palo
log { source(s_remote_logs_windows); filter(f_windows_splunk_palo); destination(d_palo_float); };
log { source(s_remote_logs_security); filter(f_palo_auth); destination(d_palo_float); };
log { source(s_src); filter(f_palo_unix); destination(d_palo_ssh_vip); };
log { source(s_remote_logs_windows); filter(f_windows_splunk_palo); destination(d_palo_lab_float); };
log { source(s_remote_logs_security); filter(f_palo_auth); destination(d_palo_lab_float); };
log { source(s_remote_logs_windows); filter(f_windows_splunk_palo); destination(d_palo_float2); };
log { source(s_remote_logs_windows); filter(f_windows_splunk_palo); destination(d_palo_lab_float2); };

# Send logs to Python script
log { source(s_remote_logs_security); filter(f_ldap_lookup); destination(d_ldap_lookup); };

# Send logs to Daniel Zuniga
log { source(s_remote_logs_networking); filter(f_zuniga); destination(d_zuniga); };
log { source(s_src); filter(f_zuniga); destination(d_zuniga); };

# Send Logs to WAN-ISE
log { source(s_remote_logs_windows); destination(d_ise_wan); };

# Remote Networking NAT Logs
log { source(s_remote_logs_networking); filter(f_networking_nat); destination(d_hosts_nat); flags(final); };

# Remote Networking Logs
# ASA lines go to oms_destination (the CEF connector's tcp 25226 listener, defined in
# /etc/syslog-ng/conf.d/security-config-omsagent.conf), not to the plain syslog lane.
log { source(s_remote_logs_networking); filter(f_cisco_firewall); destination(d_hosts_cisco_firewall); destination(oms_destination); flags(final); };
log { source(s_src); filter(f_cisco_firewall); destination(d_hosts_cisco_firewall); destination(oms_destination); flags(final); };
log { source(s_remote_logs_networking); filter(f_cisco_router); destination(d_hosts_cisco_router); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_src); filter(f_cisco_router); destination(d_hosts_cisco_router); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_networking); filter(f_cisco_switch); destination(d_hosts_cisco_switch); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_src); filter(f_cisco_switch); destination(d_hosts_cisco_switch); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_networking); filter(f_cisco_wireless); destination(d_hosts_cisco_wireless); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_src); filter(f_cisco_wireless); destination(d_hosts_cisco_wireless); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_networking); filter(f_juniper_wbi); destination(d_hosts_juniper_wbi); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_src); filter(f_juniper_wbi); destination(d_hosts_juniper_wbi); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_networking); filter(f_f5); destination(d_hosts_f5); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_src); filter(f_f5); destination(d_hosts_f5); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_networking); filter(f_palo); destination(d_hosts_palo); flags(final); };
log { source(s_src); filter(f_palo); destination(d_hosts_palo); flags(final); };
log { source(s_remote_logs_networking); destination(d_hosts_networking_misc); flags(final); };
log { source(s_src); filter(f_networking_names); destination(d_hosts_networking_misc); flags(final); };

# Remote SSO Logs - migrating to Splunk/Sentinel; no reason for these to be here anymore,
# simplifying the config for old configs
log { source(s_remote_logs_sso); destination(d_hosts_sso); flags(final); };
log { source(s_remote_logs_sso_app); destination(d_hosts_sso); flags(final); };

# Remote Security Logs
log { source(s_remote_logs_security); filter(f_cisco_ips_alerts); destination(d_hosts_cisco_ips_alerts); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_src); filter(f_cisco_ips_alerts); destination(d_hosts_cisco_ips_alerts); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_security); filter(f_cisco_ips_os); destination(d_hosts_cisco_ips_os); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_src); filter(f_cisco_ips_os); destination(d_hosts_cisco_ips_os); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_security); filter(f_cisco_acs); destination(d_hosts_cisco_acs); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_security); filter(f_cisco_ise); destination(d_hosts_cisco_ise); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_security); filter(f_symantec_dlp); destination(d_hosts_symantec_dlp); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); flags(final); };
log { source(s_remote_logs_security); filter(f_thycotic); destination(d_hosts_thycotic); destination(oms_destination); flags(final); };
log { source(s_remote_logs_security); destination(d_hosts_security_misc); flags(final); };

# Remote Proxy Logs
log { source(s_remote_logs_proxy); destination(d_hosts_proxy); flags(final); };

# Remote UNIX Logs
log { source(s_src); destination(d_hosts_unix); flags(final); };

# Remote Windows Logs
log { source(s_remote_logs_windows); filter(f_windows_not_splunk); destination(d_hosts_windows); flags(final); };
log { source(s_remote_logs_windows); destination(d_hosts_windows_splunk); flags(final); };

# Remote Cloud Logs
log { source(s_remote_logs_cloud); destination(d_hosts_cloud); flags(final); };

# Remote OIS Logs
log { source(s_remote_logs_ois); destination(d_hosts_ois); flags(final); };

# Remote App Logs
log { source(s_remote_logs_app); destination(d_hosts_app); flags(final); };

# I had to define a log path to make 514/tcp listen.
# No longer needed now that s_src is being utilized above (the source is disabled as well).
#log { source(s_remote_lb_health_check); destination(d_junk); flags(final); };

# OMS Syslog default collection for workspace 5e5246d7-26c2-427b-b9da-677621396295
# (block generated by the OMS agent; it only covers the local system() source)

# OMS Workspace 5e5246d7-26c2-427b-b9da-677621396295 Facility = auth
filter f_auth_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,debug,emerg,err,info,notice,warning) and facility(auth); };
log { source(s_sys); filter(f_auth_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };

# OMS Workspace 5e5246d7-26c2-427b-b9da-677621396295 Facility = authpriv
filter f_authpriv_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,debug,emerg,err,info,notice,warning) and facility(authpriv); };
log { source(s_sys); filter(f_authpriv_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };

# OMS Workspace 5e5246d7-26c2-427b-b9da-677621396295 Facility = cron
filter f_cron_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(cron); };
log { source(s_sys); filter(f_cron_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };

# OMS Workspace 5e5246d7-26c2-427b-b9da-677621396295 Facility = daemon
filter f_daemon_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(daemon); };
log { source(s_sys); filter(f_daemon_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };

# OMS Workspace 5e5246d7-26c2-427b-b9da-677621396295 Facility = kern
filter f_kern_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(kern); };
log { source(s_sys); filter(f_kern_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };

# OMS Workspace 5e5246d7-26c2-427b-b9da-677621396295 Facility = local0
filter f_local0_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(local0); };
log { source(s_sys); filter(f_local0_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };

# OMS Workspace 5e5246d7-26c2-427b-b9da-677621396295 Facility = local2
filter f_local2_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(local2); };
log { source(s_sys); filter(f_local2_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };

# OMS Workspace 5e5246d7-26c2-427b-b9da-677621396295 Facility = local3
filter f_local3_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(local3); };
log { source(s_sys); filter(f_local3_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };

# OMS Workspace 5e5246d7-26c2-427b-b9da-677621396295 Facility = local4
filter f_local4_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(local4); };
log { source(s_sys); filter(f_local4_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };

# OMS Workspace 5e5246d7-26c2-427b-b9da-677621396295 Facility = local5
filter f_local5_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(local5); };
log { source(s_sys); filter(f_local5_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };

# OMS Workspace 5e5246d7-26c2-427b-b9da-677621396295 Facility = local6
filter f_local6_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(local6); };
log { source(s_sys); filter(f_local6_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };

# OMS Workspace 5e5246d7-26c2-427b-b9da-677621396295 Facility = local7
filter f_local7_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(local7); };
log { source(s_sys); filter(f_local7_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };

# OMS Workspace 5e5246d7-26c2-427b-b9da-677621396295 Facility = syslog
filter f_syslog_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(syslog); };
log { source(s_sys); filter(f_syslog_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };

# OMS Workspace 5e5246d7-26c2-427b-b9da-677621396295 Facility = user
filter f_user_5e5246d7-26c2-427b-b9da-677621396295_oms { level(alert,crit,emerg,err,warning) and facility(user); };
log { source(s_sys); filter(f_user_5e5246d7-26c2-427b-b9da-677621396295_oms); destination(d_5e5246d7-26c2-427b-b9da-677621396295_oms); };

# Source additional configuration files (.conf extension only); this is where the
# CEF connector's security-config-omsagent.conf (oms_destination, tcp 25226) comes in.
@include "/etc/syslog-ng/conf.d/*.conf"

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et: