search

Ylianst / MeshCentral

A complete web-based remote monitoring and management web site. Once setup you can install agents and perform remote desktop session to devices on the local network or over the Internet.
https://meshcentral.com
Apache License 2.0
4.16k stars 559 forks source link

Can the data passed to Syslog be equal to the nornal My Events logs? #5872

Open Andromeda175 opened 7 months ago

Andromeda175 commented 7 months ago

Not all data that appears in the normal "My Events" window appears in syslog.

Specifically:

User Login: MyEvents: Date, Time, User, Account login from 'IP Address', Windows type. Syslog: Date, Time, Account login from 'IP Address', Windows type. (user missing)

User Logout: MyEvents: Date, Time, User, Account Logout Syslog: Date, Time, Account Logout. (user missing)

Connection Event: (desktop/terminal/files) MyEvents: Date, Time, Remote Device Name, Message, including origin IP, and Target IP Syslog: Date, Time, Message, including origin IP, and Target IP. (remote device name missing)

Connection Event: (console) MyEvents: Date, Time, Remote Device Name, Message including origin IP (but not Target IP) Syslog: Date, Time, Message - excluding origin IP and Target IP. (and remote device name missing)

Both the Syslog receiver, syslog parser, and the Syslog to Plain Text convertor is under our direct programming control, and the user or device info, if it existed, would be included in the text under the message field.

I don't know node.js but suspect that the missing data could be added in around line 2202 in meshcentral.js, where the eventlog and syslog handling resides.

I look forward to any help that can be provided. Attached: MyEvents, Syslog plain text output in our SIEM/MSP console, meshcentral screen shot.

My Events Syslog meshcentral

Ylianst commented 7 months ago

Hi. In your config.json, instead of

"syslog": "meshcentral",

Try using:

"syslogjson": "meshcentral"

This will dump the entire MeshCentral event object as JSON into the syslog. You can then decode everything you like. You will probably want this if you have programming control over the system log and want to do your own processing of the events.

Your right that "syslog" alone will just dump the event "msg" into the system log and this will not include a lot of other information that is available from the MeshCentral event object.

This line in the code could be changed to add the data you want:

        if (obj.syslog && event.msg) { obj.syslog.log(obj.syslog.LOG_INFO, event.msg); }

You could change it to something like:

        if (obj.syslog && event.msg) {
          var msg = event.msg;
          if (event.someinfo != null) { msg += ', someinfo:' + event.someinfo; }
          obj.syslog.log(obj.syslog.LOG_INFO, msg);
        }

You could also change the "LOG_INFO" to something else based on the data. I am not super familiar with syslogs, but if you make improvements in this area, I will very happily include them in MeshCentral.

Andromeda175 commented 7 months ago

Hi Ylianst

Thanks for that.

I'm not that familiar with js. Where do I find what properties the EVENT object has?