blueteamvillage / DC31-obsidian-sec-eng

MIT License

Feature request - Onboard Syslog logs to Splunk #136

Closed plugxor closed 1 year ago

plugxor commented 1 year ago

Background:

While looking into index=syslog I noticed no logs exist. We need to onboard syslogs from our Linux machine.

Request for us to build

Please onboard syslog logs from the Linux server. Assuming we are running Ubuntu, please onboard anything under /var/log/*

If that is not possible, at a minimum, we need: /var/log/auth.log /var/log/daemon.log

CRITERIA FOR SUCCESS

index=syslog should have data

Note: I did not find sshd, kernel, or package installation events in sysmonlinux. Thus this request.

DRIs

@plugxor

juju4 commented 1 year ago

As said in https://github.com/blueteamvillage/sec-eng-infra-ops/issues/95#issuecomment-1509393264, the linux syslogs are in index=linux for splunk

plugxor commented 1 year ago

@juju4 Thanks for the comment, I don't see the logs from the log4j server on either index=linux or index=sysmonforlinux

We need those server logs unless we have them, but they have a different IP from what the network diagram has.

juju4 commented 1 year ago

correct. filebeat was missing from log4j server. Partially fixed in https://github.com/blueteamvillage/DC31-obsidian-sec-eng/pull/144

Splunk: (index=sysmonforlinux OR index=linux OR index=osquery) agent.name=ip-172-16-40-100* | stats count by index,agent.name,agent.type = few events. Need to finish validating cribl and splunk

juju4 commented 1 year ago

index=* agent.name=ip-172-16-40-100* index=nginx has logs now

Note that hitting splunk license warnings Licensed daily volume 500 MB Volume used today 4,108 MB (821.513% of quota) Warning count 4

iotplc01 and cribl logs (top volume) were temporarily turned off. Will restart them in a bit and confirm still ok

juju4 commented 1 year ago

cribl part in

juju4 commented 1 year ago

issue with some logs lost: index=* agent.name=ip-172-16-40-100* index=nginx has curl requests 1, 2, 3 and 6 but not 4 and 5, while those commands are in sysmon per index=* curl agent.name=ip-172-16-40-100* | stats count by index,agent.name,agent.type,CommandLine (twice, both index=linux and index=sysmonforlinux)

juju4 commented 1 year ago

moved nginx logs to json for easier parsing https://github.com/blueteamvillage/DC31-obsidian-sec-eng/pull/144/commits/7cf78c7a1ec72cfc9e0a6a29ebb8f6f5cd23bb2c

index=* agent.name=ip-172-16-40-100*  index=nginx
| spath input=message 
| stats count by uri,http_user_agent
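An added example, not code from the issue or the DC31-obsidian-sec-eng repository: the Python below mirrors the two checks in this thread offline. It parses JSON-formatted nginx access-log messages the way `| spath input=message` does, counts them by uri and http_user_agent like `| stats count by uri,http_user_agent`, and then cross-checks curl command lines from Sysmon process events against the nginx log to flag requests that the web server never recorded (the "1, 2, 3 and 6 but not 4 and 5" gap above). The sample log lines and command lines are constructed for the example; the only value taken from the thread is the host 172.16.40.100.

```python
import json
from collections import Counter

# Constructed sample of nginx access-log messages in JSON format (not real project data).
# One deliberately malformed line is included to show that parsing must tolerate it.
NGINX_JSON_LINES = [
    '{"uri": "/", "http_user_agent": "curl/7.81.0", "status": 200}',
    '{"uri": "/", "http_user_agent": "curl/7.81.0", "status": 200}',
    '{"uri": "/admin", "http_user_agent": "curl/7.81.0", "status": 403}',
    'this line is not json and should be skipped',
    '{"uri": "/status", "http_user_agent": "curl/7.81.0", "status": 200}',
]

# Constructed sample of CommandLine values from Sysmon-for-Linux process events
# on the web host (172.16.40.100 is the host named in the thread).
SYSMON_COMMANDLINES = [
    "curl http://172.16.40.100/",
    "curl -s http://172.16.40.100/",
    "curl http://172.16.40.100/admin",
    "curl http://172.16.40.100/login",
    "curl http://172.16.40.100/api/v1",
    "curl http://172.16.40.100/status",
]


def parse_nginx_json(lines):
    """Equivalent of `| spath input=message`: parse each message as JSON, skipping bad lines."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A non-JSON line means the log format change was incomplete; skip it rather than fail.
            continue
    return events


def count_by_uri_and_agent(events):
    """Equivalent of `| stats count by uri,http_user_agent`."""
    return Counter((e.get("uri"), e.get("http_user_agent")) for e in events)


def uri_from_curl_commandline(cmd):
    """Pull the request path out of a curl command line (first http/https token)."""
    for tok in cmd.split():
        if tok.startswith("http://") or tok.startswith("https://"):
            rest = tok.split("://", 1)[1]
            return rest[rest.find("/"):] if "/" in rest else "/"
    return None


def missing_in_nginx(sysmon_cmds, nginx_events):
    """Return {uri: shortfall} for curl requests seen in Sysmon but absent (or under-counted) in nginx."""
    seen = Counter(e.get("uri") for e in nginx_events)
    expected = Counter(u for u in (uri_from_curl_commandline(c) for c in sysmon_cmds) if u)
    return {uri: n - seen.get(uri, 0) for uri, n in expected.items() if n > seen.get(uri, 0)}


if __name__ == "__main__":
    events = parse_nginx_json(NGINX_JSON_LINES)
    for (uri, ua), n in sorted(count_by_uri_and_agent(events).items()):
        print(f"{n:4d}  {uri}  {ua}")
    print("missing from nginx:", missing_in_nginx(SYSMON_COMMANDLINES, events))
```

The shortfall check is the useful part for log onboarding: a non-empty result means the process telemetry saw requests that the access-log pipeline (filebeat, cribl, Splunk) dropped somewhere, which is exactly the condition to chase before declaring an index "has data".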
juju4 commented 1 year ago

Closing as was delivered for KC execution end of April