defenxor / dsiem

Security event correlation engine for ELK stack
GNU General Public License v3.0

Firewall Logs over Syslog #170

Closed arun81 closed 5 years ago

arun81 commented 5 years ago

Hi

Thanks for this project ...

Can you please explain how to configure DSIEM for accepting traffic from firewall devices over Syslog 514 (Cisco ASA / Fortinet / Palo Alto / Checkpoint).

Thanks

isnuryusuf commented 5 years ago

I think you just need to enable rsyslog to accept syslog from external machines:

$ vim /etc/rsyslog.conf

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

Uncomment the protocol you want to use for accepting syslog (TCP/UDP) and restart the rsyslog service.

On the client (assuming you use Linux), edit the same file and add something like:

FORMAT:
SEVERITY[dot]FACILITY[SPACE/TAB]LOG-Destination

*.* @@ip-syslog-server  (for tcp)
or
*.* @ip-syslog-server (for UDP)

and restart your rsyslog service.

Test by triggering a message using: logger -p debug "your message"

For Cisco ASA/Forti/Palo Alto/CP, please refer to the official documentation.
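
The forwarding test above, as an added example that is not part of this thread or of the dsiem project: a small Python decoder for the `<PRI>` header a syslog receiver sees from rsyslog, plus an rsyslog-style `facility.severity` selector check, so you can confirm that what arrives is what `logger -p debug` sent (user.debug, PRI 15). The sample lines are constructed, not captured from a real device.

```python
"""Decode RFC 3164 <PRI> headers and evaluate rsyslog-style selectors.

PRI = facility * 8 + severity. `logger -p debug "your message"` sends
user.debug, which a receiver sees as "<15>...". Samples are constructed.
"""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(message):
    """Return (facility, severity, rest) for a message starting with <PRI>."""
    m = PRI_RE.match(message)
    if not m:
        raise ValueError("missing <PRI> header: %r" % message[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    fac, sev = divmod(pri, 8)
    return FACILITIES[fac], SEVERITIES[sev], m.group(2)


def selector_matches(selector, facility, severity):
    """rsyslog selector semantics: 'FACILITY.SEVERITY' matches the named
    severity and anything more severe; '*' on either side matches all."""
    fac_part, sev_part = selector.split(".", 1)
    if fac_part != "*" and facility not in fac_part.split(","):
        return False
    if sev_part == "*":
        return True
    return SEVERITIES.index(severity) <= SEVERITIES.index(sev_part)


# Constructed samples: what a receiver sees after the logger test and after
# an auth.warning event are forwarded by the client's rsyslog.
SAMPLES = [
    "<15>Oct  5 10:00:01 client1 root: your message",
    "<36>Oct  5 10:00:02 client1 sshd[412]: Failed password for invalid user test",
]

if __name__ == "__main__":
    for line in SAMPLES:
        fac, sev, rest = decode_pri(line)
        print("%s.%s  matched by '*.*': %s  by 'auth.err': %s" % (
            fac, sev, selector_matches("*.*", fac, sev),
            selector_matches("auth.err", fac, sev)))
```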

mmta commented 5 years ago

What @isnuryusuf said is correct.

Basically you have to ingest your logs to Elasticsearch first before using Dsiem.

To do that initial ingestion, you can forward your logs to any Syslog server, then use Filebeat to push those logs to Logstash then Elasticsearch. Alternatively, you can also push the logs directly to Logstash syslog input plugin.

Once you have the logs in Elasticsearch, you can then use dpluger command to auto-generate the necessary Logstash config files to normalize the events and forward them to Dsiem. Refer to this example on how to do this: https://github.com/defenxor/dsiem/blob/master/docs/dsiem_plugin.md#example-1-sid-based-plugin

arun81 commented 5 years ago

Sounds great. Anyway, thanks for your support.

Thanks