Closed arun81 closed 5 years ago
I think you just need to enable rsyslog to accept the syslog facility from an external machine:

```
$ vim /etc/rsyslog.conf
```

```
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
```
Uncomment the protocol you want to use for accepting syslog (TCP/UDP) and restart the rsyslog service.

On the client (assuming you use Linux), edit the same file and add something like:
Format: `SEVERITY[dot]FACILITY[SPACE/TAB]LOG-Destination`

```
*.* @@ip-syslog-server
```
(for TCP) or

```
*.* @ip-syslog-server
```
(for UDP)

and restart your rsyslog service.

Test by triggering a message with: `logger -p debug "your message"`

For Cisco ASA/Fortinet/Palo Alto/Check Point please refer to the official documentation.
What @isnuryusuf said is correct.
Basically you have to ingest your logs to Elasticsearch first before using Dsiem.
To do that initial ingestion, you can forward your logs to any syslog server, then use Filebeat to push those logs to Logstash and on to Elasticsearch. Alternatively, you can push the logs directly to Logstash's syslog input plugin.

Once you have the logs in Elasticsearch, you can then use the dpluger command to auto-generate the necessary Logstash config files to normalize the events and forward them to Dsiem. Refer to this example on how to do this: https://github.com/defenxor/dsiem/blob/master/docs/dsiem_plugin.md#example-1-sid-based-plugin
Sounds great. Anyway, thanks for your support.
Thanks
Hi
Thanks for this project.

Can you please explain how to configure Dsiem to accept traffic from firewall devices over syslog 514 (Cisco ASA / Fortinet / Palo Alto / Checkpoint)?
Thanks