ericmccullough / r2d2

Remote Rogue Device Detector
MIT License

Logging for integration to SIEM #26

Open ericmccullough opened 5 years ago

ericmccullough commented 5 years ago

Syslog events:

Include fields:

  1. timestamp
  2. device MAC
  3. device IP
  4. detected by DHCP|Sweeper
  5. detector IP
  6. device status
  7. ?lease created/updated/exp, if applicable
  8. ?lease scope, if applicable

Audit events:

ericmccullough commented 5 years ago

From reswob: Here is the first draft of a json that I can think of:

This will be the alert when a rogue is found and after all subroutines have been run. Any fields where the subroutines couldn't get the info should be either blank or have null:

{"r2d2": {
    "sensor": "pi1",
    "subnet": "1.1.1.0",
    "mac": "",
    "dhcp-host": "",
    "IP": "",
    "Alive": "yes/no",
    "@timestamp": "<time of discovery>",
    "Found_before": "yes/no",
    "Lease": "",
    "Vendor": "",
    "OS": ["<OS guess #1>", "<OS guess #2>", ...],
    "Host_Access": "yes/no",
    "Agents": ["HBSS", "Symantec AV", "Tanium", ...],
    "Open_Ports": ["22", "80", "443"]
}}

A basic alert could be sent when the rogue is found, but before the subroutines run:

{"r2d2": {
    "sensor": "pi1",
    "subnet": "1.1.1.0",
    "mac": "",
    "dhcp-host": "",
    "IP": "",
    "@timestamp": "<time of discovery>",
    "Found_before": "yes/no",
    "Lease": "",
    "Vendor": ""
}}

Also, the sensor should send a status notification periodically.

{"r2d2" : { "sensor" : "pi1", "subnet" : "1.1.1.0", "version" : "###", "@timestamp":"

We will have to watch the size. UDP syslog is limited to 1024 bytes.

The json would form the message part of the syslog.
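A Python sketch, added here and not part of r2d2 or this thread, that builds the draft alert with null placeholders for fields the subroutines could not fill, frames it as the MSG part of an RFC 3164 syslog packet, and falls back to the basic alert when the full one would exceed the 1024-byte UDP limit discussed above. Function names, the "sensor" spelling of the key, and the facility/severity values are this example's own assumptions.

```python
import json
from datetime import datetime, timezone

# Names in this file are the example's own, not the r2d2 project's.
SYSLOG_MAX_BYTES = 1024  # RFC 3164 UDP limit cited in the thread

# Field set of the "basic alert" (sent before subroutines run).
BASIC_FIELDS = ("sensor", "subnet", "mac", "dhcp-host", "IP",
                "@timestamp", "Found_before", "Lease", "Vendor")

def build_alert(sensor, subnet, mac, ts=None, **results):
    """Full alert; anything a subroutine could not resolve stays null/empty."""
    fields = {
        "sensor": sensor, "subnet": subnet, "mac": mac,
        "dhcp-host": None, "IP": None, "Alive": None,
        "@timestamp": ts or datetime.now(timezone.utc).isoformat(),
        "Found_before": None, "Lease": None, "Vendor": None,
        "OS": [], "Host_Access": None, "Agents": [], "Open_Ports": [],
    }
    unknown = set(results) - set(fields)   # reject keys the SIEM parser won't know
    if unknown:
        raise ValueError(f"fields not in the alert schema: {sorted(unknown)}")
    fields.update(results)
    return {"r2d2": fields}

def basic_alert(alert):
    """Strip the subroutine results, leaving only the basic-alert fields."""
    return {"r2d2": {k: alert["r2d2"][k] for k in BASIC_FIELDS}}

def syslog_packet(alert, hostname="pi1", facility=1, severity=4, tag="r2d2"):
    """RFC 3164 framing: <PRI>TIMESTAMP HOSTNAME TAG: MSG, MSG being the JSON."""
    pri = facility * 8 + severity            # user-level (1), warning (4) -> 12
    stamp = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    msg = json.dumps(alert, separators=(",", ":"))  # compact: every byte counts
    return f"<{pri}>{stamp} {hostname} {tag}: {msg}".encode("utf-8")

def fits_udp(packet):
    return len(packet) <= SYSLOG_MAX_BYTES

def packet_for_udp(alert, **kw):
    """Send the full alert if it fits, otherwise fall back to the basic alert."""
    packet = syslog_packet(alert, **kw)
    if not fits_udp(packet):
        packet = syslog_packet(basic_alert(alert), **kw)
    return packet

def parse_packet(packet):
    """Collector side: recover the JSON that follows the 'TAG: ' separator."""
    return json.loads(packet.split(b": ", 1)[1])
```

A collector can recognise the fallback because the subroutine keys ("OS", "Agents", "Open_Ports", ...) are absent rather than null.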