rsyslog / liblognorm

a fast samples-based log normalization library
http://www.liblognorm.com
GNU Lesser General Public License v2.1

log normalization #316

Open birolemekli opened 5 years ago

birolemekli commented 5 years ago

Hello there. rsyslog is my central server; it receives Windows server audit logs, Apache logs and pfSense logs. I need to normalize them. I have to normalize the web requests, ssh logs and audit logs and save them to different files. Then I will carry out attack detection by subjecting them to correlation. How can liblognorm help me?

davidelang commented 5 years ago

On Thu, 15 Nov 2018, birolemekli wrote:

> Hello there. rsyslog is my central server; it receives Windows server audit logs, Apache logs and pfSense logs. I need to normalize them. I have to normalize the web requests, ssh logs and audit logs and save them to different files. Then I will carry out attack detection by subjecting them to correlation. How can liblognorm help me?

You use liblognorm (via the mmnormalize module in rsyslog) to parse the logs to extract the important information into variables (held in a JSON structure in rsyslog). This allows you to eliminate the variation in similar messages (all login messages would produce the same variables, no matter what the original logs looked like).

You can then use those variables in a template to send a standard ('normalized') log to something to keep track of that sort of event.

David Lang
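The mmnormalize setup described above, as an added example that is not part of this issue or of the liblognorm project: a small liblognorm v2 rulebase for sshd login messages plus the rsyslog configuration that loads it and writes the normalized fields to a separate file. The file paths, the tag names (`login`, `success`, `failure`), the field names (`user`, `src_ip`, `src_port`, `auth_method`) and the template layout are assumptions; the message samples follow the standard OpenSSH "Accepted/Failed password for ..." format.

```conf
# --- /etc/rsyslog.d/login.rb : liblognorm v2 rulebase (assumed path) ---
version=2
# A rule must match the whole MSG. Every rule below emits the same variables
# (auth_method, user, src_ip, src_port); only the tags differ, so a successful
# and a failed login look identical downstream except for $!event.tags.
rule=login,success:Accepted %auth_method:word% for %user:word% from %src_ip:ipv4% port %src_port:number% ssh2
rule=login,failure:Failed %auth_method:word% for %user:word% from %src_ip:ipv4% port %src_port:number% ssh2
rule=login,failure:Failed %auth_method:word% for invalid user %user:word% from %src_ip:ipv4% port %src_port:number% ssh2

# --- /etc/rsyslog.d/10-normalize.conf : rsyslog side (assumed path) ---
module(load="mmnormalize")

# Normalized line: timestamp, user, source address and the rule tags.
# Parsed fields live in the message's JSON tree and are read with $!name.
template(name="login_norm" type="list") {
    property(name="timereported" dateFormat="rfc3339")
    constant(value=" login user=")
    property(name="$!user")
    constant(value=" src=")
    property(name="$!src_ip")
    constant(value=" tags=")
    property(name="$!event.tags")
    constant(value="\n")
}

if $programname == "sshd" then {
    # useRawMsg="off": parse only the MSG part, not the full syslog header.
    action(type="mmnormalize" rulebase="/etc/rsyslog.d/login.rb" useRawMsg="off")
    # mmnormalize sets $parsesuccess to "OK" when a rule matched; messages that
    # match no rule fall through to the normal rsyslog processing.
    if $parsesuccess == "OK" then {
        action(type="omfile" file="/var/log/normalized/login.log" template="login_norm")
        stop
    }
}
```

A rulebase can be checked outside rsyslog with the `lognormalizer` tool shipped with liblognorm by piping sample messages into `lognormalizer -r login.rb`, which prints the resulting JSON for each line.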

birolemekli commented 5 years ago

I would like to improve myself in the SIEM area. I collected Windows server, pfSense and web server logs with syslog.

I need to get the log files in the same format.

Windows Server Audit Logs

screenshot

Web Apache Logs

screenshot

Firewall pfSense Logs

screenshot

Logs are saved in this way. I don't want to record more logs here. The Windows server log is meaningless. I just want to make it simpler. Then I will be able to make corrections and attack detection through these logs. I need your help on this. Can liblognorm do this?

Can you help me?

davidelang commented 5 years ago

On Sun, 18 Nov 2018, birolemekli wrote:

> I would like to improve myself in the SIEM area. I collected Windows server, pfSense and web server logs with syslog.
>
> I need to get the log files in the same format.
>
> Windows Server Audit Logs
>
> screenshot
>
> Web Apache Logs
>
> screenshot
>
> Firewall pfSense Logs
>
> screenshot
>
> Logs are saved in this way. I don't want to record more logs here. The Windows server log is meaningless. I just want to make it simpler. Then I will be able to make corrections and attack detection through these logs. I need your help on this. Can liblognorm do this?

yes

> Can you help me?

what sort of help are you looking for?

are you looking to hire someone to do this work for you?

or are you looking for help learning how to configure the tools?

David Lang