sans-blue-team / DeepBlueCLI

GNU General Public License v3.0

Need to Forward Logs of DeepblueCLI to a Syslog Server #30

Closed therajvira closed 2 years ago

therajvira commented 2 years ago

Hello Team,

I want to forward the DeepBlueCLI output into a logfile which can then be sent to a Syslog Server. Is there a way to do it?

Regards

joswr1ght commented 2 years ago

This seems like something Posh-Syslog would help with. The nice thing about DBCLI is that the output is just PowerShell objects, so you can integrate the output with any other PowerShell pipeline tool. I imagine DeepBlue.ps1 | ForEach-Object { Send-SyslogMessage -Server '127.0.0.1' -Message "$($_.Message) - $($_.Results)" -Severity 'Alert' -Facility 'local0' } might do the trick!

Give that a shot and feel free to close this once you have some results.
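As a worked version of the pipeline suggested above, here is an added example script (not part of DeepBlueCLI or of this thread) that forwards each alert as a plain-text syslog message through Posh-Syslog. It assumes Posh-Syslog is installed, that `DeepBlue.ps1` is run from the DeepBlueCLI directory against the default local Security log as in the thread, and that a collector is listening at the placeholder address in `$SyslogServer`; the `Get-AlertSeverity` helper and its escalation of Event ID 1102 are this example's own choices, not project behaviour.

```powershell
# Added example: forward DeepBlueCLI alerts to a syslog collector via Posh-Syslog.
# Assumptions: Posh-Syslog is installed (Install-Module Posh-Syslog), DeepBlue.ps1
# is in the current directory, and $SyslogServer is a placeholder collector address.
param(
    [string]$SyslogServer = '127.0.0.1',
    [string]$DeepBluePath = '.\DeepBlue.ps1'
)

Import-Module Posh-Syslog

# Choose a syslog severity per alert. The thread sends everything as 'Alert';
# this helper (an assumption of the example) escalates an audit-log clear
# (Security Event ID 1102) to 'Critical' so the collector can route it first.
function Get-AlertSeverity {
    param($Alert)
    if ($Alert.EventID -eq 1102) { return 'Critical' }
    return 'Alert'
}

# Each object emitted by DeepBlue.ps1 carries Date, Log, EventID, Message,
# Results, Command and Decoded properties (the fields visible in the thread).
& $DeepBluePath | ForEach-Object {
    # Inside a double-quoted string "$_.Message" expands only $_ and then appends
    # the literal text ".Message"; the $( ) subexpression is what reads the property.
    # Results can span several lines, so newlines are collapsed to keep one
    # syslog record per alert.
    $text = "$($_.Log) EventID=$($_.EventID) $($_.Message) - $($_.Results -replace '\s+', ' ')"
    Send-SyslogMessage -Server $SyslogServer -Message $text `
        -Severity (Get-AlertSeverity $_) -Facility 'local0'
}
```

Run it as `.\Forward-DeepBlueAlerts.ps1 -SyslogServer <collector>` (the file name is arbitrary). Collapsing whitespace in `Results` matters because some collectors split a multi-line UDP payload into separate, context-free records.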

therajvira commented 2 years ago

Hey Joshua,

Thanks a lot, this has worked for us.

Regards

therajvira commented 2 years ago

Hi Team,

Is there any way to forward the DeepBlueCLI logs in a JSON format using Posh-Syslog? This will be really helpful.

Any help would be appreciated.

Regards. Raj Vira.

joswr1ght commented 2 years ago

You have some options.

PowerShell supports ConvertTo-JSON which could be used to take the DBCLI output and convert it to JSON, but then it's a single JSON blob. I don't know if that's what you want, and it might exceed the length limitation for Syslog messages if there are a lot of alerts, but it's straightforward in PowerShell:

PS C:\Users\Sec504\Downloads\DeepBlueCLI> .\DeepBlue.ps1 | ConvertTo-JSON -OutVariable json
[
    {
        "Date":  "\/Date(1655033354955)\/",
        "Log":  "Security",
        "EventID":  4672,
        "Message":  "Multiple admin logons for one account",
        "Results":  "Username: Sec504\nUser SID Access Count: 2",
        "Command":  "",
        "Decoded":  ""
    },
    {
        "Date":  "\/Date(1655033354955)\/",
        "Log":  "Security",
        "EventID":  4672,
        "Message":  "Multiple admin logons for one account",
        "Results":  "Username: Sec504\nUser SID Access Count: 2",
        "Command":  "",
        "Decoded":  ""
    }
]
PS C:\Users\Sec504\Downloads\DeepBlueCLI> Send-SyslogMessage -Server '127.0.0.1' -Facility local0 -severity alert -message $json

Otherwise, you could send each alert as its own JSON blob with a ForEach-Object loop:

PS C:\Users\Sec504\Downloads\DeepBlueCLI> .\DeepBlue.ps1 | ForEach-Object { $_ |COnvertTo-Json -outvariable json ; Send-SyslogMessage -Server '127.0.0.1' -Facility local0 -severity alert -message $json }
{
    "Date":  "\/Date(1655033354955)\/",
    "Log":  "Security",
    "EventID":  1102,
    "Message":  "Audit Log Clear",
    "Results":  "The Audit log was cleared.\nAccount Name:\tSec504",
    "Command":  "",
    "Decoded":  ""
}
{
    "Date":  "\/Date(1655033354955)\/",
    "Log":  "Security",
    "EventID":  4672,
    "Message":  "Multiple admin logons for one account",
    "Results":  "Username: Sec504\nUser SID Access Count: 2",
    "Command":  "",
    "Decoded":  ""
}

Good luck!
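The per-alert loop above works, but the `\/Date(...)\/` timestamp is a .NET serialisation artefact that most SIEM JSON parsers will not read, and the thread's note about syslog length limits is left to the collector. The following added example (not part of DeepBlueCLI or of this thread) emits one compact JSON object per alert with an ISO 8601 timestamp and an explicit byte budget. It assumes Posh-Syslog is installed, that `DeepBlue.ps1` is in the current directory, that `$SyslogServer` is a placeholder collector address, and that `$MaxBytes` is a budget you set for your collector (RFC 3164 caps a whole message at 1024 bytes; RFC 5424 receivers must accept at least 2048 octets, and the syslog header counts against either limit).

```powershell
# Added example: one compact JSON record per DeepBlueCLI alert, sized for syslog.
# Assumptions: Posh-Syslog is installed, DeepBlue.ps1 is in the current directory,
# $SyslogServer is a placeholder collector address, and $MaxBytes is a payload
# budget chosen for the collector in use.
param(
    [string]$SyslogServer = '127.0.0.1',
    [string]$DeepBluePath = '.\DeepBlue.ps1',
    [int]$MaxBytes = 1024
)

Import-Module Posh-Syslog

# Build a single-line JSON document from one DeepBlueCLI alert object.
# Field names are this example's own (lower-case, SIEM-friendly); the source
# properties are the ones DeepBlue.ps1 emits in the thread's output.
function ConvertTo-AlertJson {
    param($Alert, [int]$MaxBytes)

    $record = [ordered]@{
        # ConvertTo-Json would render a DateTime as "\/Date(ms)\/"; emit ISO 8601 in UTC instead.
        timestamp = $Alert.Date.ToUniversalTime().ToString('o')
        log       = $Alert.Log
        event_id  = $Alert.EventID
        message   = $Alert.Message
        results   = $Alert.Results
        command   = $Alert.Command
        decoded   = $Alert.Decoded
    }
    $json = [pscustomobject]$record | ConvertTo-Json -Compress

    # Long encoded command lines (Command/Decoded) are the usual reason an alert
    # overflows the budget. Drop those two fields, keep the detection fields, and
    # flag the record so an analyst knows to pull the full event from the host.
    if ([Text.Encoding]::UTF8.GetByteCount($json) -gt $MaxBytes) {
        $record.command   = ''
        $record.decoded   = ''
        $record.truncated = $true
        $json = [pscustomobject]$record | ConvertTo-Json -Compress
    }
    return $json
}

& $DeepBluePath | ForEach-Object {
    $json = ConvertTo-AlertJson -Alert $_ -MaxBytes $MaxBytes
    Send-SyslogMessage -Server $SyslogServer -Message $json -Severity 'Alert' -Facility 'local0'
}
```

`-Compress` removes the pretty-printing that the thread's output shows, so each alert arrives as exactly one line; the `truncated` flag is only present on records that were trimmed, which makes those easy to search for on the collector.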

therajvira commented 2 years ago

Hey Joshua,

Thanks a lot again, this has worked for us.

Regards