sophos / Sophos-Central-SIEM-Integration

Simple integration script for 3rd party systems such as SIEMs. Offers command line, file or syslog output in CEF, JSON or key-value pair formats.

syslog export to siem #47

Closed Ari-R closed 3 years ago

Ari-R commented 3 years ago

Hi, I am trying to export syslogs to a SIEM using this script. The script downloads the logs fine and stores them in results.txt, but it seems to not be sending the logs on to the SIEM. I'm pretty sure my config is right (copied below), but it seems like nothing at all is being sent.

[login]
# API Access URL + Headers
# API token setup steps: https://community.sophos.com/kb/en-us/125169
token_info = mytokeninfo

# format can be json, cef or keyvalue
format = json

# filename can be syslog, stdout, any custom filename
filename = syslog

# endpoint can be event, alert or all
endpoint = event

# syslog properties
# for remote address use :, for e.g. 192.1.2.3:514
# for linux local systems use /dev/log
# for MAC OSX use /var/run/syslog
address = xxx.xxx.xxx.xxx:514
facility = daemon
socktype = udp

edit: after checking a tcpdump of what is being sent when I run the script, I get this:

Syslog message id: : PAM unable to dlopen(/usr/lib64/security/pam_passwdqc.so): /usr/lib64/security/pam_passwdqc.so: cannot open shared object file: No such file or directory
Syslog message id: : PAM adding faulty module: /usr/lib64/security/pam_passwdqc.so

among some other things also. Think this may have something to do with it.

anil-sophos commented 3 years ago

@Ari-R Are you still facing the issue?

kaushal-sophos commented 3 years ago

@Ari-R Your configuration seems to be correct. If you are still facing the issue with Syslog configuration please make sure that the port that you have configured is open on a remote SIEM instance. We verified the configuration with both TCP and UDP protocols and it seems to be working as expected.
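A loopback check that exercises the same address, facility and socktype settings the script reads from the [login] section, so the wire format can be confirmed locally before blaming the remote port. This is an added example, not code from the Sophos project; SAMPLE_CONFIG and the function names are assumptions, and the address is a placeholder for the poster's xxx.xxx.xxx.xxx:514.

```python
import logging
import logging.handlers
import socket

# Constructed sample mirroring the [login] keys quoted in the issue; the address
# is a placeholder for the poster's xxx.xxx.xxx.xxx:514.
SAMPLE_CONFIG = {"address": "127.0.0.1:514", "facility": "daemon", "socktype": "udp"}

def parse_syslog_target(config):
    """Map address/facility/socktype to SysLogHandler arguments: "host:port" becomes
    a (host, port) tuple, anything else is a local socket path (/dev/log)."""
    raw = config["address"]
    if ":" in raw:
        host, port = raw.rsplit(":", 1)
        address = (host, int(port))
    else:
        address = raw
    facility = logging.handlers.SysLogHandler.facility_names[config["facility"].lower()]
    socktype = socket.SOCK_STREAM if config["socktype"].lower() == "tcp" else socket.SOCK_DGRAM
    return address, facility, socktype

def send_test_event(config, message):
    """Emit one message to the configured syslog target, then detach the handler."""
    address, facility, socktype = parse_syslog_target(config)
    handler = logging.handlers.SysLogHandler(address=address, facility=facility, socktype=socktype)
    logger = logging.getLogger("siem-probe")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.addHandler(handler)
    try:
        logger.info(message)
    finally:
        logger.removeHandler(handler)
        handler.close()

def probe_udp_roundtrip(message, facility="daemon", timeout=2.0):
    """Bind a loopback UDP listener, send through the handler and return the raw
    datagram (PRI header plus message). Success here but silence at the SIEM
    points at the network path or the collector's port, not the script config."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    listener.settimeout(timeout)
    config = {"address": "127.0.0.1:%d" % listener.getsockname()[1],
              "facility": facility, "socktype": "udp"}
    try:
        send_test_event(config, message)
        data, _ = listener.recvfrom(4096)
    finally:
        listener.close()
    return data.decode("utf-8", "replace").rstrip("\x00")
```

With facility daemon and an INFO record the datagram starts with the PRI header `<30>`, which is what a collector filtering on facility/severity should see; pointing SAMPLE_CONFIG at the real SIEM address and calling send_test_event reproduces exactly what the script emits.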

ramksophos commented 3 years ago

Closing this as an old issue. Please reopen when you have more info that might help us debug the problem.