Linux to Alien Vault formatting
rwebster created
I'm relatively new to NXLog and to Alien Vault log ingestion. I have followed their setup guide here: https://cybersecurity.att.com/documentation/usm-anywhere/deployment-guide/setup/linux-logs-nxlog.htm?Highlight=linux%20logs%20nxlog.
We are using NxLog EE and the nxlog manager to push configs.
I have two modules I'm looking to collect logs with, and I feel that they are pretty straightforward. I'm trying to capture /var/log/messages and the audit.log. I also want to capture the FIM.
Using the im_file module, I'm able to capture these logs and they get to AlienVault; they are even parsed in JSON, which looks nice. My issue is that you can't really report on anything, as they don't generate any useful flags which Alien Vault can use to trigger alarms and such. A lot of the logs get flagged as Alien Vault Generic Results, which means that the format isn't triggering their Alien Vault Data Source plugins. Some logs are getting recognized by Alien Vault and triggering the appropriate data source, but they are also not getting any useful information to report on. When I compare these logs to the Windows logs that we are capturing, the Linux logs have significantly less metadata within them. Something as simple as eventoutcome would be nice, e.g. if I wanted to see failed attempts to elevate to sudo, see that event fail and generate an alert.
I'm wondering if anyone would mind sharing their module configs for Linux if you use Alien Vault (ATT USM) as your SIEM.
Here is the config I am currently using.
LogLevel INFO
Logfile  %LOGDIR%/nxlog.log

<Extension agent_managment>
    Module         xm_soapadmin
    Connect        1.1.1.1
    Port           4041
    SocketType     SSL
    CAFile         %CERTDIR%/agent-ca.pem
    AllowUntrusted FALSE
    RequireCert    TRUE
    <ACL conf>
        Directory  %CONFDIR%
        AllowRead  TRUE
        AllowWrite TRUE
    </ACL>
    <ACL cert>
        Directory  %CERTDIR%
        AllowRead  TRUE
        AllowWrite TRUE
    </ACL>
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Extension syslog>
    Module xm_syslog
</Extension>

<Input var_messages_in>
    Module    im_file
    File      '/var/log/messages'
    InputType LineBased
    SavePos   TRUE
    Exec      parse_syslog();
</Input>

<Input fim_linux>
    Module  im_fim
    File    '/bin/'
    File    '/etc/'
    File    '/lib/'
    File    '/opt/nxlog/bin/'
    File    '/opt/nxlog/lib/'
    File    '/sbin/'
    File    '/usr/bin/'
    File    '/usr/sbin/'
    Exclude '/etc/hosts.deny'
    Exclude '/etc/mtab'
</Input>

<Input var_audit_in>
    Module    im_file
    File      '/var/log/audit/audit.log'
    InputType LineBased
    # SavePos FALSE re-reads the whole file after every restart, so the same
    # audit records are sent again
    SavePos   FALSE
    # audit.log records are "type=... msg=audit(...): key=value" pairs with no
    # syslog header, so parse_syslog() extracts no fields from them
    <Exec>
        parse_syslog();
        $Hostname = hostname();
        $FQDN = hostname_fqdn();
        $Tag = "audit";
        $SourceName = "selinux";
        $Message = $raw_event;
    </Exec>
</Input>

<Output out_syslog_ssl_br>
    Module      om_ssl
    Host        1.1.1.1
    Port        6514
    OutputType  LineBased
    CAFile      %CERTDIR%/agent-ca.pem
    CertFile    %CERTDIR%/agent-cert.pem
    CertKeyFile %CERTDIR%/agent-key.pem
    <Exec>
        $EventTime = $EventReceivedTime;
        $EventReceivedTime = integer($EventReceivedTime) / 1000000;
        # the JSON record becomes the body of the BSD syslog line
        $Message = to_json();
        to_syslog_bsd();
    </Exec>
</Output>

<Output out_fim_linux_ssl_BR>
    Module      om_ssl
    Host        1.1.1.1
    Port        6514
    # LineBased: with OutputType Binary the syslog line built below is wrapped
    # in NXLog's internal binary format, which a syslog receiver cannot parse
    OutputType  LineBased
    CAFile      %CERTDIR%/agent-ca.pem
    CertFile    %CERTDIR%/agent-cert.pem
    CertKeyFile %CERTDIR%/agent-key.pem
    <Exec>
        $SourceName = "FIM-LINUX-NXLOG-EE";
        $EventTime = strftime($EventTime, '%Y-%m-%d %H:%M:%S');
        $EventReceivedTime = strftime($EventReceivedTime, '%Y-%m-%d %H:%M:%S');
        $Message = to_json();
        to_syslog_bsd();
    </Exec>
</Output>

<Route route_syslog>
    Priority 1
    Path     var_audit_in, var_messages_in => out_syslog_ssl_br
</Route>

<Route FIM>
    Priority 2
    Path     fim_linux => out_fim_linux_ssl_BR
</Route>
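Added example, not from the post or from NXLog: the outcome-tagging logic that would otherwise live in an Exec block, written in Python so it can run against a few constructed /var/log/messages lines. It parses the BSD syslog header and then sets EventOutcome to success or failure for sudo and sshd records, the kind of flag the post is missing. Field names such as EventOutcome, AccountName and TargetUser are assumptions chosen to mirror the Windows event fields; the sample lines are constructed.

```python
import json
import re

# BSD syslog line as found in /var/log/messages:
#   "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sudo record; the optional leading phrase ("3 incorrect password attempts",
# "user NOT in sudoers") is present only when the elevation failed
SUDO_RE = re.compile(
    r"^(?P<user>\S+) : (?:(?P<fail>.+?) ; )?TTY=\S+ ; PWD=\S+ ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
SSHD_RE = re.compile(
    r"^(?P<verdict>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def enrich(line: str) -> dict:
    """Return the event as a dict carrying an EventOutcome (field names assumed)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"Message": line, "EventOutcome": "unknown"}
    ev = {"Hostname": m["host"], "SourceName": m["prog"], "Message": m["msg"].strip()}
    if m["pid"]:
        ev["ProcessID"] = int(m["pid"])
    if m["prog"] == "sudo" and (s := SUDO_RE.match(ev["Message"])):
        ev.update(AccountName=s["user"], TargetUser=s["target"], Command=s["cmd"])
        ev["EventOutcome"] = "failure" if s["fail"] else "success"
    elif m["prog"] == "sshd" and (s := SSHD_RE.match(ev["Message"])):
        ev.update(AccountName=s["user"], SourceAddress=s["src"], AuthMethod=s["method"])
        ev["EventOutcome"] = "success" if s["verdict"] == "Accepted" else "failure"
    ev.setdefault("EventOutcome", "unknown")
    return ev

# Constructed sample lines (not real log data)
SAMPLE_LINES = [
    "Jan 12 10:15:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls",
    "Jan 12 10:15:05 host1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Jan 12 10:16:00 host1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2",
    "Jan 12 10:16:10 host1 sshd[1235]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2",
    "Jan 12 10:17:00 host1 kernel: usb 1-1: new high-speed USB device",
]
if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(json.dumps(enrich(line)))
```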
CSV file in Linux
multiplierx created
Hello everyone,
As you can see from my NXlog config below, I am pulling the Linux auth logs in and passing them to our SIEM platform. The auth logs work fine; however, as you can also see, I am trying to pull in a CSV file that is located on the Linux box. Each individual event is surrounded by curly brackets, e.g. {'event}, so I would like to just pull each event into a field called message and then parse these messages on our SIEM platform. I can't seem to get this to work whatsoever: the TCP connection initiates, but NXlog doesn't pick up the CSV file. Any ideas?
Cheers
G
########################################
# Global directives                    #
########################################
User     nxlog
Group    nxlog
LogFile  /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules                              #
########################################
<Extension _syslog>
    Module xm_syslog
</Extension>

<Input auth_logs>
    Module       im_file
    File         "/var/log/auth.log"
    SavePos      TRUE
    ReadFromLast TRUE
</Input>

<Output to_relay>
    Module     om_tcp
    Host       127.0.0.1
    Port       20009
    OutputType LineBased
</Output>

########################################
# Routes                               #
########################################
<Route 1>
    Path auth_logs => to_relay
</Route>

# Delimiter is the field separator within one line; xm_csv does not split a
# stream of {...} records into separate events
<Extension csv1>
    Module    xm_csv
    Fields    $Message
    Delimiter '{'
</Extension>

<Input filein>
    Module       im_file
    File         "/etc/ingest/sucuri/sucuri.csv"
    # ReadFromLast defaults to TRUE, so an existing file that is not being
    # appended to is never read; FALSE reads it from the beginning
    ReadFromLast FALSE
    Exec         csv1->parse_csv();
</Input>

<Output test>
    Module     om_tcp
    Host       127.0.0.1
    Port       20002
    # Binary is NXLog's own wire format; only another NXLog instance can read it
    OutputType Binary
</Output>

<Route 2>
    Path filein => test
</Route>
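Added example, not from the post: a record splitter for a file of brace-wrapped events like the one described, in Python, showing the step xm_csv cannot do (its Delimiter separates fields within one line, not events in a stream). It tracks brace depth so nested objects, multi-line events and braces inside quoted strings stay intact, and hands back an unfinished trailing event for the next read; the sample text is constructed.

```python
from typing import List, Tuple

def split_events(text: str) -> Tuple[List[str], str]:
    """Split a stream of {...} events into whole records.
    Returns (complete events, unconsumed tail): an event whose closing
    brace has not been written yet comes back as the tail for a later read."""
    events: List[str] = []
    depth, start = 0, -1
    quote, escaped = "", False       # state while inside a quoted string
    for i, ch in enumerate(text):
        if quote:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == quote:
                quote = ""
        elif depth and ch in "'\"":  # strings matter only inside an event
            quote = ch
        elif ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}" and depth:    # a '}' outside any event is ignored
            depth -= 1
            if depth == 0:
                events.append(text[start:i + 1])
    return events, (text[start:] if depth else "")

def to_messages(text: str) -> List[dict]:
    """One record per event, carrying the raw text in a Message field."""
    return [{"Message": ev} for ev in split_events(text)[0]]

# Constructed sample imitating the described file (not real data)
SAMPLE = "\n".join([
    "{'event': 'login', 'user': 'alice'}",
    "{'event': 'block', 'ip': '203.0.113.9', 'data': {'rule': 'waf'}}",
    "{'event': 'scan',",
    " 'user': 'bob', 'note': 'a stray } inside a string'}",
    "{'event': 'partial'",   # closing brace not written yet
])

if __name__ == "__main__":
    events, tail = split_events(SAMPLE)
    for ev in events:
        print(ev)
    print("unfinished:", repr(tail))
```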
Error when I install nxlog on REDHAT tikanga
Ely created
Hello,
Does anyone have an issue when installing on RedHat Tikanga?
The error message is below:
[root@osgdt01 tmp]# rpm -ivh nxlog-3.0.1814-1_rhel6.x86_64.rpm
error: nxlog-3.0.1814-1_rhel6.x86_64.rpm: Header V4 RSA/SHA1 signature: BAD, key ID 1da9e40e
error: nxlog-3.0.1814-1_rhel6.x86_64.rpm cannot be installed
Does anyone know what "signature: BAD" means?
I have no idea about this error message, even after googling it.
Thanks