NxLog and Snort

Tags:

#1 Deleted user 6 years ago

Hello,

I am working on shipping snort logs to an Elastic stack environment. I have found this https://nxlog.co/documentation/nxlog-user-guide.pdf but unfortunately it doesn't seem to help me. It all looks promising on the pdf, but the output does not look like what it shows at the end there. Instead, all of the logs are processed and shipped one line at a time, and as mentioned in that pdf, that is not helpful in this case.

I am using the linux version of the Community Edition and here are sample files:

/var/log/snort/alert:

[] [1:1000001:1] I saw mommy kissing Santa Clause [] [Classification: Generic ICMP event] [Priority: 3] 03/09-15:47:56.187476 src -> dest ICMP TTL:124 TOS:0x0 ID:16888 IpLen:20 DgmLen:60 Type:8 Code:0 ID:1 Seq:60 ECHO

[] [1:1000001:1] I saw mommy kissing Santa Clause [] [Classification: Generic ICMP event] [Priority: 3] 03/09-15:47:56.187583 src -> dst ICMP TTL:64 TOS:0x0 ID:62815 IpLen:20 DgmLen:60 Type:0 Code:0 ID:1 Seq:60 ECHO REPLY

/etc/nxlog.conf:

<Extension snort> Module xm_multiline HeaderLine /^[**] [\S+] (.*) [**]/ Exec if $raw_event =~ /^\s+$/ drop(); </Extension>

<Extension _json> Module xm_json </Extension>

<Input in> Module im_file File "/var/log/snort/alert" InputType snort SavePos FALSE ReadFromLast FALSE <Exec> if $raw_event =~ /(?x)^[**]\ [\S+]\ (.*)\ [**]\s+ (?:[Classification:\ ([^]]+)]\ )? [Priority:\ (\d+)]\s+ (\d\d).(\d\d)-(\d\d:\d\d:\d\d.\d+) \ (\d+.\d+.\d+.\d+):?(\d+)?\ -> \ (\d+.\d+.\d+.\d+):?(\d+)?\s+\ /

    {
            $EventName = $1;
            $Classification = $2;
            $Priority = $3;
            $EventTime = parsedate(year(now()) + &quot;-&quot; + $4 + &quot;-&quot; + $5 + &quot; &quot; + $6);
            $SourceIPAddress = $7;
            $SourcePort = $8;
            $DestinationIPAddress = $9;
            $DestinationPort = $10;
    }

</Exec>

</Input>

<Output out> Module om_file File "/root/nxlog/snort"

Exec to_json();

This had to be commented out or all the log entries looked like this...{"EventReceivedTime":"2018-03-09 16:14:21","SourceModuleName":"in","SourceModuleType":"im_file"}

</Output>

but the output in /root/nxlog/snort looks just like it did when it went in. there is no separation of any of the data and everything is on the sames lines as it went in. Nothing is in quotes like in the example.

Any help would be great. Thanks!

Permalink

#2 b0ti Nxlog ✓ 6 years ago

#1 Deleted user

Hello, I am working on shipping snort logs to an Elastic stack environment. I have found this https://nxlog.co/documentation/nxlog-user-guide.pdf but unfortunately it doesn't seem to help me. It all looks promising on the pdf, but the output does not look like what it shows at the end there. Instead, all of the logs are processed and shipped one line at a time, and as mentioned in that pdf, that is not helpful in this case. I am using the linux version of the Community Edition and here are sample files: /var/log/snort/alert: [] [1:1000001:1] I saw mommy kissing Santa Clause [] [Classification: Generic ICMP event] [Priority: 3] 03/09-15:47:56.187476 src -> dest ICMP TTL:124 TOS:0x0 ID:16888 IpLen:20 DgmLen:60 Type:8 Code:0 ID:1 Seq:60 ECHO [] [1:1000001:1] I saw mommy kissing Santa Clause [] [Classification: Generic ICMP event] [Priority: 3] 03/09-15:47:56.187583 src -> dst ICMP TTL:64 TOS:0x0 ID:62815 IpLen:20 DgmLen:60 Type:0 Code:0 ID:1 Seq:60 ECHO REPLY /etc/nxlog.conf: <Extension snort> Module xm_multiline HeaderLine /^[**] [\S+] (.*) [**]/ Exec if $raw_event =~ /^\s+$/ drop(); </Extension> <Extension _json> Module xm_json </Extension> <Input in> Module im_file File "/var/log/snort/alert" InputType snort SavePos FALSE ReadFromLast FALSE <Exec> if $raw_event =~ /(?x)^[**]\ [\S+]\ (.*)\ [**]\s+ (?:[Classification:\ ([^]]+)]\ )? [Priority:\ (\d+)]\s+ (\d\d).(\d\d)-(\d\d:\d\d:\d\d.\d+) \ (\d+.\d+.\d+.\d+):?(\d+)?\ -> \ (\d+.\d+.\d+.\d+):?(\d+)?\s+\ / { $EventName = $1; $Classification = $2; $Priority = $3; $EventTime = parsedate(year(now()) + "-" + $4 + "-" + $5 + " " + $6); $SourceIPAddress = $7; $SourcePort = $8; $DestinationIPAddress = $9; $DestinationPort = $10; } </Exec> </Input> <Output out> Module om_file File "/root/nxlog/snort" Exec to_json(); This had to be commented out or all the log entries looked like this...{"EventReceivedTime":"2018-03-09 16:14:21","SourceModuleName":"in","SourceModuleType":"im_file"} </Output> <Route> Path in => out </Route> but the output in /root/nxlog/snort looks just like it did when it went in. there is no separation of any of the data and everything is on the sames lines as it went in. Nothing is in quotes like in the example. Any help would be great. Thanks!

I am working on shipping snort logs to an Elastic stack environment.

The user guide has a section on shipping logs to Elasticsearch.

but the output in /root/nxlog/snort looks just like it did when it went in.

vs.

### This had to be commented out or all the log entries looked like this...{"EventReceivedTime":"2018-03-09 16:14:21","SourceModuleName":"in","SourceModuleType":"im_file"} ###

It's because om_file writes to contents of $raw_event. You'll need to format it differently , e.g. use to_json().