responses
We are in the process of ditching solarwinds kiwi syslog because its not performing, and is instable after every .net update. We mostly use syslog as an proxy between the customer network and our own datacenter where the siem is located.
One of the things we heavely use is an filter like log received from
host x.x.x.x message text contains " modsecurity "
then forward the log to our siem but with an bogus ip adres like 127.0.12.1 we use this to split the logs to seperate logsources is such a filter possible with NXLog (community) we want to purchase the software but need to build a poc first
what we want to accomplish first, before doing fancy stuff is
listen on udp port 514 , forward that logs to an remote syslog server
i was thinking it was something simple like :
Module xm_syslog
<Input in>
Module im_udp
Host 0.0.0.0
Port 514
Exec parse_syslog();
</Input>
<Output outtcp>
Module om_tcp
Host 10.202.5.10
Port 530
Exec to_syslog_bsd();
</Output>
<Route 1>
Path in => out, outtcp
</Route>
but that doesn rly do anything
Comments (2)
yeah i got something working now (i've installed the trial), it was the local windows firewall it was only open for the kiwi syslog process and not the nxlog process.
however the first thing i want / need to accomplish is the following i now get an log like
<135> 06/05/2020:18:51:29 GMT HOSTNAME 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 8169048 0 : Backend SPCBId 3463845 - ServerIP x.x.x.x - ServerPort 443 - ProtocolVersion TLSv1.2 - CipherSuite "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Non-Export 256-bit" - Session New - SERVER_AUTHENTICATED -SerialNumber "info" - SignatureAlgorithm "sha256WithRSAEncryption" - ValidFrom "Jan 22 00:00:00 2020 GMT" - ValidTo "Jan 21 12:00:00 2022 GMT" - HandshakeTime 31 ms
this log isnt recognised on the correct logsource because the logsource identifier was sourceip which kiwi syslog added in front of the message
<135>Apr 28 20:50:58 sourceip Kiwi_Syslog_Server 28/04/2020:18:51:23 GMT __hostname __ 0-PPE-2 : default SSLLOG SSL_HANDSHAKE_SUCCESS 2922976 0 : SPCBId 2364689 - ClientIP x.x.x.x - ClientPort 49807 - VserverServiceIP x.x.x.x - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Non-Export 128-bit" - Session Reuse - HandshakeTime 20 ms
is that something we can accomplish with nxlog also.
Hi,
Yes, this can be done with NXLog. I believe for your use case easiest way would be to use
xm_rewrite
module. Please check more on it here~MisaZ