I'm relatively new to NXLog and to AlienVault log ingestion. I have followed their setup guide here: https://cybersecurity.att.com/documentation/usm-anywhere/deployment-guide/setup/linux-logs-nxlog.htm?Highlight=linux%20logs%20nxlog.
We are using NxLog EE and the nxlog manager to push configs.
I have two modules I'm looking to collect logs with, and I feel that they are pretty straightforward. I'm trying to capture /var/log/messages and the audit.log. I also want to capture the FIM.
Using the im_file module, I'm able to capture these logs and they get to AlienVault; they are even parsed into JSON, which looks nice. My issue is that you can't really report on anything, as they don't generate any useful flags that AlienVault can use to trigger alarms and such. A lot of the logs get flagged as AlienVault Generic Results, which means that the format isn't triggering their AlienVault Data Source plugins. Some logs are getting recognized by AlienVault and triggering the appropriate data source, but they are also not getting any useful information to report on. When I compare these logs to the Windows logs that we are capturing, the Linux logs have significantly less metadata within them. Something as simple as eventoutcome would be nice, like if I wanted to see failed attempts to elevate to sudo, see that event fail, and generate an alert.
I'm wondering if anyone would mind sharing their module configs for Linux if you use Alien Vault (ATT USM) as your SIEM.
Here is the config I am currently using.
```nxlog
# Exec block of the im_file inputs for audit.log and /var/log/messages
Exec parse_syslog(); \
     $Hostname = hostname(); \
     $FQDN = hostname_fqdn(); \
     $Tag = "audit"; \
     $SourceName = "selinux"; \
     $Message = $Raw_Event;
Exec $EventTime = $EventReceivedTime;
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000;
Exec $Message = to_json(); to_syslog_bsd();

# Exec block of the FIM input
Exec $SourceName = "FIM-LINUX-NXLOG-EE";
Exec $EventTime = strftime($EventTime, '%Y-%m-%d %H:%M:%S');
Exec $EventReceivedTime = strftime($EventReceivedTime, '%Y-%m-%d %H:%M:%S');
Exec to_json(); to_syslog_bsd();

# Routes
Path var_audit_in, var_messages_in => out_syslog_ssl_br
Path fim_linux => out_fim_linux_ssl_BR
```
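The eventoutcome gap the post describes (no way to tell a failed sudo elevation from a successful one) can be closed on the agent side before the JSON is built. The input below is an added example, not the poster's config and not AlienVault's documented one: it keeps the post's `var_messages_in` input name, the `parse_syslog(); ... $Message = to_json(); to_syslog_bsd();` pattern and the `out_syslog_ssl_br` output name, and adds regex matches for the standard sudo and sshd message shapes so that `$EventOutcome`, `$SourceUser`, `$SourceIp` and `$Command` travel inside the JSON body. The field names, the second `File` directive (`/var/log/secure`, where RHEL-family systems write sudo and sshd authpriv messages; Debian-family uses `/var/log/auth.log`) and the message patterns are assumptions from the default sudo and OpenSSH log formats, not something taken from the post.

```nxlog
<Extension _syslog>
    Module  xm_syslog
</Extension>

<Extension _json>
    Module  xm_json
</Extension>

<Input var_messages_in>
    Module  im_file
    File    "/var/log/messages"
    # Assumption: sudo/sshd log to authpriv, which lands in /var/log/secure on
    # RHEL-family hosts (/var/log/auth.log on Debian-family). Adjust to taste.
    File    "/var/log/secure"
    <Exec>
        parse_syslog();
        $Hostname = hostname();
        $FQDN     = hostname_fqdn();
        $Tag      = "messages";
        $SourceName = "linux-auth";

        # Failed privilege elevation:
        #   sudo:   alice : 3 incorrect password attempts ; TTY=pts/0 ; ... ; COMMAND=/bin/bash
        #   sudo:   alice : user NOT in sudoers ; TTY=pts/0 ; ... ; COMMAND=/bin/bash
        #   sudo:   alice : command not allowed ; TTY=pts/0 ; ... ; COMMAND=/bin/bash
        if $Message =~ /sudo:\s+(\S+)\s*:\s+(\d+ incorrect password attempts|user NOT in sudoers|command not allowed)\s*;.*COMMAND=(.*)$/
        {
            $EventOutcome = "failure";
            $SourceUser   = $1;
            $Reason       = $2;
            $Command      = $3;
        }
        # Successful elevation:
        #   sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
        else if $Message =~ /sudo:\s+(\S+)\s*:\s+TTY=.*COMMAND=(.*)$/
        {
            $EventOutcome = "success";
            $SourceUser   = $1;
            $Command      = $2;
        }
        # Failed SSH logon:
        #   sshd[1234]: Failed password for invalid user bob from 203.0.113.9 port 5555 ssh2
        else if $Message =~ /sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port (\d+)/
        {
            $EventOutcome = "failure";
            $SourceUser   = $2;
            $SourceIp     = $3;
            $SourcePort   = integer($4);
        }
        # Successful SSH logon:
        #   sshd[1234]: Accepted publickey for alice from 203.0.113.9 port 5555 ssh2
        else if $Message =~ /sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port (\d+)/
        {
            $EventOutcome = "success";
            $AuthMethod   = $1;
            $SourceUser   = $2;
            $SourceIp     = $3;
            $SourcePort   = integer($4);
        }

        # Same wrapping as the original config: the JSON becomes the syslog
        # message body so the SIEM side still receives one BSD syslog line.
        $Message = to_json();
        to_syslog_bsd();
    </Exec>
</Input>

# out_syslog_ssl_br is the poster's existing om_ssl output and is not repeated here.
<Route messages_to_usm>
    Path    var_messages_in => out_syslog_ssl_br
</Route>
```

Events that match none of the patterns pass through unchanged, so nothing that already parses today is lost; a saved search or alarm rule on `EventOutcome = failure` together with `SourceUser` then gives the failed-sudo alert the post asks for without waiting for the vendor plugin to recognise the raw line.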