2016-04-18 06:25 AM
How do I integrate syslog-based devices with Security Analytics 10.5 without a remote collector installed on the syslog server?
In QRadar, just by forwarding the syslog to the event collector, it is auto-discovered. What is the mechanism here?
2016-04-18 06:32 AM
In RSA, it works similarly. If the parser is enabled on Log Decoder > Config, the devices are auto-discovered. You just have to configure the event sources to forward the log data to the Log Decoder (if you do not use a VLC).
2016-04-18 06:33 AM
It is very easy to collect syslogs from syslog-supported event sources.
You only need to give your Log Decoder IP address or VLC IP address on the hosts (event sources) to start forwarding the logs to the Log Decoder.
That's it.
2016-04-18 06:36 AM
Hi, also make sure that the iptables configuration on your Log Decoder allows syslog traffic.
In /etc/sysconfig/iptables, make sure the following lines are above your reject line:
-A INPUT -p tcp -m multiport --ports 514 -m comment --comment "4 Syslog TCP Port" -j ACCEPT
-A INPUT -p udp -m multiport --ports 514 -m comment --comment "4 Syslog UDP Port" -j ACCEPT
After making these changes, make sure that you restart iptables with: service iptables restart
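The ordering point above (the ACCEPT rules have to sit above the catch-all REJECT, because iptables takes the first terminating match) is easy to get wrong when editing the file by hand. The following is an added example, not from the poster or from RSA: a small Python check that walks the INPUT chain of an iptables-save style file in order and reports, per protocol, whether syslog on port 514 is accepted before a REJECT or DROP would swallow it. The sample file content is constructed for the example, with the UDP rule deliberately placed below the REJECT line.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed excerpt of an /etc/sysconfig/iptables file (iptables-save format).
# The UDP syslog rule has been put *after* the catch-all REJECT on purpose; that is
# the mistake this check is meant to flag.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m multiport --ports 514 -m comment --comment "4 Syslog TCP Port" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m multiport --ports 514 -m comment --comment "4 Syslog UDP Port" -j ACCEPT
COMMIT
"""

_PORTS_RE = re.compile(r"--(?:ports|dports|dport)\s+([\d,:]+)")
_PROTO_RE = re.compile(r"(?<!\S)-p\s+(\w+)")
_TARGET_RE = re.compile(r"(?<!\S)-j\s+(\w+)")
_STATE_RE = re.compile(r"--(?:ct)?state\s+([\w,]+)")


def _ports(rule: str) -> Set[int]:
    """Expand '--ports 514', '--dports 514,601' or '--dport 500:520' into a set of ports."""
    m = _PORTS_RE.search(rule)
    if not m:
        return set()
    out: Set[int] = set()
    for part in m.group(1).split(","):
        lo, _, hi = part.partition(":")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def _field(regex: "re.Pattern[str]", rule: str) -> Optional[str]:
    m = regex.search(rule)
    return m.group(1).upper() if m else None


def _applies(rule: str, proto: str, port: int) -> bool:
    """True if this rule's match clauses would match the *first* packet of a
    syslog flow on proto/port (so stateful ESTABLISHED-only rules do not count)."""
    rule_proto = _field(_PROTO_RE, rule)
    if rule_proto and rule_proto != proto.upper():
        return False
    states = _STATE_RE.search(rule)
    if states and "NEW" not in states.group(1).upper().split(","):
        return False
    ports = _ports(rule)
    return not ports or port in ports


def check_syslog_rules(text: str, port: int = 514) -> Dict[str, bool]:
    """Walk the INPUT chain top to bottom, as the kernel does, and return
    {"tcp": bool, "udp": bool}: True when syslog traffic is accepted before any
    REJECT/DROP that would match it. If no rule decides, fall back to the chain policy."""
    lines = [ln.strip() for ln in text.splitlines()]
    policy = "ACCEPT"
    for ln in lines:
        if ln.startswith(":INPUT"):
            policy = ln.split()[1].upper()
    input_rules: List[str] = [ln for ln in lines if ln.startswith("-A INPUT")]
    result: Dict[str, bool] = {}
    for proto in ("tcp", "udp"):
        verdict: Optional[bool] = None
        for rule in input_rules:
            if not _applies(rule, proto, port):
                continue
            target = _field(_TARGET_RE, rule)
            if target == "ACCEPT":
                verdict = True
                break
            if target in ("REJECT", "DROP"):
                verdict = False
                break
        result[proto] = verdict if verdict is not None else policy == "ACCEPT"
    return result


if __name__ == "__main__":
    # On the constructed sample: TCP 514 is allowed, UDP 514 is shadowed by the REJECT.
    print(check_syslog_rules(SAMPLE_RULES))
```

To run it against a real host, read /etc/sysconfig/iptables (or the output of iptables-save) into `text` instead of the constructed sample; any protocol reported False means the ACCEPT line is missing or sits below the reject line.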
2016-04-19 05:12 AM
Hi David,
Thanks for the suggestion. I modified the tables as suggested here and started receiving logs. Now, I am facing another problem. The log sources are getting detected with the same source IP (of the syslog server). I want them to be detected by the devices that are reporting to the syslog server (using syslog-ng). Moreover, a few log sources are coming with the type unknown. Please help me with how I can define parsers for them. I am new to SA, so excuse any dumb questions.
2016-04-19 05:29 AM
I would recommend that you install a Remote VLC and send syslog directly to this VLC, rather than directly to the Log Decoder.
The reason for this is that the syslog receiver can be configured to extract the information from the syslog header.
These settings are defined in the Explore view for Remote Log Collection -> Log Collection -> Event Sources -> Syslog - UDP (or TCP) -> tcp514
The settings are:
rfc3164_include_header in message
rfc3164hdr_enable
rfc3164hdr_use_ip
rfc3164hdr_use_time
If you hover your mouse over the settings, context-sensitive help will be displayed.
For information on writing your own parsers please see:
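The problem in the preceding question (every device shows up as the syslog-ng relay's IP) and the header settings listed in this reply come down to one distinction: the transport source address the collector sees versus the HOSTNAME field carried in the RFC 3164 header. The following is an added illustration, not code from the thread or from RSA, and it does not reproduce the VLC's actual implementation: a small RFC 3164 header parser plus an attribution function that models the two behaviours, "attribute by transport peer" and "prefer the header address" (an assumption about what rfc3164hdr_use_ip does). The sample messages and the relay address 10.0.0.5 are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME MSG, TIMESTAMP = "Mmm dd hh:mm:ss"
# (single-digit days are space padded, e.g. "Apr  9 05:12:01").
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogEvent:
    transport_ip: str            # peer address the collector saw (here: the relay)
    header_host: Optional[str]   # HOSTNAME field from the RFC 3164 header, if present
    timestamp: Optional[str]
    facility: Optional[int]
    severity: Optional[int]
    message: str


def parse_rfc3164(raw: str, transport_ip: str) -> SyslogEvent:
    """Split a raw syslog line into its RFC 3164 header fields and message body.
    Lines without a parsable header are kept whole, with only the transport address."""
    m = _RFC3164.match(raw)
    if not m:
        return SyslogEvent(transport_ip, None, None, None, None, raw)
    pri = int(m.group("pri"))
    return SyslogEvent(
        transport_ip=transport_ip,
        header_host=m.group("host"),
        timestamp=m.group("ts"),
        facility=pri >> 3,   # PRI = facility * 8 + severity
        severity=pri & 7,
        message=m.group("msg"),
    )


def event_source_address(ev: SyslogEvent, use_header_ip: bool) -> str:
    """Choose the address the event is attributed to.

    use_header_ip=False: attribute by transport peer, so every event relayed by
    syslog-ng collapses onto the relay's address (the symptom in the thread).
    use_header_ip=True: hypothetical model of rfc3164hdr_use_ip; prefer the header
    HOSTNAME when it is an IP literal, otherwise fall back to the transport peer.
    """
    if use_header_ip and ev.header_host:
        try:
            return str(ipaddress.ip_address(ev.header_host))
        except ValueError:
            pass  # a hostname, not an IP literal: cannot be used as an address here
    return ev.transport_ip


# Constructed sample: three lines arriving from a syslog-ng relay at 10.0.0.5.
RELAY_IP = "10.0.0.5"
SAMPLES = [
    "<34>Apr 19 05:12:01 192.168.1.20 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4444 ssh2",
    "<13>Apr 19 05:12:03 fw-edge-01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.168.1.1",
    "plain text with no syslog header at all",
]


def attributed_addresses(use_header_ip: bool) -> List[str]:
    """Attribution result for each sample under one of the two settings."""
    return [event_source_address(parse_rfc3164(s, RELAY_IP), use_header_ip) for s in SAMPLES]


if __name__ == "__main__":
    print("by transport peer:", attributed_addresses(False))
    print("prefer header ip: ", attributed_addresses(True))
```

The second sample shows the remaining gap: a header HOSTNAME that is a name rather than an IP literal still falls back to the relay address under this model, so the relay's forwarding configuration (what syslog-ng writes into the HOSTNAME field) matters as much as the receiver setting.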
2016-05-13 12:45 PM
It is pretty cool the way that it works: as the log comes in to the Remote VLC or Log Decoder, it will analyze the header section, then compare that against all enabled parsers. It then rates them to determine which parser should be used. This is why you want to disable as many parsers as possible. It can help the false positive rate of comparison and reduces resource overhead. If anyone reading this sees my interpretation of the process as incorrect, please comment.
2016-11-09 04:13 PM
Auto-discovery works the same way in Security Analytics. Keep in mind, you can also hard-code an IP to a particular parser if there are multiple matches causing SA to set it as an Unknown device. The hard coding can be done under the Log Decoder -> View -> Config options.