easySIEM
easySIEM
What is easySIEM?
Agents
Osquery
Syslog
Configuring Rsyslog
Collector - Internal Log Receiver
Suricata
Bring your own Any/Agent
Incident & Investigation
User Management
Ticket Creation
Threat Hunting
Live Query and Active Response
Mitre Att&ck Module
Penetration Testing
Nmap Scan
OpenVAS Scan
OWASP ZAP Scan
API Security
Use Cases
Host Intrusion Detection
Network Intrusion Detection/Prevention
Security Logs Analytics and Search
Visualizations
Endpoint Security (Laptops)
File Integrity Monitoring
Automated VAPT
Vulnerability Management
Compliance Management
Alert and Notification
ElastAlert - Handling UI.
Alert Signals Auto Generation
Configuring - Slack, Telegram
Data Security
Deployment Models
Hosting Provider's Security Details
Legal
Privacy Policy
Terms and Conditions
Agreement
Support
Live Chat, Email
Pricing
Powered by GitBook

Configuring Rsyslog

Installing required package for Deb.

sudo apt-get update
sudo apt-get install ca-certificates -y
sudo apt-get install rsyslog-gnutls

Installing required packages for RedHat distributions

sudo yum install ryslog-gnutls
sudo yum-get install ca-certificates -y

sudo nano /etc/rsyslog.d/22-easysiem.conf

For rsyslog version 8.x paste below

# Setup disk assisted queues
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1   # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g    # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on   # save messages to disk on shutdown
$ActionQueueType LinkedList    # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down
#RsyslogGnuTLS
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
template(name="json-template" type="list") {
      constant(value="{")
      constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
      constant(value="\",\"@version\":\"1")
      constant(value="\",\"message\":\"")     property(name="msg" format="json")
      constant(value="\",\"hostname\":\"")    property(name="hostname")
      constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
      constant(value="\",\"pri\":\"")         property(name="pri-text")
      constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
      constant(value="\",\"programname\":\"") property(name="programname")
      constant(value="\",\"procid\":\"")      property(name="procid")
      constant(value="\",\"fromhost-ip\":\"") property(name="fromhost-ip")
      constant(value="\",\"auth_token\":\"AUTH_TOKEN")
      constant(value="\",\"pack\":\"rsyslog")
      constant(value="\"}\n")
}
# Send messages to easySIEM over TCP using the template.
# ACTION BLOCK
action(type="omfwd" protocol="tcp" target="TARGET_URL" port="8888" 
       template="json-template" StreamDriver="gtls" 
       StreamDriverMode="1" StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="*.easysiem.com")

TARGET_URL - <SUBDOMAIN>-collector.easysiem.com AUTH_TOKEN - Copy Auth Token from configuration section of dashboard.

You may want to add any number of extra value and property. By default the "pack" field value is syslog and "name" is "facility" in the indexed documents.

Minimal Configuration for Auth logs, user management and suricata logs only.

Replace action block with below

if ( $syslogfacility-text startswith "auth"  and
($programname == ["sshd","sudo","su","systemd-logind",
                  "groupdel","groupadd","usermod","useradd",
                  "userdel","groupmod","chage", "chfn"]) 
                  or $syslogtag startswith "suricata") 
then {
                  
action(type="omfwd" protocol="tcp" target="TARGET_URL" port="8888" 
template="json-template" StreamDriver="gtls" 
StreamDriverMode="1" StreamDriverAuthMode="x509/name"
StreamDriverPermittedPeers="*.eaysiem.com")             
stop                 
}
Agents - Previous
Syslog
Next
Collector - Internal Log Receiver
Last updated 11 months ago