AnsweredAssumed Answered

How to send logs to RSA from Graylog?

Question asked by V3hrrWee8o4GRIeBwlhoBrSOzr0faybbj8vAoBBfuAo= on Apr 17, 2016
Latest reply on Apr 19, 2016 by David Waugh

Like • Show 0 Likes0
Comment • 5

Hi,

We are running SA 10.5.

Currently, most of our logs are sent to Graylog, helping out DevOps teams on operational matters. Windows logs are sent up with NXlog, we have some syslog, app logs are sent with graylog-collector in GELF or plain format.

In order to support our security analysts as well, using SA, I'd like to send the raw logs that are coming to the Graylog right before they enter, for example with Logstash to split the flow.

My question is: Can I send a stream of logs directly to the VLC's rabbitMQ? What would be alternative ways to push logs out to the RSA chain otherwise? Straight to the decoder somehow? or ESA?

Thank you.

Best,

fred

No one else has this question

Outcomes

5 Replies

David Waugh Apr 18, 2016 2:48 AM
Mark Correct
Correct Answer
Hello

As long as you can get the logs into security analytics then we can parse them.

If the logs reside as files on the disk then you could upload them with the sftp agent.

If you can send them directly as syslog then that would be even easier.

Would any of these ways be possible?

Once you have the method of getting the logs into SA we can assist with the rest.

Sent from my iPhone
Like • Show 0 Likes0
Actions
- V3hrrWee8o4GRIeBwlhoBrSOzr0faybbj8vAoBBfuAo= @ David Waugh on Apr 18, 2016 3:54 PM
  Mark Correct
  Correct Answer
  Hi David,
  
  Yes, I know all this. I was just wondering if there was an alternative way that could be used, instead of the "oldies" sftp and other plain syslog.
  
  Since you're using rabbitMQ, it seems a bit odd that we can't use it as such to input message to the VLC for example. I would even expect some Kafka for high loads.
  
  When used to the recent tools, RSA looks like a dinosaur; I wish that could change?
  
  Thanks,
  fred
  Like • Show 0 Likes0
  Actions
David Waugh Apr 18, 2016 6:51 AM
Mark Correct
Correct Answer
Hi Can you configure

Graylog Marketplace

This has an output plugin that will send graylogs to Syslog which we can then ingest into SA.

The log messages look fairly structured for example:
<14>1 2016-03-31T19:31:46.358Z graylog unknown - nginx [all@0 request_verb="GET" remote_addr="192.168.1.37" response_status="404" from_nginx="true" level="6" connection_requests="1" http_version="1.1" response_bytes="1906" source="nginx" message="GET /test1/2 HTTP/1.1" gl2_source_input="566c96abe4b094dfbc2661a8" version="1.1" nginx_access="true" http_user_agent="Wget/1.15 (linux-gnu)" remote_user="-" connection_id="1755" http_referer="-" request_path="/test1/2" gl2_source_node="bebd092c-85d7-49a3-8188-f7af734747fb" _id="34cb0f40-f777-11e5-b30c-0800276c97db" millis="0.002" facility="runit-service" timestamp="2016-03-31T19:31:46.000Z"] GET /test1/2 HTTP/1.1

So it would be possible to write a parser for this.

Even better - it looks like it may be possible to send output from graylog using a CEF output. We have a CEF parser in Security Analytics so you wouldnt need to write your own parser.
Like • Show 0 Likes0
Actions
- V3hrrWee8o4GRIeBwlhoBrSOzr0faybbj8vAoBBfuAo= @ David Waugh on Apr 18, 2016 3:58 PM
  Mark Correct
  Correct Answer
  Hi again,
  
  Thanks, yes I know about this plugin. I was just wondering about something else, as expressed above.
  
  However, in the "structured" mode you copy-pasted above, I don't think the out-of-the-box parser of RSA would work right? The goal is to have the decoder stuff just work, so no extra has to be added, just the raw stuff (which I obviously can get working there since I have the source code, and even the "plain" mode may work.
  
  Thanks about your hint about CEF.
  
  Cheers,
  fred
  Like • Show 0 Likes0
  Actions
  - David Waugh @ V3hrrWee8o4GRIeBwlhoBrSOzr0faybbj8vAoBBfuAo= on Apr 19, 2016 5:12 AM
    Mark Correct
    Correct Answer
    Hi I think the CEF format will be the best way to go in your case then.
    Like • Show 0 Likes0
    Actions

How to send logs to RSA from Graylog?

Outcomes

Related Content

Recommended Content