In certain situations one needs to inspect the output of CloudConnectors without interrupting its normal operation of sending the logs to a (remote) syslog destination.
We will use rsyslog, a syslog service that is installed by default on many Linux distributions.
The setup writes every received event to a local file, /var/log/sk4.log, and opens a local syslog listener on TCP <machine private ip>:5514.
Once the SIEM integration on CloudConnectors is configured to send to that listener, rsyslog both persists the events locally in this file AND forwards them to the external SIEM destination.
Keep in mind that both hops are plain, unauthenticated syslog over TCP: anything that can reach port 5514 can inject events into the local file and into the forwarded stream, and the forwarded data is not encrypted in transit. Keep the listener reachable only from the private network (or restrict it with a host firewall) and make sure the path to the remote receiver is one you trust.
Setup
- Save the script below into a local file, e.g. setup.sh

```bash
#!/usr/bin/env bash
# Set up an rsyslog rule that writes incoming events to a local file AND
# forwards them to another TCP syslog destination.

while getopts "p:s:h" opt; do
  case $opt in
    h) HELPONLY=true;;
    p) FWDPORT="$OPTARG";;
    s) FWDIP="$OPTARG";;
    \?) echo "Invalid option -$OPTARG" >&2;;
  esac
done

LOCAL_TARGET_FILE=/var/log/sk4.log

print_help() {
  echo "usage: sudo ./setup.sh -s [IP to forward messages to. mandatory] -p [port to forward messages to]"
  echo "locally messages will be logged to $LOCAL_TARGET_FILE"
}

if [[ ${HELPONLY} == true ]]; then
  print_help
  exit 0
fi

if [[ -z "$FWDIP" ]]; then
  echo "Target IP was not provided via -s flag. Aborting, here's the help:"
  print_help
  exit 1
fi

if [[ -z "$FWDPORT" ]]; then
  echo "Target port was not provided via -p flag. Aborting, here's the help:"
  print_help
  exit 1
fi

# Writing to /etc/rsyslog.d and restarting the service requires root.
if [[ $EUID -ne 0 ]]; then
  echo "This script must be run as root (use sudo)." >&2
  exit 1
fi

# The heredoc is unquoted on purpose: $FWDIP, $FWDPORT and $LOCAL_TARGET_FILE
# are expanded by this shell before the config is written.
cat <<EOT > /etc/rsyslog.d/20-sk4-local-and-fwd.conf
# Load modules
module(load="imtcp")
# omfwd is built into rsyslog and does not strictly need to be loaded
module(load="omfwd")

ruleset(name="sk4localandsplit") {
  # log locally
  action(type="omfile" File="$LOCAL_TARGET_FILE")
  # forward to somewhere else
  action(type="omfwd" Target="$FWDIP" Port="$FWDPORT" Protocol="tcp")
  # stop propagating this message
  stop
}

# Bind the listener to its own ruleset so these events do not mix with the
# host's regular syslog traffic. Note: this listens on every interface, so
# restrict who can reach TCP 5514 with a firewall.
input(type="imtcp" port="5514" ruleset="sk4localandsplit")
EOT

# Ensure the local file exists with proper permissions. On Debian/Ubuntu rsyslog
# drops privileges to the "syslog" user; on distributions where it runs as root
# that user does not exist, so only chown when it is present.
# Use 640 instead of 644 if the captured events are sensitive.
touch "$LOCAL_TARGET_FILE"
if id syslog >/dev/null 2>&1; then
  chown syslog:syslog "$LOCAL_TARGET_FILE"
fi
chmod 644 "$LOCAL_TARGET_FILE"

# Validate the configuration before restarting, so a typo does not take down
# the host's logging, then apply by restarting rsyslog.
if ! rsyslogd -N1; then
  echo "rsyslog config check failed; fix /etc/rsyslog.d/20-sk4-local-and-fwd.conf before restarting" >&2
  exit 1
fi
systemctl restart rsyslog
```

- Make it executable:

```bash
chmod +x setup.sh
```
- Run it with sudo, providing the target IP and port of the syslog receiver to which you'd like to forward the messages, e.g.

```bash
sudo ./setup.sh -s 1.2.3.4 -p 1514
```

- Find the private IP of the host, so you can point the CloudConnector SIEM integration at it, by inspecting the output of `ip -4 addr` (or `ifconfig` on systems that still ship it)
- Set up the SIEM Integration to send to this private IP on port 5514 (see the SIEM Integration guide)
DONE!
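To confirm the split actually works before pointing CloudConnectors at the host, the following self-test is added here; it is not part of the original article or of CloudConnectors. It builds one constructed RFC 3164-style event with a unique marker, sends it over plain TCP to the listener that setup.sh creates, and then polls /var/log/sk4.log for the marker. It assumes the listener address and port are passed on the command line (127.0.0.1 and 5514 are the obvious values for a local check; use the private IP to exercise the same path CloudConnectors will use), that bash's /dev/tcp redirection is available, and that the caller can read the log file.

```bash
#!/usr/bin/env bash
# Added self-test for the sk4 rsyslog split (example code, not from the
# original page). Sends one constructed syslog event to the local listener and
# checks that it was written to the local file.

LOCAL_TARGET_FILE="${LOCAL_TARGET_FILE:-/var/log/sk4.log}"

# syslog PRI = facility * 8 + severity (RFC 3164 / RFC 5424 numbering).
syslog_pri() {
  local fac sev
  case "$1" in
    kern) fac=0;; user) fac=1;; daemon) fac=3;; auth) fac=4;; syslog) fac=5;;
    authpriv) fac=10;;
    local[0-7]) fac=$(( 16 + ${1#local} ));;
    *) echo "unknown facility: $1" >&2; return 1;;
  esac
  case "$2" in
    emerg) sev=0;; alert) sev=1;; crit) sev=2;; err) sev=3;;
    warning) sev=4;; notice) sev=5;; info) sev=6;; debug) sev=7;;
    *) echo "unknown severity: $2" >&2; return 1;;
  esac
  echo $(( fac * 8 + sev ))
}

# Build an RFC 3164-style line: <PRI>TIMESTAMP HOST TAG: MSG
build_syslog_line() {
  local pri="$1" ts="$2" host="$3" tag="$4" msg="$5"
  printf '<%s>%s %s %s: %s' "$pri" "$ts" "$host" "$tag" "$msg"
}

# Send one newline-terminated frame over plain TCP, which is what imtcp reads
# by default. Uses bash's /dev/tcp pseudo-device, so no extra tooling needed.
send_tcp_line() {
  local ip="$1" port="$2" line="$3"
  exec 3<>"/dev/tcp/${ip}/${port}" || return 1
  printf '%s\n' "$line" >&3
  exec 3>&-
}

# Poll the local file for the marker; tries * 0.5 s is the maximum wait.
wait_for_marker() {
  local file="$1" marker="$2" tries="${3:-10}" i=0
  while [ "$i" -lt "$tries" ]; do
    grep -qF -- "$marker" "$file" 2>/dev/null && return 0
    i=$(( i + 1 ))
    sleep 0.5
  done
  return 1
}

sk4_selftest() {
  local ip="$1" port="$2" marker ts line
  # Constructed test event; the marker makes this run's line easy to find.
  marker="sk4-selftest-$(date +%s)-$$"
  ts="$(date '+%b %e %H:%M:%S')"
  line="$(build_syslog_line "$(syslog_pri user info)" "$ts" "$(hostname)" sk4test "$marker")"

  if ! send_tcp_line "$ip" "$port" "$line"; then
    echo "FAIL: could not connect to ${ip}:${port}; is rsyslog running with the sk4 input?" >&2
    return 1
  fi
  if wait_for_marker "$LOCAL_TARGET_FILE" "$marker"; then
    echo "OK: marker '$marker' reached $LOCAL_TARGET_FILE"
    echo "    the same event was handed to the omfwd action; confirm it on the remote receiver"
    return 0
  fi
  echo "FAIL: marker '$marker' not found in $LOCAL_TARGET_FILE (check journalctl -u rsyslog)" >&2
  return 1
}

# Usage: ./sk4-selftest.sh <listener-ip> [port]
# The check only runs when an argument is given, so the file can also be
# sourced for its helper functions.
if [ "$#" -gt 0 ]; then
  sk4_selftest "$1" "${2:-5514}"
fi
```

A successful run proves the listener, the ruleset binding and the omfile action; it cannot see the remote side, so check the receiver (or the omfwd action's queue via journalctl) for the same marker. If the local write works but the remote never sees it, the forward hop is the problem, not the CloudConnectors configuration.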