Integration with SIEM or remote log server

Introduction

This article documents the steps needed to export Enterprise Recon logs to your own syslog or SIEM server.


Instructions

Follow these steps to point Enterprise Recon at your remote log server:

  1. Log in to your Enterprise Recon Master Server terminal console as 'root'
  2. Enter the command:  er2-dsclient
  3. Enter the command:  set log/remote/<IP ADDRESS OF REMOTE LOG SERVER> 1
     (e.g. set log/remote/192.168.77.17 1)

To view the list of configured servers:

  1. Log in to your Enterprise Recon Master Server terminal console as 'root'
  2. Enter the command:  er2-dsclient
  3. Enter the command:  index log/remote

To remove a configured server:

  1. Log in to your Enterprise Recon Master Server terminal console as 'root'
  2. Enter the command:  er2-dsclient
  3. Enter the command:  delete log/remote/<IP ADDRESS OF SERVER TO REMOVE>
     (e.g. delete log/remote/192.168.77.17)


List of logged events

  • agent
  • authenticator
  • logger
  • datastore
  • mailer
  • overseer
  • ui
  • report
  • intel
  • policy
  • activedirectory
  • acl
  • receiver


*Note: The above SIEM solution has been tested by Ground Labs support using the following SIEM platforms: ManageEngine EventLog; Syslog-ng; XpoLog; and Visual Syslog Server.


Port Information

The above solution communicates via UDP port 514. This is a default setting that is hard-coded into the Dsclient remote service.

Should you wish to send the syslog messages via a different port, please follow the steps below.

*Take note that the steps below are not linked to our standard method of SIEM integration, as outlined in the article above. The standard method uses the built-in Dsclient remote service, whereas the steps below use the syslog daemon (rsyslog) to send the logs to your chosen syslog server.

**Also note that if you choose to use this method, logs will no longer be stored in the following directory, as is the case with our preferred dsclient method:  /var/lib/er2/*.log


Instructions

Step 1

  • Log in to the master server as 'root'
  • Type the following to navigate to the ER2 directory:  cd /var/lib/er2
  • Add the line <syslog>1</syslog> inside the <cfg> </cfg> tags of each of the 12 service config files, using the vi editor. For each file:
    1. Type vi <file>.cfg and hit enter.
    2. Hit esc, then i, and add this line between the <cfg> and </cfg> tags:  <syslog>1</syslog>
    3. Hit esc, type :wq and hit enter to save the file and exit.
  • The 12 config files, one per service, are:
    1. acl.cfg
    2. activedirectory.cfg
    3. authenticator.cfg
    4. datastore.cfg
    5. intel.cfg
    6. logger.cfg
    7. mailer.cfg
    8. overseer.cfg
    9. policy.cfg
    10. receiver.cfg
    11. report.cfg
    12. ui.cfg

*See attached screen grab (Edited config file) as an example of the edited config file.


Step 2

  • Add the lines below to the rsyslog.conf file, by typing:  vi /etc/rsyslog.conf

    :programname,isequal,"er2-master" @<host>:<port>
    :programname,isequal,"acl" @<host>:<port>
    :programname,isequal,"activedirectory" @<host>:<port>
    :programname,isequal,"datastore" @<host>:<port>
    :programname,isequal,"intel" @<host>:<port>
    :programname,isequal,"logger" @<host>:<port>
    :programname,isequal,"mailer" @<host>:<port>
    :programname,isequal,"policy" @<host>:<port>
    :programname,isequal,"receiver" @<host>:<port>
    :programname,isequal,"report" @<host>:<port>
    :programname,isequal,"ui" @<host>:<port>

  • A single @ forwards over UDP; @@ forwards over TCP
  • For example, to use UDP port 557 and host 192.168.56.1, the first line would be entered as follows:  :programname,isequal,"er2-master" @192.168.56.1:557
  • Once the file has been amended, hit esc and type :wq to save and exit

*See attached screen grab (Edited rsyslog file) as an example of the edited syslog file.


Step 3

  • Restart the Syslog service by entering:  /etc/init.d/rsyslog restart
  • Restart the Master Server by entering:  /etc/init.d/er2-master restart
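The script below is an added example, not Ground Labs tooling, that performs Step 1 and Step 2 above in one idempotent pass: it places <syslog>1</syslog> inside the <cfg> </cfg> tags of the 12 service config files (taking a .bak copy of each and skipping files that already carry a <syslog> setting) and appends the eleven :programname forwarding lines to rsyslog.conf behind a marker comment so a second run does not duplicate them. The file locations and service names are the ones the article gives; the ER2_DIR and RSYSLOG_CONF variables, the marker text and the function names are this example's own, and can be pointed at a scratch directory to rehearse the change before touching the master server. Step 3 (restarting rsyslog and er2-master) is still done by hand afterwards.

```shell
#!/bin/sh
# Added example (not Ground Labs tooling): Step 1 + Step 2 of the rsyslog-based
# method. Paths and names come from the article; ER2_DIR and RSYSLOG_CONF can be
# overridden in the environment for a dry run against copies of the files.

ER2_DIR="${ER2_DIR:-/var/lib/er2}"
RSYSLOG_CONF="${RSYSLOG_CONF:-/etc/rsyslog.conf}"
RULE_MARKER='# er2 syslog forwarding (added by enable-er2-syslog.sh)'

# The 12 service config files named in Step 1.
ER2_SERVICES="acl activedirectory authenticator datastore intel logger mailer overseer policy receiver report ui"
# The programname values listed in Step 2 (er2-master plus ten services).
RSYSLOG_PROGRAMS="er2-master acl activedirectory datastore intel logger mailer policy receiver report ui"

# enable_syslog FILE: put <syslog>1</syslog> inside the <cfg> </cfg> tags unless
# the file already has a <syslog> setting. Prints added | present | no-cfg-tag.
enable_syslog() {
    f="$1"
    if grep -q '<syslog>' "$f"; then echo present; return 0; fi
    if ! grep -q '</cfg>' "$f"; then echo no-cfg-tag; return 1; fi
    cp "$f" "$f.bak"                      # keep a copy of the untouched file
    awk '
        /^[ \t]*<\/cfg>[ \t]*$/ { print "  <syslog>1</syslog>"; print; next }  # closing tag on its own line
        { sub(/<\/cfg>/, "<syslog>1</syslog></cfg>"); print }                 # <cfg>...</cfg> on one line
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    echo added
}

# rsyslog_rules HOST PORT PROTO: print the Step 2 lines. PROTO "udp" gives a
# single @ (UDP), "tcp" gives @@ (TCP). Rejects ports outside 1-65535.
rsyslog_rules() {
    host="$1"; port="$2"; proto="${3:-udp}"
    case "$port" in ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "invalid port: $port" >&2; return 1
    fi
    case "$proto" in
        udp) prefix='@' ;;
        tcp) prefix='@@' ;;
        *)   echo "proto must be udp or tcp" >&2; return 1 ;;
    esac
    for p in $RSYSLOG_PROGRAMS; do
        printf ':programname,isequal,"%s" %s%s:%s\n' "$p" "$prefix" "$host" "$port"
    done
}

# append_rules HOST PORT PROTO: append the rules to rsyslog.conf once, behind a
# marker comment, so re-running the script does not duplicate them.
append_rules() {
    rules=$(rsyslog_rules "$@") || return 1
    if grep -qF "$RULE_MARKER" "$RSYSLOG_CONF"; then echo present; return 0; fi
    { echo "$RULE_MARKER"; echo "$rules"; } >> "$RSYSLOG_CONF"
    echo added
}

# apply_all HOST PORT PROTO: Step 1 over every service file, then Step 2.
apply_all() {
    for s in $ER2_SERVICES; do
        printf '%s.cfg: ' "$s"
        enable_syslog "$ER2_DIR/$s.cfg" || true   # report and carry on with the next file
    done
    printf 'rsyslog.conf: '
    append_rules "$@"
}

# Usage on the master server (as root):  sh enable-er2-syslog.sh 192.168.56.1 557 udp
if [ "$#" -ge 2 ]; then
    apply_all "$@"
fi
```

Two design points worth keeping in mind: the plain @ (UDP) form the article uses is fire-and-forget, so a dropped datagram or an unreachable collector loses events silently, whereas @@ (TCP) at least gets a connection error in the rsyslog log; and because the "added" check keys on the marker comment, editing the host or port later means removing the marked block and re-running rather than running the script twice.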


Troubleshooting a blocked port

*Note that some ports may be blocked by default.

If this is the case, please follow the steps below to unblock your chosen port (NB: this procedure only lets you add a port if it is not already defined for another SELinux service).

Add the port to the trusted ports for syslog by installing the semanage tool and labelling the port:

  • Log in to the Master Server as 'root'
  • Run this command:  yum --enablerepo=base install policycoreutils-python
  • Then run:  semanage port -a -t syslogd_port_t -p tcp <port>
  • Replace 'tcp' with 'udp' when you want a UDP port
  • Restart the Syslog service by entering:  /etc/init.d/rsyslog restart
  • Restart the Master Server by entering:  /etc/init.d/er2-master restart
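Because semanage port -a fails when the port already belongs to another SELinux port type, it helps to read the current labelling first. The functions below are an added example, not Ground Labs tooling: port_owner parses saved semanage port -l output (the three-column type / proto / port-list listing) and selinux_port_plan turns the answer into either the article's semanage command, "already-labelled" when syslogd_port_t already has the port, or "conflict:<type>" when another type does. The listing used in the check is constructed for illustration; the assumption that range entries such as "1-511" are generic fallback labels rather than conflicts, and the function names, are this example's own.

```shell
#!/bin/sh
# Added example, not Ground Labs tooling: inspects `semanage port -l` output
# before the article's `semanage port -a`, so a port already labelled for another
# SELinux service is reported instead of the add failing mid-procedure.
# Assumptions: the listing has the usual columns (type, proto, port list), and
# range entries such as "1024-65535" are generic fallback labels, so only exact
# single-port entries count as owners.

# port_owner LISTING_FILE PROTO PORT: print the SELinux port type(s) that list
# PORT/PROTO explicitly, or nothing if the port is not labelled.
port_owner() {
    listing="$1"; proto="$2"; port="$3"
    awk -v proto="$proto" -v port="$port" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)            # strip the separating comma
                if (p !~ /-/ && p + 0 == port + 0) print $1
            }
        }' "$listing"
}

# selinux_port_plan PROTO PORT LISTING_FILE: print the command to run, or why
# not to: "already-labelled" when syslogd_port_t owns the port, "conflict:<type>"
# when another type does.
selinux_port_plan() {
    proto="$1"; port="$2"; listing="$3"
    owner=$(port_owner "$listing" "$proto" "$port")
    case "$owner" in
        '')             echo "semanage port -a -t syslogd_port_t -p $proto $port" ;;
        syslogd_port_t) echo "already-labelled" ;;
        *)              echo "conflict:$owner" ;;
    esac
}

# Usage on the master server (as root), e.g. for UDP 557:
#   sh selinux-port-check.sh udp 557
if [ "$#" -eq 2 ]; then
    tmp=$(mktemp) && semanage port -l > "$tmp" && selinux_port_plan "$1" "$2" "$tmp"
    rm -f "$tmp"
fi
```

When the plan reports a conflict, the port is reserved for another service and the article's -a command will not succeed; relabelling it with semanage port -m moves the port to syslogd_port_t and therefore affects whatever that other type was protecting, so picking a different port is usually the safer resolution.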



All information in this article is accurate and true as of the last edited date.
