An evening focused on discussing the [often] missing layers of event collection within Splunk deployments. We'll cover the ins and outs of traditional syslog collection and also explore how the Splunk HTTP Event Collector can be used to similar effect.
7. Syslog - Analysis and Collection
Graeme Curtis
Head of Research & Development, ECS Security
8. agenda
• syslog overview
• different syslog flavours
• modular syslog configuration
• debugging your configuration
• packaging as a Splunk app
• logfile weeding
• architecture
9. what is syslog?
• a shared message logging service originally created on BSD in the 1980’s
• logging follows a standard format
RFC3164:
<34>Oct 11 22:14:15 MYMACHINE su: 'su root' failed for gac on /dev/pts/8
(fields: priority, timestamp, hostname, tag, message)
RFC5424:
<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - - - 'su root' failed for gac on /dev/pts/8
(fields: priority, version, timestamp, hostname, processname, pid, msgid, bom, message)
• actually, many vendors do exactly as they please and often ignore the syslog standards
10. the right way to ingest syslog
• simply open a couple of listening ports, TCP/UDP 514
• choose a unique port per device type
• collect syslog sources on dedicated syslog servers
recommendation:
1. always implement standalone syslog servers as part of your Splunk Infrastructure
2. ensure that the configuration of the syslog server is a responsibility of the Splunk team
11. syslog server options
• choose a *nix operating system
• two common options for syslog servers
recommendation:
rsyslog is my preferred choice as it doesn’t implement a dual license model
‘advanced’ features of syslog-ng are only available via a commercial license
12. creating a modular rsyslog config
• rsyslog configurations can be broken down into 4 major components:
1. globals – define global variables such as queue / message size, and load modules such as the udp and tcp socket inputs
2. inputs – describe the message input types
3. rules – determine what action to take when a message is received
4. templates – set the output format of the message
13. creating a modular rsyslog config
• rsyslog will allow the use of include files and hence we can readily modularise each of the components
Let’s have a look at how we structure our filesystem and what goes where…
/etc/rsyslog.conf
/etc/rsyslog.d/splunk.conf
/etc/rsyslog.d/splunk-global
/etc/rsyslog.d/splunk-inputs
/etc/rsyslog.d/splunk-rules
/etc/rsyslog.d/splunk-templates
14. testing your configuration 1
whenever you onboard a syslog source, always keep a representative example of events in the ./splunk-tests directory
15. testing your configuration 2
remember we mentioned vendors sending non-standard syslog…
Nov 2 15:04:45 10.91.254.15 devname=SGPDC22-F3-NFW01 devid=FGT1KD3916801084 vd=root date=2017-11-02 time=15:04:42 logid=0100100032002 type=event subtype=system level=alert vd=root logdesc="Admin login failed" sn=0 user="c" ui=console method=console srcip=0.0.0.0 dstip=0.0.0.0 action=login status=failed reason="name_invalid" msg="Administrator c login failed from console because of invalid user name"
16. testing your configuration 3
consider the rules…
Nov 2 15:04:45 10.91.254.15 devname=SGPDC22-F3-NFW01 devid=FGT1KD3916801084 vd=root date=2017-11-02 time=15:04:42 logid=0100100032002 type=event subtype=system level=alert vd=root logdesc="Admin login failed" sn=0 user="c" ui=console method=console srcip=0.0.0.0 dstip=0.0.0.0 action=login status=failed reason="name_invalid" msg="Administrator c login failed from console because of invalid user name"
# the more specific 'contains' test comes first: 'devid=FG' would also match 'devid=FGHA'
if $msg contains 'devid=FGHA' then {
action(type="omfile" DynaFile="syslog_514_fortigateha" ...)
stop
}
if $msg contains 'devid=FG' then {
action(type="omfile" DynaFile="syslog_514_fortigate" ...)
stop
}
17. testing your configuration 3
consider the templates…
Nov 2 15:04:45 10.91.254.15 devname=SGPDC22-F3-NFW01 devid=FGT1KD3916801084 vd=root date=2017-11-02 time=15:04:42 logid=0100100032002 type=event subtype=system level=alert vd=root logdesc="Admin login failed" sn=0 user="c" ui=console method=console srcip=0.0.0.0 dstip=0.0.0.0 action=login status=failed reason="name_invalid" msg="Administrator c login failed from console because of invalid user name"
if $msg contains 'devid=FGHA' then {
action(type="omfile" DynaFile="syslog_514_fortigateha" ...)
stop
}
if $msg contains 'devid=FG' then {
action(type="omfile" DynaFile="syslog_514_fortigate" ...)
stop
}
# the DynaFile templates build the output path from the first regex submatch (devname, or vd for HA)
# and the sender's IP; DFLT writes **NO MATCH** into the path when the regex does not match
template (name="syslog_514_fortigate" … string="…/fortigate/%msg:R,ERE,1,DFLT:devname=([^ ]+)--end%/%fromhost-ip%.log")
template (name="syslog_514_fortigateha" … string="…/fortigate/%msg:R,ERE,1,DFLT:[ ]vd=([^ ]+)--end%/%fromhost-ip%.log")
Some template content snipped for ease of reading
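As an added check in the spirit of the ./splunk-tests directory (example code, not from the slides or ECS), this small Python harness replays the FortiGate event above through the two 'contains' rules and the DynaFile regexes, and shows why the devid=FGHA rule must precede devid=FG. The base path /var/splunk-syslog, the constructed HA sample line and treating the whole line as $msg are assumptions.

```python
import re

# Sample events, constructed for this example: the FortiGate line from the slides plus a
# made-up HA-style line carrying devid=FGHA so that both rules get exercised.
FORTIGATE_EVENT = (
    'Nov 2 15:04:45 10.91.254.15 devname=SGPDC22-F3-NFW01 devid=FGT1KD3916801084 vd=root '
    'date=2017-11-02 time=15:04:42 logid=0100100032002 type=event subtype=system level=alert '
    'vd=root logdesc="Admin login failed" sn=0 user="c" ui=console method=console srcip=0.0.0.0 '
    'dstip=0.0.0.0 action=login status=failed reason="name_invalid" msg="Administrator c login '
    'failed from console because of invalid user name"'
)
HA_EVENT = "Nov 2 15:04:46 10.91.254.16 devname=SGPDC22-F3-NFW02 devid=FGHA0000000001 vd=vdom-a"

# Rules in the order the slides use them: the more specific 'contains' test must come first.
RULES = [
    ("devid=FGHA", "syslog_514_fortigateha"),
    ("devid=FG", "syslog_514_fortigate"),
]
# The ERE inside each DynaFile template's %msg:R,ERE,1,DFLT:...--end% property replacer.
TEMPLATE_REGEX = {
    "syslog_514_fortigate": r"devname=([^ ]+)",
    "syslog_514_fortigateha": r"[ ]vd=([^ ]+)",
}
BASE_DIR = "/var/splunk-syslog"  # assumed; the slides elide the path prefix with "..."


def regex_property(msg: str, ere: str, submatch: int = 1) -> str:
    """Mimic rsyslog's R,ERE,<n>,DFLT replacer: submatch n, or **NO MATCH** when it fails."""
    m = re.search(ere, msg)
    return m.group(submatch) if m else "**NO MATCH**"


def route(msg: str, fromhost_ip: str, rules=RULES):
    """Return (template name, DynaFile path) chosen by the first matching rule."""
    for needle, template in rules:
        if needle in msg:  # rsyslog 'contains' is a plain substring test
            subdir = regex_property(msg, TEMPLATE_REGEX[template])
            return template, f"{BASE_DIR}/fortigate/{subdir}/{fromhost_ip}.log"
    return None, None


def order_matters() -> bool:
    """True when reversing the rules lets the generic devid=FG rule swallow the HA event."""
    strict = route(HA_EVENT, "10.91.254.16")[0]
    loose = route(HA_EVENT, "10.91.254.16", list(reversed(RULES)))[0]
    return strict != loose


if __name__ == "__main__":
    for ev, ip in ((FORTIGATE_EVENT, "10.91.254.15"), (HA_EVENT, "10.91.254.16")):
        print(route(ev, ip))
```

The third case in the test, a devid=FG event with no devname field, shows the **NO MATCH** directory that DFLT produces; watching for that directory on the syslog server is a quick way to spot a template regex that no longer fits the vendor's output.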
18. testing your configuration 4
debugging is configured in our standard policy via a global variable…
# Set debug status to either true or false
set $/debug = "false";
19. testing your configuration 5
this will redirect message flow from the syslog_514 ruleset to the debug ruleset…
# Set debug status to either true or false
set $/debug = "false";
ruleset(name="syslog_514") {
$RulesetCreateMainQueue on # Create ruleset specific main queue for performance benefit
if $/debug == 'true' then {
call debug
stop
}
20. testing your configuration 6
add a couple of variables to allow you to track what’s happening in the config…
# Set debug status to either true or false
set $/debug = "false";
ruleset(name="syslog_514") {
$RulesetCreateMainQueue on # Create ruleset specific main queue for performance benefit
if $/debug == 'true' then {
call debug
stop
}
if $msg contains 'devid=FG' then {
set $!debugrule="fortigate_rule_002";
set $!debugtemplate="fortigate";
action(type="omfile" file="/var/splunk-syslog/debug/debug.log" template="debug")
stop
}
21. testing your configuration 7
finally, we output the message as it’s been parsed by rsyslog into JSON…
ruleset(name="syslog_514") {
$RulesetCreateMainQueue on # Create ruleset specific main queue for performance benefit
if $/debug == 'true' then {
call debug
stop
}
if $msg contains 'devid=FG' then {
set $!debugrule="fortigate_rule_002";
set $!debugtemplate="fortigate";
action(type="omfile" file="/var/splunk-syslog/debug/debug.log" template="debug")
stop
}
}
# jsonmesg emits the whole parsed message, including the $!debugrule / $!debugtemplate
# variables set above, as one JSON object per line
template (name="debug" type="list") {
property(name="jsonmesg")
constant(value="\n")
}
22. logfile weeding
remember to clean up any locally stored logfiles…
- can use logrotate
- or alternatively, use your templates to create a folder structure containing datetime values and schedule a simple deletion script.