Re: SysLog Parser in Metron

Thanks, it was helpful

On Wed, Oct 25, 2017 at 7:29 PM, Ahmed Shah wrote:
> Hello Farrukh,
>
> Our team was able to report simple Dionaea alerts to Metron using syslog v8 (not encrypted).
>
> The source code for our project is here:
> https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/
>
> More specifically... syslog config files for our honeypots are here:
> https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/tree/master/SampleLogFiles/configForHP-notEnc
>
> More specifically... syslog config files for the Metron server are here:
> https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/tree/master/SampleLogFiles/configForServer-notEnc
>
> GROK parser pattern used:
> https://raw.githubusercontent.com/LTW-GCR-CSOC/csoc-installation-scripts/master/images/Dionaea-ManagementUI.png
> https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/blob/master/SampleLogFiles/README.md
>
> Nifi setup in Metron Server:
> https://raw.githubusercontent.com/LTW-GCR-CSOC/csoc-installation-scripts/master/images/nifiDionaeaKafka.png
>
> Hope it helps.
>
> -Ahmed
> ___
> Ahmed Shah (PMP, M. Eng.)
> Cybersecurity Analyst & Developer
> GCR - Cybersecurity Operations Center
> Carleton University - cugcr.com <https://cugcr.com/tiki/lce/index.php>
>
> --
> *From:* Simon Elliston Ball
> *Sent:* October 25, 2017 3:47 AM
> *To:* user@metron.apache.org
> *Subject:* Re: SysLog Parser in Metron
>
> Short answer: grok parsers.
>
> Longer answer: syslog is more a transport, not just a log format, so it encapsulates a wide variety of data sources. Your best bet is probably to use NiFi to listen for syslog from a remote host (ListenSyslog) and then route each application in the syslog to a different kafka topic. That way you have kafka topics for each type of data you care about eg sshd, login, cups... whatever. From there it’s easiest to use a grok parser in metron to pull out the fields. There are many prebuilt patterns for the common services around on the web.
>
> Simon
>
> > On 25 Oct 2017, at 05:55, Farrukh Naveed Anjum wrote:
> >
> > Hi,
> >
> > How can I get syslog in metron any help (pattern / parser). Kindly help ?
> >
> > --
> > With Regards
> > Farrukh Naveed Anjum

--
With Regards
Farrukh Naveed Anjum
Re: SysLog Parser in Metron

Hello Farrukh,

Our team was able to report simple Dionaea alerts to Metron using syslog v8 (not encrypted).

The source code for our project is here:
https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/

More specifically... syslog config files for our honeypots are here:
https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/tree/master/SampleLogFiles/configForHP-notEnc

More specifically... syslog config files for the Metron server are here:
https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/tree/master/SampleLogFiles/configForServer-notEnc

GROK parser pattern used:
https://raw.githubusercontent.com/LTW-GCR-CSOC/csoc-installation-scripts/master/images/Dionaea-ManagementUI.png
https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/blob/master/SampleLogFiles/README.md

Nifi setup in Metron Server:
https://raw.githubusercontent.com/LTW-GCR-CSOC/csoc-installation-scripts/master/images/nifiDionaeaKafka.png

Hope it helps.

-Ahmed
___
Ahmed Shah (PMP, M. Eng.)
Cybersecurity Analyst & Developer
GCR - Cybersecurity Operations Center
Carleton University - cugcr.com <https://cugcr.com/tiki/lce/index.php>

From: Simon Elliston Ball
Sent: October 25, 2017 3:47 AM
To: user@metron.apache.org
Subject: Re: SysLog Parser in Metron

Short answer: grok parsers.

Longer answer: syslog is more a transport, not just a log format, so it encapsulates a wide variety of data sources. Your best bet is probably to use NiFi to listen for syslog from a remote host (ListenSyslog) and then route each application in the syslog to a different kafka topic. That way you have kafka topics for each type of data you care about eg sshd, login, cups... whatever. From there it’s easiest to use a grok parser in metron to pull out the fields. There are many prebuilt patterns for the common services around on the web.

Simon

> On 25 Oct 2017, at 05:55, Farrukh Naveed Anjum wrote:
>
> Hi,
>
> How can I get syslog in metron any help (pattern / parser). Kindly help ?
>
> --
> With Regards
> Farrukh Naveed Anjum
Re: SysLog Parser in Metron

Short answer: grok parsers.

Longer answer: syslog is more a transport, not just a log format, so it encapsulates a wide variety of data sources. Your best bet is probably to use NiFi to listen for syslog from a remote host (ListenSyslog) and then route each application in the syslog to a different kafka topic. That way you have kafka topics for each type of data you care about eg sshd, login, cups... whatever. From there it’s easiest to use a grok parser in metron to pull out the fields. There are many prebuilt patterns for the common services around on the web.

Simon

> On 25 Oct 2017, at 05:55, Farrukh Naveed Anjum wrote:
>
> Hi,
>
> How can I get syslog in metron any help (pattern / parser). Kindly help ?
>
> --
> With Regards
> Farrukh Naveed Anjum
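The pipeline Simon describes (syslog as a transport, split per application into separate Kafka topics, then a grok-style pattern to pull out fields) reduces to two steps: parse the RFC 3164 header and route on the application tag. The example below is added here and is not part of the thread or of Metron or NiFi; it re-implements that logic in plain Python with a grok-like regex, a hypothetical topic map, and constructed sample lines. Lines that fail to parse are sent to a separate dead-letter topic rather than dropped, so malformed or hostile input stays visible to the analyst.

```python
import re
from collections import defaultdict

# RFC 3164 line: <PRI>Mon DD HH:MM:SS host tag[pid]: message (pid optional).
# Same shape a Metron grok pattern would express with %{SYSLOGBASE}.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<app>[^\[\]:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Hypothetical per-application topic map, mirroring NiFi routing into Kafka.
TOPIC_BY_APP = {"sshd": "sshd", "login": "login", "cups": "cups"}
DEFAULT_TOPIC = "syslog_other"      # known syslog, application not mapped
DEAD_LETTER_TOPIC = "syslog_unparsed"  # header did not parse; keep raw line

def parse_syslog(line):
    """Return a dict of header fields plus facility/severity, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    if pri > 191:          # facility 0-23, severity 0-7 -> PRI at most 191
        return None
    rec["facility"] = pri // 8
    rec["severity"] = pri % 8
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec

def route(line):
    """Pick the Kafka topic for one line; unparsed lines go to dead letter."""
    rec = parse_syslog(line)
    if rec is None:
        return DEAD_LETTER_TOPIC, {"raw": line}
    return TOPIC_BY_APP.get(rec["app"], DEFAULT_TOPIC), rec

def route_all(lines):
    topics = defaultdict(list)
    for line in lines:
        topic, rec = route(line)
        topics[topic].append(rec)
    return dict(topics)

# Constructed sample input (not real honeypot data); PRI 38 = auth.info.
SAMPLE = [
    "<38>Oct 25 03:47:01 honeypot01 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "<86>Oct 25 03:47:02 honeypot01 login[221]: pam_unix(login:session): session opened for user root",
    "<30>Oct 25 03:47:03 honeypot01 cups: Job 7 queued for printing",
    "<29>Oct 25 03:47:04 honeypot01 CRON[999]: (root) CMD (run-parts /etc/cron.hourly)",
    "this is not a syslog line at all",
]
```

Running `route_all(SAMPLE)` yields one list per topic; the sshd record carries facility 4 and severity 6, the cups record has no pid, CRON lands in `syslog_other`, and the junk line in `syslog_unparsed`.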
SysLog Parser in Metron

Hi,

How can I get syslog in metron any help (pattern / parser). Kindly help ?

--
With Regards
Farrukh Naveed Anjum