If your question was whether SEC can act as a syslog server and listen
directly on port 514/udp or some other widely used syslog port, the answer
is no, since it accepts input through files and pipes. There are several
well-designed and efficient syslog servers around (in particular, rsyslog)
which focus on fast message reception, and more importantly, it is trivial
to connect SEC to any syslog server. Therefore, implementing a syslog
server inside SEC would be like reinventing the wheel. For making a
connection with a syslog server, configure it to write all relevant events to
a file and specify this file to SEC as an input (using the --input option).
Also, some people have configured SEC to be started by the syslog server,
where the syslog server then feeds SEC through a pipe interface (for example,
if you are running syslog-ng, you can use the program() destination driver
for this).

If one of your questions was whether SEC can act as a client to a remote
syslog server, the answer is "it depends on the protocol". Since the 2.7.1
version, you can employ 'udpsock' and 'tcpsock' actions to send custom data
to TCP and UDP remote peers. This allows for talking to remote BSD syslog
servers with relatively little effort, because it is not very hard to write
a formatting action for syslog data. However, talking to IETF syslog
servers over TLS is trickier.
There is a very simple workaround for this problem, though -- instead of
talking directly to the remote server, you can pass data to the *local* syslog
server, which then handles all communication with any remote syslog servers.
You can do this by employing external tools like logger, but also with
SEC's own 'udgram' and 'ustream' actions for making a more efficient direct
connection to the UNIX socket of the local syslog server. Since you
mentioned that you would like to store the output also in a file, you could
do this with the 'write' action.

Hope this information helps. There are several ways of addressing the
problems you have mentioned, and a lot depends on the more precise
description of your environment and requirements.

kind regards,
risto
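The following rule file is an added example and is not part of the original thread or of the SEC distribution; it ties the three answers above together in one place. It assumes the action syntax documented for SEC 2.7.x ('write', 'udpsock' and 'udgram', with '%t' expanding to the current time, '%s' to the rule's desc text and '$1'..'$4' to the regex match groups), and that SEC is started with something like `sec --conf=fw.sec --input=/var/log/fw.log`, where /var/log/fw.log is the file the local syslog server has been configured to write firewall events into. The input line format, the remote address 192.0.2.10 and all file paths are constructed for the example.

```sec
# fw.sec -- constructed example, not from the original post or the SEC project.
# Start with:  sec --conf=fw.sec --input=/var/log/fw.log
# /var/log/fw.log is assumed to be written by the local syslog server (rsyslog,
# syslog-ng), which answers question 1: SEC reads the server's file, it does
# not listen on 514/udp itself.

# The pattern matches a constructed iptables-style line such as:
#   Jun  2 10:15:01 fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5
# $1 = syslog timestamp, $2 = reporting host, $3 = source, $4 = destination.
# desc includes $3 and $4, so each source/destination pair gets its own
# 60-second counting window; the actions fire once 10 drops have been seen.
type=SingleWithThreshold
ptype=RegExp
pattern=^(\S+\s+\S+\s+\S+) (\S+) kernel: DROP .*SRC=(\S+) DST=(\S+)
desc=Repeated firewall drops from $3 to $4 (10 in 60s)
# Question 2: 'write' appends the alert to a plain text file.
# Question 3: 'udpsock' sends a BSD (RFC 3164) formatted copy to a remote
#   syslog server, reusing the original timestamp and host from the input line;
#   <13> is PRI for facility user (1), severity notice (5): 1*8+5 = 13.
# Alternative for question 3: 'udgram' hands the message to the local syslog
#   daemon through its UNIX socket (the daemon adds timestamp and host itself),
#   so TLS/relay handling stays in the syslog server, as the reply suggests.
action=write /var/log/sec-alerts.log %t %s; udpsock 192.0.2.10:514 <13>$1 $2 sec: %s; udgram /dev/log <13>sec: %s
window=60
thresh=10
```

Which of the two forwarding actions to keep depends on the setup: 'udpsock' is the direct path to a remote BSD syslog receiver, while 'udgram' to /dev/log lets the local daemon apply its own forwarding rules (including TLS to an IETF syslog server), which is the workaround described above.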




2013/6/2 termo meter <[email protected]>

> Hi All,
>
> I'm new to SEC and I want to ask a few questions.
> I have set up a syslog server to collect/receive logs from security
> devices such as firewalls and IDS. The logs are in text file format. My question
> is, how can I use SEC as a correlation engine?
> 1) Can SEC receive input directly from the security devices using syslog
> format?
> 2) Can I have the output result in a text file?
> 3) Can I forward the output result to another syslog server?
>
> Thanks.
>
>
>
>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users