ecan007
Level 9

Adding Siem datasource


I have added a Linux syslog datasource to the SIEM.

The syslog events will be forwarded to this datasource on port 514 and I set the configuration:

Data Source Screen Settings

1. Data Source Vendor – Unix

2. Data Source Model – Linux

3. Data Format – Default

4. Data Retrieval – Default

5. Enabled: Parsing/Logging/SNMP Trap – <Defaults>

6. Name – Name of data source

7. IP Address/Hostname – The IP address and host name associated with the data source device.

8. Syslog Relay – <Enable>

9. Mask – <Default>

10. Require Syslog TLS – Enable to require the Receiver to communicate over TLS.

11. Support Generic Syslogs – <Default>

12. Time Zone – Time zone of data being sent.

I have even checked the iptables rules, and the IP address was listed as allowed to receive messages from.

However, I see the datasource is still inactive and I don't see any logs.

tcpdump showed no packets coming in from the source, and even after enabling logging on iptables, I didn't see anything from the source IP.

Not sure if iptables was logging correctly, but if I look at the source IP within the SIEM I do see some events:

It seems we do get events in, but they're being rejected?

How can I correct this?

0 Kudos
1 Solution

Accepted Solutions
yd9038
Level 9

Re: Adding Siem datasource


The screenshot and the event packet you provided are from a Fortinet firewall.

It appears that the firewall is blocking traffic from the datasource over port 514 to the receiver.

The devices may be in a segmented environment. You will need to work with your firewall engineers to have them enable data flow between the datasource and the receiver.

0 Kudos
7 Replies
infoseced
Level 7

Re: Adding Siem datasource

Click on the Packet tab and let's see what the REC is parsing.

0 Kudos
ecan007
Level 9

Re: Adding Siem datasource


Sorry, where is the packet tab?

Maybe you have a screen shot?

0 Kudos
yd9038
Level 9

Re: Adding Siem datasource


It is in your screenshot:

We may be more helpful if we see the packet (raw) data. If it is no longer in "Packet" tab, you can retrieve it from ELM through "ELM Archive" tab.

The device type you have appears to be a Fortinet Firewall. Device Type 355 is for "FortiGate UTM - Space Delimited (ASP)", I'd change the datasource type to that from Unix/Linux, so it will use the right parser rules:

0 Kudos
ecan007
Level 9

Re: Adding Siem datasource

By the way, thanks for your replies on your weekend.

That was a good point, I totally ignored the signature ID.

The source system isn't a firewall (as far as I know, but I will double check); the source IP and the destination IP are in the same subnet, so there should be no firewall or even a NAC in place.

The source IP is the datasource itself and the destination IP is the McAfee Receiver.

I already checked the Packet tab (didn't know what you meant in the first place) and changed some info:

<189>date=2016-10-09 time=22:17:01 devname="name of device" devid=FGT5HD3915800356 logid=0000000013 type=traffic subtype=forward level=notice vd="looks like a domain info"  srcip="datasource IP"  srcport=50935 srcintf="VLAN100-CORE" dstip="mcafee receiver" dstport=514 dstintf="VLAN100-CORE" sessionid=215039833 proto=17 action=deny policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="SYSLOG" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=high

I am not sure about this event.

Was this event sent from the datasource, and what is the "deny" action?

Was this event denied, or is this information about the event itself?

0 Kudos
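To make the diagnosis concrete, here is an added example (not code from the original thread, nor from McAfee or Fortinet) that parses an event in the FortiGate space-delimited key=value format, including the syslog PRI prefix, and flags the case the poster hit: the firewall itself reporting a deny of UDP/514 traffic destined for the Receiver. It also checks whether a line is a FortiGate event at all, which is the parser mismatch yd9038 pointed out (a datasource configured as Unix/Linux while the events are in FortiGate format). The sample events are constructed: the deny line is the posted event with the redacted names and addresses replaced by RFC 5737 documentation IPs, while the accept line and the plain Linux syslog line are invented, and RECEIVER_IP is an assumed value.

```python
"""Triage FortiGate key=value syslog events for a blocked SIEM feed.

Added example for the thread above; not the SIEM's own parser.
"""
import re

# Constructed sample events. The deny event mirrors the one posted in the
# thread, with the redacted names/IPs replaced by documentation addresses.
DENY_EVENT = (
    '<189>date=2016-10-09 time=22:17:01 devname="fw-core" devid=FGT5HD3915800356 '
    'logid=0000000013 type=traffic subtype=forward level=notice vd="root" '
    'srcip=192.0.2.10 srcport=50935 srcintf="VLAN100-CORE" dstip=192.0.2.20 '
    'dstport=514 dstintf="VLAN100-CORE" sessionid=215039833 proto=17 action=deny '
    'policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop '
    'service="SYSLOG" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 '
    'appcat="unscanned" crscore=30 craction=131072 crlevel=high'
)
# Invented: the same flow once an explicit policy allows it.
ACCEPT_EVENT = (
    '<189>date=2016-10-09 time=22:30:12 devname="fw-core" devid=FGT5HD3915800356 '
    'logid=0000000013 type=traffic subtype=forward level=notice vd="root" '
    'srcip=192.0.2.10 srcport=50936 srcintf="VLAN100-CORE" dstip=192.0.2.20 '
    'dstport=514 dstintf="VLAN100-CORE" sessionid=215039901 proto=17 '
    'action=accept policyid=12 service="SYSLOG" duration=30 sentbyte=412 rcvdbyte=0'
)
# Invented: an ordinary RFC 3164 line, as the Unix/Linux datasource expects.
PLAIN_SYSLOG = (
    "<38>Oct  9 22:17:01 host01 sshd[1234]: Accepted publickey for admin "
    "from 192.0.2.10 port 50935 ssh2"
)

RECEIVER_IP = "192.0.2.20"  # assumed address of the McAfee Receiver

_PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split the PRI prefix into facility/severity and the body into fields."""
    m = _PRI_RE.match(line)
    pri = int(m.group(1)) if m else None
    body = line[m.end():] if m else line
    fields = {}
    for kv in _KV_RE.finditer(body):
        key, quoted, bare = kv.group(1), kv.group(2), kv.group(3)
        fields[key] = quoted if quoted is not None else bare
    return {
        "facility": pri // 8 if pri is not None else None,
        "severity": pri % 8 if pri is not None else None,
        "fields": fields,
    }


def is_fortigate_event(parsed):
    """FortiGate traffic logs always carry devid, logid and type."""
    f = parsed["fields"]
    return all(k in f for k in ("devid", "logid", "type"))


def syslog_denied_to_receiver(parsed, receiver_ip):
    """True when the firewall reports dropping syslog traffic to the receiver."""
    f = parsed["fields"]
    if f.get("type") != "traffic" or f.get("action") != "deny":
        return False
    if f.get("dstip") != receiver_ip:
        return False
    return f.get("dstport") == "514" or f.get("service", "").upper() == "SYSLOG"


def triage(line, receiver_ip):
    """Classify one raw line; the deny case is what blocks a datasource."""
    parsed = parse_event(line)
    if not is_fortigate_event(parsed):
        return "not-fortigate"
    if syslog_denied_to_receiver(parsed, receiver_ip):
        f = parsed["fields"]
        # On FortiGate, policyid=0 is the implicit deny: no explicit rule matched.
        return (f"firewall-deny: {f['srcip']} -> {f['dstip']}:{f['dstport']} "
                f"proto={f.get('proto')} policyid={f.get('policyid')}")
    return "fortigate-other"


if __name__ == "__main__":
    for sample in (DENY_EVENT, ACCEPT_EVENT, PLAIN_SYSLOG):
        print(triage(sample, RECEIVER_IP))
```

The first check (`is_fortigate_event`) is the one to run before anything else: a line that parses as FortiGate key=value under a datasource typed Unix/Linux explains the "unknown" signature ID the poster saw, and a `firewall-deny` result for the receiver's address explains why tcpdump on the Receiver never saw the datasource's packets.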
ecan007
Level 9

Re: Adding Siem datasource

After a good look at the events, it seems this packet is not from the datasource, but from the Fortinet firewall.

I have to talk to the system engineers about why this is coming from a firewall. It looks like the firewall is blocking the events, but I'm not 100% sure, because there shouldn't be a firewall between the devices.

0 Kudos
ecan007
Level 9

Re: Adding Siem datasource

Thanks, I think you are right.

I should have read the log files completely.

Will contact the network admin about this.

0 Kudos