Are there any logs on the SIEM that I can use to detect new log sources trying to talk to it? I think since the underlying OS uses iptables, perhaps a firewall hit on UDP/TCP 514 from an unknown source? Any help would be awesome.
Hi scott3boy. You might be looking for the auto-learn feature in the receiver. Select a receiver, then properties. Choose Data Sources from the left side. At the bottom you'll click on Auto Learn.
By default the receiver firewall will drop any traffic from unconfigured sources. It took me a minute to understand why: you don't want an attacker DoSing your audit log system with spurious traffic (make 'em work for it). The Auto Learn capability disables the filtering for a period so the receiver can see what's TRYING to send data to it.
For example, if you want to see what sources are sending syslog, choose an interval in hours, and click Enable next to syslog. For the next N hours, the receiver will build a list of syslog source IPs. When it finishes (or you click Disable) there will be a list of syslog sources it saw during that time. Hopefully most of these are already configured, but you'll see any new ones as well. If you don't, the source may not have sent any data during the time Auto Learn was running.
Now you can select a source and click Add to add it to the receiver.
If you have a LOT of new sources, the receiver can add them all for you automatically. That's what the Configure button is for. After clicking Configure you'll see a list of Auto Create rules. You can edit the rules to do what you want when adding (I've noticed some settings require a manual visit to the data source config). Enable the rules and click Run Now to apply the rules to the sources already in the Auto Learn list. If you configure and enable the rules BEFORE you enable Auto Learn, it will do it all in one step. It appears to NOT re-add sources already there (based on source IP conflict).
Hope that helps.
Thank you for your recommendation, but ya, I was aware of that option. Honestly I am looking for something more automated. I want the SIEM to send an alarm when a new log source attempts to connect over 514... seems pretty trivial, but it would be extremely helpful in my environment where we have people slinging new log sources at the device all the time. I think even a daily report would be nice. I have never been a fan of the Auto Learn function, and even support seems to frown on using it too much. I would have to enable it at least once a day and hope that the log source is active during that window too. You would assume that the "drop" event from the receiver firewall could be the trigger (that is, if it logged to the SIEM).
Thanks again for the recommendation though.
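A minimal version of the detection scott3boy describes (flag firewall drops on port 514 whose sender is not already a configured data source), as an added example that is not part of this thread and not SIEM product code. It assumes the collector's host firewall writes a standard netfilter LOG line (`SRC=... DST=... PROTO=... DPT=...`) for dropped packets, that those lines are readable somewhere, and that the list of configured data sources is available as plain IPs or CIDRs; the sample log lines and the configured-source list below are constructed.

```python
"""Report unknown senders hitting a syslog collector on port 514.

Added example, not from the thread above and not McAfee/ESM code. It
assumes the collector's firewall emits netfilter LOG lines for drops and
that the configured data sources can be exported as IPs/CIDRs. Sample
data is constructed.
"""
import ipaddress
import re
from collections import Counter

SYSLOG_PORTS = {514}  # syslog over UDP and TCP

# Fields written by the netfilter LOG target; only what we need.
IPT_LOG_RE = re.compile(
    r"SRC=(?P<src>[0-9a-fA-F.:]+)\s+DST=(?P<dst>[0-9a-fA-F.:]+).*?"
    r"PROTO=(?P<proto>\w+)(?:\s+SPT=(?P<spt>\d+))?\s+DPT=(?P<dpt>\d+)"
)

# Constructed sample: two hits from a known source, one from an unknown
# host, one ICMP drop (no port), and one port-22 probe (not syslog).
SAMPLE_LOG = """\
Mar  3 09:12:41 rcv kernel: RCV-DROP IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:11:22:33:08:00 SRC=10.1.20.15 DST=10.1.2.5 LEN=312 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=50514 DPT=514 LEN=292
Mar  3 09:12:42 rcv kernel: RCV-DROP IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:11:22:33:08:00 SRC=10.1.20.15 DST=10.1.2.5 LEN=312 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=50514 DPT=514 LEN=292
Mar  3 09:12:43 rcv kernel: RCV-DROP IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:11:22:33:08:00 SRC=10.1.30.7 DST=10.1.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=1 DF PROTO=TCP SPT=41222 DPT=514 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 09:12:44 rcv kernel: RCV-DROP IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:11:22:33:08:00 SRC=10.1.5.9 DST=10.1.2.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=ICMP TYPE=8 CODE=0
Mar  3 09:12:45 rcv kernel: RCV-DROP IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:16:3e:11:22:33:08:00 SRC=192.0.2.77 DST=10.1.2.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP SPT=1337 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Constructed stand-in for an export of the receiver's configured sources.
CONFIGURED = ["10.1.20.15", "10.1.40.0/24"]


def parse_drop(line):
    """Return (src_ip, proto, dport) for a LOG line aimed at a syslog port, else None."""
    m = IPT_LOG_RE.search(line)
    if not m:
        return None
    dport = int(m.group("dpt"))
    if dport not in SYSLOG_PORTS or m.group("proto") not in ("UDP", "TCP"):
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:
        return None
    return src, m.group("proto"), dport


def unknown_sources(lines, configured):
    """Count syslog-port hits per sender that is not a configured data source.

    `configured` may hold single addresses or CIDR ranges (a subnet that is
    already onboarded). Returns {ip_string: hit_count}.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in configured]
    counts = Counter()
    for line in lines:
        parsed = parse_drop(line)
        if parsed is None:
            continue
        src, _proto, _dport = parsed
        if any(src in n for n in nets):
            continue
        counts[str(src)] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, hits in sorted(unknown_sources(SAMPLE_LOG.splitlines(), CONFIGURED).items()):
        print(f"unconfigured syslog sender {ip}: {hits} dropped packet(s)")
```

Run daily against the drop log and the current data-source export and the output is the "daily report" asked for above; feed it to a scheduled alert and it is the alarm. The caveat from the thread still applies: this only works if the receiver's firewall actually emits its drop messages somewhere you can read them.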
Did you find a way to manage this? I am looking for the same option.
Our IT team is not managing the SIEM. When they add a new server, they should configure it to send events to the SIEM and alert us to add the data source. But it happens that they forget to tell us... So if we could have a report / dashboard / something to track it directly in the SIEM, it would be great.
It seems such an obvious feature, I can't understand why it is not here...