7 Replies Latest reply on Oct 10, 2016 2:53 AM by ecan007

    Adding SIEM datasource

    ecan007

      I have added a Linux syslog datasource to the SIEM.

      The syslog events will be forwarded to this datasource on port 514 and I set the configuration:

       

      Data Source Screen Settings

      1. Data Source Vendor – Unix

      2. Data Source Model – Linux

      3. Data Format – Default

      4. Data Retrieval – Default

      5. Enabled: Parsing/Logging/SNMP Trap – <Defaults>

      6. Name – Name of data source

      7. IP Address/Hostname – The IP address and host name associated with the data source device.

      8. Syslog Relay – <Enable>

      9. Mask – <Default>

      10. Require Syslog TLS – Enable to require the Receiver to communicate over TLS.

      11. Support Generic Syslogs – <Default>

      12. Time Zone – Time zone of data being sent.

       

      I have even checked iptables, and the IP address was listed as allowed to receive messages from;

      however, I still see the datasource inactive and don't see any logs.

      tcpdump showed no packets coming in from the source, and even after enabling logging on iptables, I didn't see anything from the source IP.

      Not sure if iptables was logging correctly, but if I look at the source IP within the SIEM I do see some events:


      It seems we do get events in, but they've been rejected?

       

      How can I correct this?

        • 1. Re: Adding SIEM datasource
          infoseced

          Click on the Packet tab and let's see what the REC is parsing.

          • 2. Re: Adding SIEM datasource
            ecan007

            Sorry, where is the Packet tab?

            Maybe you have a screen shot?

            • 3. Re: Adding SIEM datasource
              yd9038

              It is in your screenshot:

               

              We may be more helpful if we see the packet (raw) data. If it is no longer in "Packet" tab, you can retrieve it from ELM through "ELM Archive" tab.

               

              The device type you have appears to be a Fortinet Firewall. Device Type 355 is for "FortiGate UTM - Space Delimited (ASP)", I'd change the datasource type to that from Unix/Linux, so it will use the right parser rules:

              • 4. Re: Adding SIEM datasource
                ecan007

                By the way, thanks for your replies on your weekend.

                 

                That was a good point; I totally ignored the signature ID.

                The source system isn't a firewall (as far as I know, but I will double check); the source IP and the destination IP

                are in the same subnet, so there should be no firewall or even a NAC in place.

                The source IP is the datasource itself and the destination IP is the McAfee receiver.

                I already checked the Packet tab (didn't know what you meant in the first place) and changed some info:


                <189>date=2016-10-09 time=22:17:01 devname="name of device" devid=FGT5HD3915800356 logid=0000000013 type=traffic subtype=forward level=notice vd="looks loke a domain info"  srcip=" datasource IP"  srcport=50935 srcintf="VLAN100-CORE" dstip="mcafee receiver:  dstport=514 dstintf="VLAN100-CORE" sessionid=215039833 proto=17 action=deny policyid=0 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="SYSLOG" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=high

                 

                I am not sure about this event.

                Was this event sent from the datasource, and what is the "deny" action?

                Was this event denied or is this information about the event itself?

                • 5. Re: Adding SIEM datasource
                  ecan007

                  After a good look at the events, it seems this packet is not from the datasource, but from the Fortinet firewall.

                  Have to talk to the system engineers about why this is coming from a firewall. It looks like the firewall is blocking the events,

                  but I'm not 100% sure, because there shouldn't be a firewall between the devices.

                  • 6. Re: Adding SIEM datasource
                    yd9038

                    The screenshot and the event packet you provided are from a Fortinet firewall.

                     

                    It appears that the firewall is blocking traffic from the datasource over port 514 to the receiver.

                    The devices may be in a segmented environment. You will need to work with your firewall engineers to have them enable data flow between the datasource and the receiver.
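A detection check built from the diagnosis above, as an added example and not the SIEM's or any poster's code: it parses FortiGate space-delimited key=value events (the sample lines are constructed to mirror the redacted event in this thread; IPs and the device ID are placeholders) and flags traffic events where the firewall denied syslog destined for the receiver address.

```python
import re
from typing import Dict, List

# Constructed sample events in FortiGate key=value format (placeholder IPs/devid).
# The first mirrors the thread's case: UDP/514 to the receiver denied by policy 0.
SAMPLE_EVENTS = [
    '<189>date=2016-10-09 time=22:17:01 devname="fw-core" devid=FGT-PLACEHOLDER '
    'logid=0000000013 type=traffic subtype=forward level=notice vd="root" '
    'srcip=10.0.0.25 srcport=50935 srcintf="VLAN100-CORE" dstip=10.0.0.10 '
    'dstport=514 dstintf="VLAN100-CORE" proto=17 action=deny policyid=0 '
    'service="SYSLOG" sentbyte=0 rcvdbyte=0',
    '<189>date=2016-10-09 time=22:17:05 devname="fw-core" devid=FGT-PLACEHOLDER '
    'logid=0000000013 type=traffic subtype=forward level=notice vd="root" '
    'srcip=10.0.0.25 srcport=51000 srcintf="VLAN100-CORE" dstip=10.0.0.40 '
    'dstport=443 proto=6 action=accept policyid=7 service="HTTPS"',
]

# key=value pairs; a value is either a double-quoted string (may contain spaces
# and escaped quotes) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate(line: str) -> Dict[str, str]:
    """Split one FortiGate event into a dict, stripping quotes from quoted values."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def denied_syslog_to_receiver(events: List[str], receiver_ip: str,
                              port: int = 514) -> List[Dict[str, str]]:
    """Return traffic events the firewall denied toward receiver_ip:port.

    A hit means the collector never saw the datasource's syslog, which matches an
    'inactive' datasource plus silence in tcpdump on the receiver side.
    """
    hits = []
    for line in events:
        ev = parse_fortigate(line)
        if (ev.get("type") == "traffic" and ev.get("action") == "deny"
                and ev.get("dstip") == receiver_ip
                and ev.get("dstport") == str(port)):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in denied_syslog_to_receiver(SAMPLE_EVENTS, "10.0.0.10"):
        print(f"blocked syslog: {hit['srcip']} -> {hit['dstip']}:{hit['dstport']} "
              f"policyid={hit['policyid']} on {hit['devname']}")
```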

                    • 7. Re: Adding SIEM datasource
                      ecan007

                      Thanks, I think you are right.

                      I should have read the log files completely.

                      Will contact the network admin about this.