Forwarding Windows events from syslog-ng or SSB to an ArcSight SIEM requires some preparation on both sides.
Since ArcSight's syslog-ng collector supports the SNARE log format out of the box, the easiest way is to use this format on the syslog-ng Agent side as well.
Depending on the requirements, if there is an SSB/syslog-ng PE in the forwarding chain, use the 'legacy' format on it to keep the template untouched.
Configure the following parameters on ArcSight's syslog collector:
- agent.properties:
  original setting:
  agents[0].syslogng.subagents.with.ietf=generic_syslog
  modified setting:
  agents[0].syslogng.subagents.with.ietf=snare_syslog|generic_syslog
- syslog.properties:
  syslog.subagentdef=:snare_syslog|generic_syslog
SCENARIO #1
SYSLOG-NG AGENT (SNARE) -> SSB/SYSLOG-NG PE SERVER (LEGACY SYSLOG) -> ARCSIGHT CONNECTOR
Configure the Agent in Snare protocol mode, set it to forward to a syslog-ng server, and on the syslog-ng server use a tcp() destination without any template changes.
SCENARIO #2
SYSLOG-NG AGENT (IETF SYSLOG) -> SSB/SYSLOG-NG PE SERVER (LEGACY SYSLOG + SNARE TEMPLATE) -> ARCSIGHT CONNECTOR
In this case the Agent forwards multi-line messages together with the SDATA fields, so the syslog-ng PE server has the chance to rebuild the Snare format with a template during forwarding. The template of the syslog-ng tcp() destination should look like this:
# Scenario #2: rebuild the Snare line from the Agent's win@18372.4 SDATA fields.
# The template must be one string literal; flags(no-multi-line) keeps each event on a single line.
destination d_arcsight {
    tcp("192.168.56.6" port("515")
        template("${BSDDATE} ${HOST}\tMSWinEventLog\t1\t${.SDATA.win@18372.4.EVENT_NAME}\t${EVENT_GLOBAL_COUNTER}\t${WEEKDAY} ${MONTHNAME} ${DAY} ${HOUR}:${MIN}:${SEC} ${YEAR}\t${.SDATA.win@18372.4.EVENT_ID}\t${.SDATA.win@18372.4.EVENT_SOURCE}\t${.SDATA.win@18372.4.EVENT_USERNAME}\t${.SDATA.win@18372.4.EVENT_SID_TYPE}\t${.SDATA.win@18372.4.EVENT_TYPE}\t${.SDATA.win@18372.4.EVENT_HOST}\t${.SDATA.win@18372.4.EVENT_CATEGORY}\t${.SDATA.win@18372.4.EVENT_DATA}\t${.SDATA.win@18372.4.EVENT_MESSAGE}\t${.SDATA.win@18372.4.EVENT_CONTAINER_COUNTER}\n")
        flags(no-multi-line)
    );
};
FIXME - not a bullet-proof solution, as some fields are missing: the Agent doesn't include all Snare-related SDATA fields in syslog mode (e.g. EVENT_SID_TYPE, EVENT_MESSAGE, etc.). The question is: is it enough for ArcSight?
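To check what the Scenario #2 template actually hands to the connector before deploying it, the following added Python script (not part of this article and not syslog-ng code) parses a constructed win@18372.4 SDATA block, lays the fields out in the same tab order with the syslog-ng macro formats approximated, and lists the columns that stay empty when the Agent omits a field; the host name, counter and timestamp are assumed values.

```python
import re
from datetime import datetime

# Tab-separated columns of the Scenario #2 template, in template order.
SDATA_COLUMNS = [
    "EVENT_NAME", "EVENT_ID", "EVENT_SOURCE", "EVENT_USERNAME", "EVENT_SID_TYPE",
    "EVENT_TYPE", "EVENT_HOST", "EVENT_CATEGORY", "EVENT_DATA", "EVENT_MESSAGE",
    "EVENT_CONTAINER_COUNTER",
]
_SD_ELEMENT = re.compile(r'\[win@18372\.4 ((?:[^\]\\]|\\.)*)\]')
_SD_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Constructed sample of an Agent message in IETF syslog mode; as the FIXME
# notes, EVENT_SID_TYPE and EVENT_MESSAGE are deliberately absent.
SAMPLE_MSG = (
    '<14>1 2024-05-03T10:15:42Z winhost01 - - - [win@18372.4 EVENT_NAME="Security" '
    'EVENT_ID="4624" EVENT_SOURCE="Microsoft-Windows-Security-Auditing" '
    r'EVENT_USERNAME="DOMAIN\\alice" EVENT_TYPE="Success Audit" EVENT_HOST="winhost01" '
    'EVENT_CATEGORY="Logon" EVENT_DATA="An account was successfully logged on." '
    'EVENT_CONTAINER_COUNTER="17"] An account was successfully logged on.'
)

def parse_win_sdata(msg: str) -> dict:
    """Return the win@18372.4 SD-PARAMs of an RFC 5424 message as a dict."""
    m = _SD_ELEMENT.search(msg)
    if not m:
        return {}
    # Undo RFC 5424 PARAM-VALUE escaping of the characters ", \ and ].
    return {k: re.sub(r'\\(["\\\]])', r'\1', v) for k, v in _SD_PARAM.findall(m.group(1))}

def missing_fields(sd: dict) -> list:
    """Template columns left empty because the Agent sent no SDATA for them."""
    return [f for f in SDATA_COLUMNS if f not in sd]

def render_snare(sd: dict, host: str, counter: int, ts: datetime) -> str:
    """Lay the fields out like the page's template (macro formats approximated)."""
    bsddate = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"         # ${BSDDATE}
    evtdate = ts.strftime("%a %b %d %H:%M:%S %Y")            # ${WEEKDAY} ${MONTHNAME} ${DAY} ...
    cols = [f"{bsddate} {host}", "MSWinEventLog", "1",
            sd.get("EVENT_NAME", ""), str(counter), evtdate]
    cols += [sd.get(f, "") for f in SDATA_COLUMNS[1:]]    # unset macros expand to ""
    return "\t".join(cols)

def render_sample() -> str:
    """Render SAMPLE_MSG with an assumed host, counter and timestamp."""
    return render_snare(parse_win_sdata(SAMPLE_MSG), "winhost01", 42,
                        datetime(2024, 5, 3, 10, 15, 42))
```

Comparing missing_fields() against the columns the ArcSight Snare parser relies on tells you, per Agent version, whether the FIXME above matters in your deployment.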
SCENARIO #3
SYSLOG-NG PE (LEGACY SYSLOG + SNARE TEMPLATE) -> SSB/SYSLOG-NG PE SERVER (LEGACY SYSLOG) -> ARCSIGHT CONNECTOR
You can deploy syslog-ng PE on the client side, where all Snare-related fields are available, and use template("$(format-snare)") to create Snare-compatible messages:
# Scenario #3: syslog-ng PE on the client emits Snare-format lines itself.
destination d_syslogng {
    tcp("192.168.56.5" port("513")
        template("$(format-snare)")
        flags(no-multi-line)
    );
};
Note: template("$(format-snare)") is an undocumented and unsupported template function!
On the syslog-ng server use a tcp() destination without any template changes.