[rsyslog-notify] Forum Thread: Re: [PARSING] Rsyslog parsing for SIEM - (Mode 'reply')

noreply at adiscon.com
Thu Feb 18 20:46:59 CET 2016


User: dlang 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26354#p26354

Message: 
----------
there are several things.

1. how to get the log into rsyslog

2. what parsing of the log can rsyslog do to extract meaning from the log.

3. what format does your SIEM accept (including what metadata it looks at)

4. and finally what needs to be done to get from #2 to #3


so, to address your needs.

If you can't get the thing that's generating the logs to deliver them
directly to rsyslog, then you have to fall back to writing a file and
having rsyslog periodically scrape it. This uses imfile
http://www.rsyslog.com/doc/v8-stable/configuration/modules/imfile.html

This gets the log into rsyslog, but without doing any parsing of the log to
extract useful data. Depending on the format of the log, this may be
acceptable, or you may be able to use mmjsonparse or mmnormalize to extract
more data from the log (like if there is a timestamp or something like
that)

Then we need to find out what your SIEM wants in the logs going to it. Some
accept standard syslog messages and you don't have to do anything other
than forward to them. Some ignore the hostname and look at the IP address
that forwarded the message to it; for those you may need to use omudpspoof to
get logs to it. In some cases you will want to make use of data that you
extract from the log file when sending to the SIEM (to set hostname,
programname, timestamp, etc), and for those cases, you will want to first
parse the message, and then create a custom template to deliver the
messages in the preferred format.

So, starting off. What do the logs look like in the /var/log/my_log.log
file? And what do you know about how your SIEM accepts messages?
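The four steps in the post, wired together as one rsyslog configuration (an added illustration, not code from dlang's post or from the rsyslog project). The file path is the one from the thread; the log line format, the rulebase path and contents, the template and ruleset names, and the SIEM host and port are assumptions:

```rsyslog
# Added example: turn /var/log/my_log.log into parsed, templated syslog for a SIEM.
# Assumed log line format (constructed):
#   2016-02-18 20:46:59 web01 myapp[1234]: user=alice action=login result=ok
# Assumed liblognorm rulebase /etc/rsyslog.d/my_log.rb (separate file; its one line is):
#   rule=:%date:date-iso% %time:time-24hr% %host:word% %prog:char-to:[%[%pid:number%]: %msg:rest%

module(load="imfile")       # step 1: read a file the producer cannot send to rsyslog directly
module(load="mmnormalize")  # step 2: extract fields from each line with the rulebase

# Step 3: the format the SIEM accepts (an RFC 3164-style line is assumed here).
# Hostname and program name come from the parsed fields, not from the relay host.
template(name="siem_fmt" type="string"
         string="<%pri%>%timegenerated:::date-rfc3164% %$!host% %$!prog%[%$!pid%]: %$!msg%\n")

input(type="imfile" File="/var/log/my_log.log" Tag="my_log:"
      Severity="info" Facility="local0" ruleset="to_siem")

ruleset(name="to_siem") {
    # parsed fields land in $!date, $!time, $!host, $!prog, $!pid, $!msg
    action(type="mmnormalize" rulebase="/etc/rsyslog.d/my_log.rb")

    if $parsesuccess == "OK" then {
        # step 4: deliver in the SIEM's format (target host and port are assumed)
        action(type="omfwd" target="siem.example.internal" port="514"
               protocol="tcp" template="siem_fmt")
    } else {
        # lines the rulebase does not match are kept locally for review and still
        # forwarded with the default format, so nothing is silently dropped
        action(type="omfile" file="/var/log/my_log.unparsed")
        action(type="omfwd" target="siem.example.internal" port="514" protocol="tcp")
    }
}
```

Check the result with `rsyslogd -N1` before reloading, and inspect /var/log/my_log.unparsed to see which line shapes the rulebase still needs to cover.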

