Project

General

Profile

Suricata with ELSA Enterprise logging set up guide » Stand-alone-syslog-ng.conf

Peter Manev, 10/01/2012 06:46 AM

 
@version: 3.2

source s_network {
tcp();
udp();
};

parser p_db {
db-parser(file("/opt/elsa/node/conf/patterndb.xml"));
};

filter f_rewrite_cisco_program { match('^(%[A-Z]+\-\d\-[0-9A-Z]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
filter f_rewrite_cisco_program_2 { match('^[\*\.]?(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?: [A-Z]{3})?: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
filter f_rewrite_cisco_program_3 { match('^\d+[ywdh]\d+[ywdh]: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };
#filter f_local7 { facility(local7); };

### added
source s_suricata { unix-dgram("/dev/log"); internal();
file("/proc/kmsg" program_override("kernel")); };

rewrite r_cisco_program {
set("$1", value("PROGRAM") condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)));
set("$2", value("MESSAGE") condition(filter(f_rewrite_cisco_program) or filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)));
};

rewrite r_snare { subst("MSWinEventLog.+(Security|Application|System).+", "$1", value("PROGRAM") flags(global)); };
rewrite r_pipes { subst("\t", "|", value("MESSAGE") flags(global)); };
rewrite r_host { set("$SOURCEIP", value("HOST")); };
rewrite r_extracted_host { set("$pdb_extracted_sourceip", value("HOST") condition("$pdb_extracted_sourceip" != "")); };

template t_db_parsed { template("$R_UNIXTIME\t$HOST\t$PROGRAM\t${.classifier.class}\t$MSGONLY\t${i0}\t${i1}\t${i2}\t${i3}\t${i4}\t${i5}\t${s0}\t${s1}\t${s2}\t${s3}\t${s4}\t${s5}\n"); };

source s_bro_conn { file("/nsm/bro/logs/current/conn.log" flags(no-parse) program_override("bro_conn")); };
source s_bro_http {
file("/nsm/bro/logs/current/http.log" flags(no-parse) program_override("bro_http"));
};
source s_bro_dns { file("/nsm/bro/logs/current/dns.log" flags(no-parse) program_override("bro_dns")); };
source s_bro_notice { file("/nsm/bro/logs/current/notice.log" flags(no-parse) program_override("bro_notice")); };
source s_bro_smtp { file("/nsm/bro/logs/current/smtp.log" flags(no-parse) program_override("bro_smtp")); };
source s_bro_smtp_entities { file("/nsm/bro/logs/current/smtp_entities.log" flags(no-parse) program_override("bro_smtp_entities")); };
source s_bro_ssl { file("/nsm/bro/logs/current/ssl.log" flags(no-parse) program_override("bro_ssl")); };
source s_ossec { file("/var/ossec/logs/archives/archives.log" program_override('ossec_archive') follow_freq(1) flags(no-parse)); };
destination d_elsa { program("perl /opt/elsa/node/elsa.pl -c /etc/elsa_node.conf" template(t_db_parsed)); };

log {
source(s_suricata); #filter (f_local7);
source(s_bro_conn);
source(s_bro_http);
source(s_bro_dns);
source(s_bro_notice);
source(s_bro_smtp);
source(s_bro_smtp_entities);
source(s_bro_ssl);
source(s_ossec);
source(s_network);
rewrite(r_host);
rewrite(r_cisco_program);
rewrite(r_snare);
rewrite(r_pipes);
parser(p_db);
rewrite(r_extracted_host);
destination(d_elsa);
};
(3-3/3)