SIEM Collector

Syslog Integration Guide

Guide for forwarding system and application logs to the CyberOptix SIEM collector using rsyslog with TLS encryption.


Overview

This guide shows how to configure rsyslog to forward system, Apache and NGINX logs to the CyberOptix SIEM collector over a TLS-encrypted TCP connection, with each event carried in CEF (Common Event Format) as the syslog message body.


Prerequisites

  • Ubuntu Server with rsyslog installed
  • Network connectivity from the server to the CyberOptix SIEM collector on the collector's TCP port
  • SIEM collector hostname and port (provided by CyberOptix)
  • The CA certificate that issued the collector's TLS certificate, in PEM format; the x509/name verification used below cannot succeed without it

Part 1: Install Required Packages

Install rsyslog with TLS support (rsyslog-gnutls provides the gtls network stream driver used in the configurations below):

sudo apt install rsyslog rsyslog-gnutls -y

Part 2: Configure System Log Forwarding

Step 1: Create Rsyslog Configuration

Create a new configuration file for system logs:

sudo nano /etc/rsyslog.d/server-logs-2-remote-tls.conf

Step 2: Add Configuration

Paste the following configuration (replace syslog-collector.example.com with your SIEM collector hostname, and the CA file path with the location of the CA certificate for the collector). The CEF template places the program name, facility, tag and severity of each syslog record in the CEF header and the message body in the extension; it uses %msg% rather than %rawmsg%, which would repeat the whole raw syslog record (priority, timestamp, host and tag included) inside the extension.

# CA certificate used to verify the collector's TLS certificate; required for x509/name.
# The path is an example: point it at the CA file for your collector.
global(DefaultNetstreamDriverCAFile="/etc/rsyslog.d/siem-ca.pem")

template(name="CEFFormat"
    type="string"
    string="CEF:0|-|%programname%|-|%syslogfacility-text%|%syslogtag%|%syslogseverity-text%|%msg%"
)

# action.resumeRetryCount="-1" keeps retrying instead of discarding events while the
# collector is unreachable; they wait in the in-memory queue until the connection is back.
*.* action(
    type="omfwd"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="syslog-collector.example.com"
    template="CEFFormat"
    queue.type="linkedList"
    action.resumeRetryCount="-1"
    target="syslog-collector.example.com"
    port="8888"
    protocol="tcp"
)

For outages longer than the in-memory queue can absorb, add a disk-assisted queue (queue.filename and queue.saveOnShutdown) so that events survive a restart of rsyslog.

Step 3: Restart Rsyslog

sudo systemctl restart rsyslog
sudo systemctl status rsyslog

Part 3: Configure Apache Log Forwarding

Step 1: Update Apache Configuration

Edit your Apache configuration file (e.g., /etc/apache2/apache2.conf or virtual host file):

sudo nano /etc/apache2/apache2.conf

Step 2: Add CEF Log Formats

Add the following log format definitions (see the Apache mod_log_config documentation for the format specifiers). The request line, query string, Referer and User-Agent values are client-controlled and are only quoted here, not CEF-escaped; a CEF parser does not treat quotes specially, so a client can place key=value text in them that is read as additional fields. Treat those fields as untrusted on the collector side. request_id=%{UNIQUE_ID}e is empty unless mod_unique_id is enabled (a2enmod unique_id).

# Access log: one CEF line per request, piped to logger so it enters syslog as local6.info
LogFormat "CEF:0|Apache Software Foundation|Apache|2.4|HTTPAccess|Access Log|5|client_ip=%a src=%h dst=%v request=\"%r\" query_string=\"%q\" method=%m response=%>s referer=\"%{Referer}i\" user_agent=\"%{User-agent}i\"" cef

# Error log: %M is the message, %l the log level, %a the client IP and port; %{UNIQUE_ID}e needs mod_unique_id
ErrorLogFormat "CEF:0|Apache Software Foundation|Apache|2.4|%E|Error Log|5|msg=\"%M\" src=%a log_level=%l request_id=%{UNIQUE_ID}e"

CustomLog "|/usr/bin/logger -t apache-cef -p local6.info" cef
ErrorLog "|/usr/bin/logger -t apache-error -p local6.err"

Step 3: Create Rsyslog Configuration

Create a configuration file for Apache logs:

sudo nano /etc/rsyslog.d/apache-logs-2-remote-tls.conf

Paste the following configuration. Messages on facility local6 are forwarded with rsyslog's default forward format, so the CEF line Apache produced travels as the syslog message body. The stop statement keeps the catch-all rule in server-logs-2-remote-tls.conf, which rsyslog loads after this file because /etc/rsyslog.d is read in alphabetical order, from forwarding the same event a second time wrapped in another CEF header.

if ($syslogfacility-text == 'local6') then {
    action(
        type="omfwd"
        StreamDriver="gtls"
        StreamDriverMode="1"
        StreamDriverAuthMode="x509/name"
        StreamDriverPermittedPeers="syslog-collector.example.com"
        queue.type="linkedList"
        action.resumeRetryCount="-1"
        target="syslog-collector.example.com"
        port="8888"
        protocol="tcp"
    )
    # Already forwarded; do not let later rules send this event again.
    stop
}

Step 4: Restart Services

sudo systemctl restart rsyslog
sudo systemctl restart apache2

Part 4: Configure NGINX Log Forwarding

Step 1: Update NGINX Configuration

Edit your NGINX configuration file (e.g., /etc/nginx/nginx.conf or /etc/nginx/conf.d/default.conf):

sudo nano /etc/nginx/nginx.conf

Step 2: Add CEF Log Format

Add the following log format definition in the http block. NGINX escapes double quotes, backslashes and control characters in logged variables (escape=default), but not the = sign that CEF parsers split on, so request, referer and user_agent remain client-controlled fields that can carry forged key=value pairs; treat them as untrusted on the collector side. Both logs are sent over UDP to the local syslog port, so rsyslog must have a UDP listener on 127.0.0.1:514. For error_log the level is the final argument; the severity= parameter only applies to access_log.

log_format cef 'CEF:0|F5|NGINX|1.0|HTTPAccess|Access Log|5|'
               'src=$remote_addr dst=$server_name request="$request" '
               'query_string=$query_string method=$request_method '
               'response=$status referer=$http_referer user_agent=$http_user_agent';

access_log syslog:server=127.0.0.1:514,facility=local6,tag=nginx,severity=info cef;
error_log syslog:server=127.0.0.1:514,facility=local6,tag=nginx_error error;

Step 3: Create Rsyslog Configuration

Create a configuration file for NGINX logs:

sudo nano /etc/rsyslog.d/nginx-logs-2-remote-tls.conf

Paste the following configuration. The imudp input makes rsyslog listen on the UDP port NGINX sends to; binding it to 127.0.0.1 keeps the port off the network. The stop statement keeps the catch-all rule in server-logs-2-remote-tls.conf, which rsyslog loads after this file because /etc/rsyslog.d is read in alphabetical order, from forwarding the same event a second time wrapped in another CEF header.

# NGINX sends to 127.0.0.1:514 over UDP, so rsyslog must listen there.
# Load imudp only once: remove these two lines if /etc/rsyslog.conf already loads it.
module(load="imudp")
input(type="imudp" address="127.0.0.1" port="514")

if ($syslogfacility-text == 'local6') then {
    action(
        type="omfwd"
        StreamDriver="gtls"
        StreamDriverMode="1"
        StreamDriverAuthMode="x509/name"
        StreamDriverPermittedPeers="syslog-collector.example.com"
        queue.type="linkedList"
        action.resumeRetryCount="-1"
        target="syslog-collector.example.com"
        port="8888"
        protocol="tcp"
    )
    # Already forwarded; do not let later rules send this event again.
    stop
}

Step 4: Restart Services

sudo systemctl restart rsyslog
sudo systemctl restart nginx

Configuration Parameters

Required Values

Parameter                   Description                                              Example
StreamDriverPermittedPeers  Name the collector's certificate must carry              syslog-collector.cyberoptix.io
                            (CN or DNS subject alternative name)
target                      SIEM collector hostname                                  syslog-collector.cyberoptix.io
port                        SIEM collector TCP port                                  8888

Replace syslog-collector.example.com with your actual CyberOptix SIEM collector hostname in all configuration files.

TLS Configuration Details

Setting               Value      Purpose
StreamDriver          gtls       Use the GnuTLS network stream driver (from rsyslog-gnutls)
StreamDriverMode      1          Enable TLS; 0 would send plaintext
StreamDriverAuthMode  x509/name  Verify the collector's certificate chain against the CA file and
                                 check that its name matches StreamDriverPermittedPeers
protocol              tcp        TCP transport; TLS is not available over UDP

Verification

Check Rsyslog Status

sudo systemctl status rsyslog

If rsyslog fails to start after a configuration change, sudo rsyslogd -N1 parses the configuration without starting the daemon and reports the offending line.

View Rsyslog Logs

sudo journalctl -u rsyslog -f

TLS handshake and certificate errors from the gtls driver (a CA file that does not verify the collector's certificate, or a certificate name that does not match StreamDriverPermittedPeers) are reported here, as are connection failures to the target.

Test Log Generation

Generate test log entries and confirm that each one arrives at the collector:

# Test system log (forwarded by the *.* rule with the CEF template)
logger -t test-app "Test message to SIEM"

# Test Apache or NGINX: an HTTP request makes the access log emit one CEF line on local6
curl http://localhost
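The logger and curl tests above go through rsyslog, so a failure does not tell you whether the TLS session or the configuration is at fault. The following added example (not part of the CyberOptix guide or of rsyslog) opens a TLS connection to the collector directly, performing the same checks that x509/name performs in rsyslog: the collector's certificate must chain to the CA file and carry the target hostname. It then sends one syslog-framed test event. The hostname, port, CA file path, the "web1" host name and the test event are assumptions. Two differences from rsyslog are worth knowing: Python's hostname check only accepts the name in the certificate's subject alternative names (rsyslog also accepts the CN), and the record framing (newline-terminated, which is rsyslog's default for TCP, or octet-counted) is an assumption to confirm with CyberOptix.

```python
"""Send one test event to the SIEM collector over TLS without going through rsyslog.

Added example, not part of the CyberOptix guide or of rsyslog. It reproduces the
checks rsyslog's gtls driver makes in x509/name mode: the collector's certificate
must chain to the configured CA file and must carry the expected hostname.
Hostname, port, CA file path and the sample event are assumptions.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional

# Syslog facility and severity codes (RFC 5424, section 6.2.1); PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "authpriv": 10, "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}


def syslog_pri(facility: str, severity: str) -> int:
    """Compute the <PRI> value; local6.info, used by the Apache CustomLog, is 182."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def syslog_frame(facility: str, severity: str, hostname: str, tag: str, message: str,
                 timestamp: Optional[str] = None, octet_counting: bool = False) -> bytes:
    """Build one syslog record in the layout rsyslog's default forward template uses:
    <PRI>RFC3339-TIMESTAMP HOSTNAME TAG: MESSAGE. Traditional TCP framing terminates the
    record with a newline; octet-counting framing (RFC 6587) prefixes its byte length instead.
    """
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).astimezone().isoformat(timespec="seconds")
    record = f"<{syslog_pri(facility, severity)}>{timestamp} {hostname} {tag}: {message}".encode()
    if octet_counting:
        return str(len(record)).encode() + b" " + record
    return record + b"\n"


def send_test_event(host: str, port: int, cafile: str, frame: bytes, timeout: float = 5.0) -> dict:
    """Connect with TLS, verifying the chain against cafile and the hostname against the
    certificate (the equivalent of StreamDriverAuthMode=x509/name plus PermittedPeers),
    send the frame and report what was negotiated."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            tls.sendall(frame)
            return {
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    # Usage: python3 siem_tls_test.py syslog-collector.example.com 8888 /etc/rsyslog.d/siem-ca.pem
    host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    # Constructed test event in the guide's system-log CEF layout; "web1" is an assumed hostname.
    event = "CEF:0|-|siem-test|-|user|siem-test:|info|TLS forwarding test from web1"
    frame = syslog_frame("user", "info", "web1", "siem-test", event)
    try:
        print(send_test_event(host, port, cafile, frame))
    except ssl.SSLCertVerificationError as exc:
        # The same class of failure rsyslog logs for a wrong CA file or a name mismatch.
        sys.exit(f"certificate verification failed: {exc.verify_message}")
```

If this script connects and the event appears at the collector while the rsyslog path does not, the problem is in the rsyslog configuration rather than in the network, the CA file or the certificate; if it fails with a verification error, fix the CA file or the hostname before touching rsyslog.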

Log Format Overview

All logs are formatted using CEF (Common Event Format) for standardized ingestion:

CEF Format Structure:

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

The seven header fields are separated by unescaped pipes; a literal pipe or backslash inside a header field must be written as \| or \\. The extension is a space-separated list of key=value pairs, in which a literal = or backslash inside a value must be written as \= or \\. CEF defines Severity as an integer from 0 to 10; the system log template instead carries the syslog severity name (notice, err, and so on), which is not that scale.

Example System Log (from the CEFFormat template in Part 2; the syslogtag property includes the trailing colon):

CEF:0|-|sshd|-|auth|sshd[12345]:|notice|Accepted publickey for user from 192.168.1.100

Example Apache Access Log:

CEF:0|Apache Software Foundation|Apache|2.4|HTTPAccess|Access Log|5|client_ip=192.168.1.100 src=192.168.1.100 dst=www.example.com request="GET /index.html HTTP/1.1" method=GET response=200

Additional Resources