Forward or export data from NLS to another source
Hi,
We have an internal initiative to send logs to an outside source that is using IBM SIEM. I have been asked if it is possible to forward logs from NLS as they come in and send them to an external source. Is this something that I can do with NLS? If not, is there a way to export log data and send it to another source?
Let me know if you need more information.
Thanks,
David
Re: Forward or export data from NLS to another source
Yes, you should be able to, using the output part in NLS. To point you in the right direction, what kind of inputs does the IBM SIEM support?
Former Nagios Employee
Re: Forward or export data from NLS to another source
I am still trying to get that information as to the format for SIEM.
How or where do I manage the output in NLS?
Thanks,
Re: Forward or export data from NLS to another source
Got it. Let us know once you find out from them.
It's Administration -> Global Configuration (or per instance) -> Show Outputs -> Add Output
Former Nagios Employee
Re: Forward or export data from NLS to another source
Thanks, found it. Do you have any documentation or examples that I can look at or use to build a rule? I am new to NLS/ELK.
Re: Forward or export data from NLS to another source
This is what I got back from the people that manage SIEM.
let me know if you need me to get more info from them.
Thanks,
David
Code:
There are literally hundreds of protocols accepted by QRadar, I’ve pulled out the few that we use most often.
QRadar will accept LEEF or CEF formatted logs using the syslog, TLS syslog, or log file protocols. When we’re using the log file protocol we can pick the files up from an FTP, SFTP, SCP, or AWS location.
We can also accept any format of log using general syslog, or collect any format of log from a log file via FTP, SFTP, SCP, AWS.
Ideally we would receive the logs via syslog (tcp). If the above options don’t work, we can work with the following protocols of log transfer. If the logs can’t be provided in syslog or log file format, we’ll need to get involved in a conversation about configuring one of these options.
JDBC (from a table or a view)
SMB Tail
SNMP v1-3
Syslog Redirect
TCP Multiline Syslog
TLS Syslog
UDP Multiline Syslog
MS Event Log
MS Event Log over MSRPC
Thanks,
David
Re: Forward or export data from NLS to another source
Thanks for getting the information from them.
You should be able to add this as an output to NLS -
Code:
# Plain TCP output; the default codec for the tcp output is json,
# so each event is sent as one JSON document.
tcp {
  host => '192.168.3.190'   # address of the receiving collector
  port => '19999'           # TCP port the collector listens on
}
This will send JSON output via TCP to 192.168.3.190, using port 19999. (adjust to your needs) You could always change the CODEC to something other than JSON, depending on what they'd like.
A couple links for your reference are -
https://www.elastic.co/guide/en/logstas ... s-tcp.html (output for TCP via logstash)
https://www.elastic.co/guide/en/logstas ... ugins.html (available output types)
Former Nagios Employee
Re: Forward or export data from NLS to another source
Cool, thanks. Will that forward all data coming in to another source? Also, what if we wanted to limit it to specific query?
Thanks,
Re: Forward or export data from NLS to another source
You can do it to a type of traffic (type => syslog, for instance), but not to a specific query. In your scenario, I would probably just have the device you're logging traffic from directly send to your IBM device.
Former Nagios Employee.
Re: Forward or export data from NLS to another source
We got things working with tcp. They are looking to see if that will work for them. I did try to use syslog as the output. I ran the following on each server to install the plugin
Code:
./plugin install logstash-output-syslog
Validating logstash-output-syslog
Installing logstash-output-syslog
Installation successful
However, the verify failed. I was also not sure about how to write the rule. The tcp was straightforward, but for syslog, there was more to it. I am guessing I should have added a syslog block under tcp.
e.g.
Code:
tcp {
  host => ...
  port => ...
}
syslog {
  facility => ...
  host => ...
  port => ...
  severity => ...
}
or should I replace tcp with syslog? So the output would look like this.
Code:
syslog {
  facility => ...
  host => ...
  port => ...
  severity => ...
}
As you can tell, this is all new to me. I am looking through the links that you sent, but is there a good primer to get me going? If I can get a good explanation on writing inputs, outputs, and filters, that would be a huge help.
To your last comments, where would the traffic (type => syslog) go? We also want to avoid sending data from all servers to Nagios and SIEM.
Thanks,
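As an added example (not part of the original thread, and not Nagios' own configuration), the following NLS output block ties together the two points left open above: the Nagios reply that forwarding can be restricted to a type of traffic (type => syslog) but not to a query, and the question of whether the syslog output goes alongside the tcp block or replaces it. It replaces it: one output plugin per destination, otherwise every event is sent twice. It uses the logstash-output-syslog plugin installed above and is pasted the same way the bare tcp block was. The collector address and port, the field names program and host (as NLS's syslog input names them), and the LEEF vendor/product values are assumptions to adjust.

```conf
# Forward only events that NLS typed as "syslog" (the type is set by the
# NLS input); everything else stays local and is never sent to the SIEM.
if [type] == "syslog" {
  syslog {
    # Hypothetical QRadar collector; use the address the SIEM team gives you.
    host       => "192.168.3.190"
    port       => 514
    # The SIEM team asked for syslog over TCP. Use "ssl-tcp" (with the
    # plugin's ssl_* options) if they want their TLS syslog listener instead,
    # since plain TCP ships the log contents in cleartext.
    protocol   => "tcp"
    rfc        => "rfc5424"
    # Syslog header; facility/severity are fixed here, the rest come from
    # fields NLS parsed out of the original syslog line (assumed names).
    facility   => "local0"
    severity   => "informational"
    appname    => "%{program}"
    sourcehost => "%{host}"
    # LEEF 2.0 payload. Declaring '^' as the attribute delimiter in the header
    # avoids needing a literal tab in the config string (LEEF 1.0 requires tab).
    message    => "LEEF:2.0|Nagios|NLS|1|%{program}|^|src=%{host}^msg=%{message}"
  }
}
```

The message is what QRadar parses, so the LEEF header fields (vendor, product, version, event id) should match whatever log source the SIEM team defines on their side; anything after the delimiter is key=value pairs. If a field referenced in a sprintf string such as %{program} is absent from an event, Logstash emits the literal placeholder, which is a quick way to spot events that did not go through the expected NLS filter.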