Can we export logs to SIEM System

hsmith · Post by **hsmith** » Mon Jul 25, 2016 4:08 pm

I would love for NLS to break in to that market.

Post by **eloyd** » Mon Jul 25, 2016 4:38 pm

Dude, we're already doing it. Too bad about #nagioscon16, because I was going to put that into one of my talks.

tmcdonald · Post by **tmcdonald** » Mon Jul 25, 2016 4:47 pm

Definitely upsetting, but I'd like to keep this on-topic and give the OP time to respond.

sgiworks · Post by **sgiworks** » Tue Aug 23, 2016 2:08 pm

Do we need to mention additional out location on each machines? or can we have the Nagios Log Server to forward/ ship already collected logs to Security Analytics Solution at remote location.

- Swapnil

rkennedy · Post by **rkennedy** » Tue Aug 23, 2016 2:25 pm

NLS should be able to forward them. Under Global Configuration, you should see a part for 'Show Outputs'. Click that, then configure an output accordingly. To look at what logstash supports, see this page - https://www.elastic.co/guide/en/logstas ... ugins.html

An example, for TCP output would be -

Code: Select all

tcp {
    host => '192.168.5.5'
    port => '5555'
}

sgiworks · Post by **sgiworks** » Fri Aug 26, 2016 8:35 am

Thank you, let me try and I'll get back to you if there are any further questions.

sgiworks · Post by **sgiworks** » Fri Aug 26, 2016 9:07 am

Created a CSV output using following script, however when click on save the additional output disappears. Again I clicked on Show Output and I see it there is inactive mode, where as it doesn't allow me to make it active.

csv {
fields => ...
path => ...
}

rkennedy · Post by **rkennedy** » Fri Aug 26, 2016 10:34 am

You'll want to install the logstash-output-csv. It isn't included with NLS by default.

Code: Select all

/usr/local/nagioslogserver/logstash/bin/plugin install logstash-output-csv

Then, set up your CSV output similar to this -

Code: Select all

csv {
fields => ['host', 'message']
path => '/tmp/test.csv'
}

Make sure the file is writable by the nagios user and you should see the file begin to populate.

Code: Select all

[root@localhost tmp]# ls -al test.csv
-rwxrwxrwx 1 nagios nagios 26894 Aug 26 11:33 test.csv
[root@localhost tmp]# tail test.csv
127.0.0.1,"  apache : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/logstash status
"
127.0.0.1,"  apache : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/elasticsearch status
"
127.0.0.1,"  nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/elasticsearch status
"
127.0.0.1,"  nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/logstash status
"
127.0.0.1,"  nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/logstash status
"
[root@localhost tmp]#

sgiworks · Post by **sgiworks** » Mon Aug 29, 2016 9:37 am

[root@ip-10-2-4-222 ec2-user]# /usr/local/nagioslogserver/logstash/bin/plugin install logstash-output-csv
Can only install contrib at this time... Exiting.

Post by **mcapra** » Mon Aug 29, 2016 11:35 am

What version of NLS is this instance running? We may need to find/build an older spec file for this plugin.

Nagios Support Forum

Can we export logs to SIEM System

Re: Can we export logs to SIEM System

Re: Can we export logs to SIEM System

Re: Can we export logs to SIEM System

Re: Can we export logs to SIEM System

Re: Can we export logs to SIEM System

Re: Can we export logs to SIEM System

Re: Can we export logs to SIEM System

Re: Can we export logs to SIEM System

Re: Can we export logs to SIEM System

Re: Can we export logs to SIEM System