Page 2 of 4
Re: Can we export logs to SIEM System
Posted: Mon Jul 25, 2016 4:08 pm
by hsmith
I would love for NLS to break in to that market.
Re: Can we export logs to SIEM System
Posted: Mon Jul 25, 2016 4:38 pm
by eloyd
Dude, we're already doing it. Too bad about #nagioscon16, because I was going to put that into one of my talks.
Re: Can we export logs to SIEM System
Posted: Mon Jul 25, 2016 4:47 pm
by tmcdonald
Definitely upsetting, but I'd like to keep this on-topic and give the OP time to respond.
Re: Can we export logs to SIEM System
Posted: Tue Aug 23, 2016 2:08 pm
by sgiworks
Do we need to mention an additional output location on each machine? Or can we have the Nagios Log Server forward/ship the already collected logs to the Security Analytics solution at a remote location?
- Swapnil
Re: Can we export logs to SIEM System
Posted: Tue Aug 23, 2016 2:25 pm
by rkennedy
NLS should be able to forward them. Under Global Configuration, you should see a part for 'Show Outputs'. Click that, then configure an output accordingly. To look at what logstash supports, see this page -
https://www.elastic.co/guide/en/logstas ... ugins.html
An example, for TCP output would be -
    tcp {
      host => '192.168.5.5'   # address of the remote collector / SIEM
      port => '5555'          # TCP port the collector listens on
    }
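Before pointing a production output at the SIEM, it helps to confirm that events really leave NLS in the shape the receiving side expects. The following is an added example, not code from this thread or from Nagios: a stand-in for the SIEM side of the tcp output above. It listens on a TCP port, reads newline-delimited JSON (what the tcp output sends when its codec is json; that codec, the loopback host, the ephemeral port and the event fields are assumptions made for this demo) and separates well-formed events from lines that are not JSON objects. Note that the tcp output as configured above sends plaintext; the plugin has ssl_enable/ssl_cert/ssl_key options for carrying logs across a network you do not fully trust.

```python
"""Added example for this thread (not code from the original posts or from
Nagios): a stand-in for the SIEM side of a Logstash/NLS tcp output.

It listens on a TCP port, reads newline-delimited JSON (what the tcp output
emits when its codec is json) and separates well-formed events from lines
that are not JSON objects.  demo() runs sender and receiver on the loopback
interface with constructed sample events.  Host, port and event fields are
assumptions for the demo, not values from a real deployment.
"""
import json
import socket
import threading

# Constructed sample events, shaped like the fields NLS attaches to a syslog
# line.  None of these values come from a real system.
SAMPLE_EVENTS = [
    {"@timestamp": "2016-08-26T11:33:00.000Z", "host": "127.0.0.1",
     "program": "sudo",
     "message": " nagios : TTY=unknown ; USER=root ; COMMAND=/etc/init.d/logstash status"},
    {"@timestamp": "2016-08-26T11:33:01.000Z", "host": "127.0.0.1",
     "program": "sudo",
     "message": " apache : TTY=unknown ; USER=root ; COMMAND=/etc/init.d/elasticsearch status"},
    {"@timestamp": "2016-08-26T11:33:02.000Z", "host": "127.0.0.1",
     "program": "sshd",
     "message": "Accepted publickey for ec2-user from 10.2.4.10 port 52114 ssh2"},
]
# A line that is not JSON at all, to show what the receiver does with it.
BAD_LINE = b"this is not an event\n"


def parse_stream(data):
    """Split a received byte stream into decoded events and rejected lines.

    The tcp output terminates each JSON document with a newline, so a
    complete stream can be split on b"\\n".  Anything that is not a JSON
    object is kept separately so it can be reported rather than silently
    dropped.
    """
    events, rejected = [], []
    for raw in data.split(b"\n"):
        line = raw.strip()
        if not line:
            continue
        try:
            obj = json.loads(line.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            obj = None
        if isinstance(obj, dict):
            events.append(obj)
        else:
            rejected.append(line.decode("utf-8", "replace"))
    return events, rejected


def receive_one_connection(listener, timeout=5.0):
    """Accept a single sender, read until it closes, and parse what it sent."""
    listener.settimeout(timeout)
    conn, _peer = listener.accept()
    chunks = []
    with conn:
        conn.settimeout(timeout)
        while True:
            chunk = conn.recv(65536)
            if not chunk:  # sender closed the connection: stream complete
                break
            chunks.append(chunk)
    return parse_stream(b"".join(chunks))


def ship(host, port, events, extra=b""):
    """Stand-in for the NLS side: one JSON document per line over plain TCP.

    `extra` is appended verbatim so the demo can inject a malformed line.
    Returns the number of bytes written.
    """
    payload = b"".join(json.dumps(e).encode("utf-8") + b"\n" for e in events) + extra
    with socket.create_connection((host, port)) as sock:
        sock.sendall(payload)
    return len(payload)


def demo(host="127.0.0.1"):
    """Run receiver and sender on loopback and summarise what got through."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    result = {}

    def serve():
        result["events"], result["rejected"] = receive_one_connection(listener)

    worker = threading.Thread(target=serve)
    worker.start()
    sent = ship(host, port, SAMPLE_EVENTS, extra=BAD_LINE)
    worker.join()
    listener.close()

    events, rejected = result["events"], result["rejected"]
    return {
        "bytes_sent": sent,
        "received": len(events),
        "rejected": len(rejected),
        "programs": sorted({e.get("program", "?") for e in events}),
    }


if __name__ == "__main__":
    print(demo())
```

To use it against a real NLS output, bind the listener to the address and port you put in the tcp block and let receive_one_connection read one delivery; a non-empty rejected list usually means the output's codec is not json, and an empty events list with a clean exit usually means a firewall or the wrong port.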
Re: Can we export logs to SIEM System
Posted: Fri Aug 26, 2016 8:35 am
by sgiworks
Thank you, let me try and I'll get back to you if there are any further questions.
Re: Can we export logs to SIEM System
Posted: Fri Aug 26, 2016 9:07 am
by sgiworks
Created a CSV output using the following script; however, when I click on save the additional output disappears. Again I clicked on Show Output and I see it there in inactive mode, whereas it doesn't allow me to make it active.
    csv {
      fields => ...
      path => ...
    }
Re: Can we export logs to SIEM System
Posted: Fri Aug 26, 2016 10:34 am
by rkennedy
You'll want to install the logstash-output-csv plugin. It isn't included with NLS by default.
    /usr/local/nagioslogserver/logstash/bin/plugin install logstash-output-csv
Then, set up your CSV output similar to this -
    csv {
      fields => ['host', 'message']   # columns, written in this order, no header row
      path => '/tmp/test.csv'         # file the nagios user must be able to write
    }
Make sure the file is writable by the nagios user and you should see the file begin to populate.
[root@localhost tmp]# ls -al test.csv
-rwxrwxrwx 1 nagios nagios 26894 Aug 26 11:33 test.csv
[root@localhost tmp]# tail test.csv
127.0.0.1," apache : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/logstash status
"
127.0.0.1," apache : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/elasticsearch status
"
127.0.0.1," nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/elasticsearch status
"
127.0.0.1," nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/logstash status
"
127.0.0.1," nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/logstash status
"
[root@localhost tmp]#
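The tail output above shows why the CSV file needs a real CSV parser rather than a line split: the message field keeps its trailing newline, so every record spans two lines. The following is an added example, not code from this thread or from Nagios, that parses that output (the sample text is copied from the listing above) and pulls the sudo fields out of each message. The field names, the sudo regex and the summary are this example's own assumptions.

```python
"""Added example for this thread (not code from the original posts or from
Nagios): parse the file that logstash-output-csv writes with
fields => ['host', 'message'] and pull the sudo fields out of each message.

The sample text is copied from the tail output in the post above; the
field names, the sudo regex and the summary are this example's own.
"""
import csv
import io
import re

# Must match the plugin's `fields` list, in order: the file has no header
# row, so the column meaning comes only from the configuration.
FIELDS = ("host", "message")

# The message field keeps its trailing newline, which is why each record
# spans two lines in the file and has to be read as CSV, not split on "\n".
SAMPLE_CSV = (
    '127.0.0.1," apache : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/logstash status\n"\n'
    '127.0.0.1," apache : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/elasticsearch status\n"\n'
    '127.0.0.1," nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/elasticsearch status\n"\n'
    '127.0.0.1," nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/logstash status\n"\n'
    '127.0.0.1," nagios : TTY=unknown ; PWD=/var/www/html/nagioslogserver/www ; USER=root ; COMMAND=/etc/init.d/logstash status\n"\n'
)

# sudo's syslog line: "<actor> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=..."
SUDO_RE = re.compile(
    r"^(?P<actor>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target_user>\S+) ; COMMAND=(?P<command>.+)$"
)


def read_rows(text, fields=FIELDS):
    """Parse CSV text into dicts keyed by the configured field names.

    csv.reader joins quoted fields that contain newlines, so the two-line
    records in the file come back as single rows.
    """
    rows = []
    for record in csv.reader(io.StringIO(text)):
        if not record:
            continue
        if len(record) != len(fields):
            raise ValueError("expected %d columns, got %r" % (len(fields), record))
        rows.append(dict(zip(fields, record)))
    return rows


def parse_sudo(message):
    """Return the sudo fields of a message, or None if it is not a sudo line."""
    match = SUDO_RE.match(message.strip())
    return match.groupdict() if match else None


def summarise(text):
    """Count sudo invocations per actor and list distinct commands run as root."""
    rows = read_rows(text)
    by_actor = {}
    root_commands = set()
    unparsed = 0
    for row in rows:
        info = parse_sudo(row["message"])
        if info is None:
            unparsed += 1
            continue
        by_actor[info["actor"]] = by_actor.get(info["actor"], 0) + 1
        if info["target_user"] == "root":
            root_commands.add(info["command"])
    return {
        "rows": len(rows),
        "unparsed": unparsed,
        "by_actor": by_actor,
        "root_commands": sorted(root_commands),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_CSV))
```

One caveat on the listing above: a file with mode 0777 in /tmp can be appended to or truncated by any local user, so it should not be treated as a record of anything. Since logstash writes the file as the nagios user, a directory owned by nagios with mode 0750 and a 0640 file is enough for the csv output and keeps other users out.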
Re: Can we export logs to SIEM System
Posted: Mon Aug 29, 2016 9:37 am
by sgiworks
[root@ip-10-2-4-222 ec2-user]# /usr/local/nagioslogserver/logstash/bin/plugin install logstash-output-csv
Can only install contrib at this time... Exiting.
Re: Can we export logs to SIEM System
Posted: Mon Aug 29, 2016 11:35 am
by mcapra
What version of NLS is this instance running? We may need to find/build an older spec file for this plugin.