Can we export logs to SIEM System

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Can we export logs to SIEM System

Post by tmcdonald »

That's a bit out of scope for this forum. If you need assistance writing code I would have to ask you to speak to one of the developers on your team. We can help with getting things into Nagios, but writing custom code for a remote system is out of scope.
Former Nagios employee
sgiworks
Posts: 197
Joined: Mon Mar 21, 2016 11:38 am

Re: Can we export logs to SIEM System

Post by sgiworks »

Wouldn't you support installing a plugin in Nagios Log Server from the website that you provided?
eloyd
Cool Title Here
Posts: 2190
Joined: Thu Sep 27, 2012 9:14 am
Location: Rochester, NY

Re: Can we export logs to SIEM System

Post by eloyd »

I don't work for Nagios, but I'm sure the answer is something like "Nagios supports Nagios software. You're asking for assistance installing a logstash output filter that is not part of the software included with Nagios Log Server. Therefore, it is not supported by Nagios."

In other words, just because they are using logstash under the hood does not mean that Nagios Enterprises can support everything that can be done with logstash.
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd
I'm a Nagios Fanatic! • Join our public Nagios Discord Server!
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Can we export logs to SIEM System

Post by tmcdonald »

eloyd wrote: I don't work for Nagios, but I'm sure the answer is something like "Nagios supports Nagios software. You're asking for assistance installing a logstash output filter that is not part of the software included with Nagios Log Server. Therefore, it is not supported by Nagios."

In other words, just because they are using logstash under the hood does not mean that Nagios Enterprises can support everything that can be done with logstash.
Actually my answer was in response to a request for assistance to help "write a code", which would be out of scope. Might have been a misunderstanding on my part - I thought he wanted us to write new software or modify existing software.
sgiworks wrote: Wouldn't you support installing a plugin in Nagios Log Server from the website that you provided?
This would just be a simple output filter most likely, not a whole plugin. The difference is that plugins are generally written by Logstash devs to handle a certain type of input or codec, whereas filters tend to be written by end users to manipulate data once it is in the system already.

Probably we would be looking at configuring this plugin by means of writing a filter it can run:

https://www.elastic.co/guide/en/logstas ... -http.html

So we would need to know what sort of API this HTTP endpoint is using so we know how to format the output.

I'll also point out that we cannot guarantee that a given plugin/version will work since they were not written by us, but we will do what we can.
Former Nagios employee
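As an added example (not from the thread and not Nagios-supplied configuration), this is what a logstash-output-http block looks like once the receiving API is known: each event is posted as a JSON document. The collector URL, the header name, the token path, the CA file and the field names under `mapping` are placeholders and assumptions about the SIEM's API; the `[type]` test assumes the input tags events with a type. The first block is the minimal form, which sends the raw log stream in clear text to an unauthenticated endpoint; the second is the form a production deployment should use. Use one or the other, not both.

```logstash
# Minimal form: fine for a quick test, but every event leaves the box as
# plain HTTP with no authentication, so anyone who can answer on
# 192.168.3.115 (or sit on the path to it) receives the raw log stream.
output {
  http {
    url         => "http://192.168.3.115/collector"   # placeholder
    http_method => "post"
    format      => "json"
  }
}

# Hardened form for a real SIEM collector.
output {
  # Only forward the event types the SIEM needs (assumes the input sets [type]).
  if [type] == "syslog" or [type] == "eventlog" {
    http {
      url          => "https://siem.example.com/api/v1/events"   # placeholder
      http_method  => "post"
      format       => "json"
      content_type => "application/json"
      headers      => {
        # Collector credential; keep this file readable by the logstash user only.
        "Authorization" => "Bearer REPLACE_WITH_COLLECTOR_TOKEN"   # placeholder
      }
      # Rename/select fields to match the collector's schema (assumed names).
      mapping      => {
        "timestamp" => "%{@timestamp}"
        "source"    => "%{host}"
        "message"   => "%{message}"
        "program"   => "%{program}"
      }
      # CA that issued the collector's certificate. Leave certificate
      # validation on so a spoofed collector cannot harvest the stream.
      cacert       => "/etc/pki/tls/certs/siem-ca.pem"   # placeholder path
    }
  }
}
```

In the thread only the inner `http { ... }` block is added through the Log Server interface; the `output { }` wrapper is shown so the fragment is a complete pipeline file that `logstash --configtest` can check. Before switching the URL to the real SIEM, confirm with the SIEM vendor's API documentation whether it wants one JSON object per request (the `json` format above) or another shape, since that decides what `mapping` and `content_type` must be.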
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: Can we export logs to SIEM System

Post by rkennedy »

I just tested the basic functionality, and it appears to be working at that level.

[root@localhost nagioslogserver]# logstash/bin/plugin install logstash-output-http
Validating logstash-output-http
Installing logstash-output-http
Installation successful
I then added an output:

  http {
    url => "http://192.168.3.115"
    http_method => "post"
  }
Taking a look at the access_log on my XI machine:

::1 - - [07/Sep/2016:11:13:22 -0400] "POST /nagiosxi/backend/ HTTP/1.1" 200 808 "-" "BinGet/1.00.A (http://www.bin-co.com/php/scripts/load/)"
::1 - - [07/Sep/2016:11:13:42 -0400] "POST /nagiosxi/backend/ HTTP/1.1" 200 808 "-" "BinGet/1.00.A (http://www.bin-co.com/php/scripts/load/)"
192.168.47.1 - - [07/Sep/2016:11:13:50 -0400] "POST  HTTP/1.1" 400 313 "-" "-"
192.168.47.1 - - [07/Sep/2016:11:13:50 -0400] "POST  HTTP/1.1" 400 313 "-" "-"
192.168.47.1 - - [07/Sep/2016:11:13:50 -0400] "POST  HTTP/1.1" 400 313 "-" "-"
192.168.47.1 - - [07/Sep/2016:11:13:50 -0400] "POST  HTTP/1.1" 400 313 "-" "-"
192.168.47.1 - - [07/Sep/2016:11:13:50 -0400] "POST  HTTP/1.1" 400 313 "-" "-"
192.168.47.1 - - [07/Sep/2016:11:13:50 -0400] "POST  HTTP/1.1" 400 313 "-" "-"
I can see it's successfully posting. I didn't configure it with any data, but it should work at this point if I were to. A guide that may help you is this one: http://blog.eagerelk.com/how-to-configu ... sh-output/
Former Nagios Employee
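The access_log above shows the requests arriving but being answered with 400, which is as far as a web server's log can take you. A stand-in collector that prints each POST and says why it would have been rejected is a quicker way to see what the http output actually sends before pointing it at the real SIEM. This is an added example, not code from the thread or from Nagios; the port, the `/events` path and the required field names are assumptions, so change them to match the real collector's API.

```python
"""Stand-in HTTP collector for checking what logstash-output-http sends.

Run it on the machine that will receive the events, set the http output's
url to http://<this host>:8514/events, and watch the console: every POST is
printed with the status it was given and the reason. Added example; the
port, path and required fields are assumptions, not the thread's values.
"""
import json
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

LISTEN_PORT = 8514                                    # assumed; any free port
EXPECTED_PATH = "/events"                             # assumed collector path
REQUIRED_FIELDS = ("@timestamp", "host", "message")   # assumed SIEM schema
MAX_BODY = 1 << 20                                    # refuse bodies over 1 MiB


def validate_event(path, content_type, body):
    """Return (status, reason) for one POST, the way a strict collector would.

    200 accepted, 404 wrong path, 413 too large, 415 not JSON, 400 malformed.
    Pure function (no I/O) so it can be exercised without a socket.
    """
    if path != EXPECTED_PATH:
        return 404, "path %r is not %s (check the url setting)" % (path, EXPECTED_PATH)
    if len(body) > MAX_BODY:
        return 413, "body of %d bytes exceeds %d" % (len(body), MAX_BODY)
    if not content_type.startswith("application/json"):
        return 415, "content type %r; use format => json" % content_type
    try:
        event = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        return 400, "body is not valid JSON: %s" % exc
    if not isinstance(event, dict):
        return 400, "JSON body is not an object"
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        return 400, "missing fields %s (adjust mapping =>)" % ", ".join(missing)
    return 200, "accepted"


class CollectorHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        # Read at most one byte over the limit so oversized bodies get 413
        # without buffering an arbitrary amount of data.
        body = self.rfile.read(min(length, MAX_BODY + 1))
        status, reason = validate_event(
            self.path, self.headers.get("Content-Type", ""), body)
        sys.stderr.write("%s %s -> %d %s\n"
                         % (self.client_address[0], self.path, status, reason))
        if status == 200:
            sys.stderr.write("  body: %s\n" % body.decode("utf-8", "replace")[:500])
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(reason.encode("utf-8") + b"\n")

    def log_message(self, fmt, *args):
        # Silence the default per-request line; do_POST prints a better one.
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", LISTEN_PORT), CollectorHandler).serve_forever()
```

A 404 from this tool is the same failure the thread's access_log shows as a 400: the `url` has no path, so the request line has nothing after `POST`. Once every POST prints `200 accepted` with the fields the SIEM expects, the same `http { ... }` block can be pointed at the real collector.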
sgiworks
Posts: 197
Joined: Mon Mar 21, 2016 11:38 am

Re: Can we export logs to SIEM System

Post by sgiworks »

Hi again,

I have installed the logstash-output-csv plugin on a new Log Server, and I am trying to configure dashboard results as output. Can you help me with the script for the 'Windows Failed Logons' dashboard results here?

[root@IWKSEASPAINLS01 bin]# /usr/local/nagioslogserver/logstash/bin/plugin install logstash-output-csv
Validating logstash-output-csv
Installing logstash-output-csv
Installation successful

Example:

  csv {
    fields => ['host', 'message']
    path => '/tmp/test.csv'
  }
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Can we export logs to SIEM System

Post by mcapra »

That is not how the logstash-output-csv plugin works. This plugin takes events that are in the Logstash pipeline, and writes them out to CSV. It can't work with results that are currently stored in Elasticsearch.

As mentioned in the other thread, if you can navigate Elasticsearch queries well enough, this application might be of use:
https://github.com/mcapra/nagios-nlsexport
Former Nagios employee
https://www.mcapra.com/
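Since the csv output only sees events passing through the pipeline, the way to get a failed-logon CSV out of Logstash itself is to match those events as they arrive rather than to read the dashboard's stored results back from Elasticsearch. This is an added example, not from the thread or from Nagios. The field names (`Channel`, `EventID`, `Hostname`, `TargetUserName`, `IpAddress`, `SubStatus`) are those NXLog emits for the Windows Security log and are an assumption about this install, as is `EventID` arriving as a number rather than a string; the output path is a placeholder.

```logstash
# Append Windows failed-logon events (Security log, event 4625) to a daily
# CSV as they pass through the pipeline. Field names are assumed NXLog
# names; check them against a live event in the Log Server query view.
output {
  if [Channel] == "Security" and [EventID] == 4625 {
    csv {
      # One file per day via the @timestamp date sprintf; placeholder path.
      path   => "/var/log/nagioslogserver/failed-logons-%{+YYYY-MM-dd}.csv"
      fields => ["@timestamp", "Hostname", "TargetUserName", "IpAddress", "SubStatus"]
      csv_options => { "col_sep" => "," }
    }
  }
}
```

The file is written by the logstash service account and contains account names and source addresses, so the directory should not be world-readable, and something has to rotate or remove old files since the csv output only appends. If `EventID` turns out to be a string on this install, the test becomes `[EventID] == "4625"`.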
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Can we export logs to SIEM System

Post by cdienger »

Did mcapra's post help you?