External Logging » History » Version 2
Luke Murphey, 04/03/2010 01:08 PM
1 | 1 | Luke Murphey | h1. Logging to a SEIM or Log Management System |
---|---|---|---|
2 | 1 | Luke Murphey | |
3 | 1 | Luke Murphey | NSIA can forward the logs to a SEIM (Security Event and Information Management) system such as ArcSight or to a log management such as Splunk. NSIA sends logs via the Syslog protocol and can therefore submit logs to nearly any device that accepts syslog messages. To set up logging, open the configuration page by clicking "Modify Configuration" in the web interface from the main dashboard. Look for the section titled "Logging Subsystem." The logging system has the following options: |
4 | 1 | Luke Murphey | |
5 | 1 | Luke Murphey | |
6 | 1 | Luke Murphey | |Option | Description | |
7 | 1 | Luke Murphey | |Log Format |Defines how the log messages are contructed (see below for details) | |
8 | 1 | Luke Murphey | |Syslog Server Address |The address to send the messages to | |
9 | 1 | Luke Murphey | |Syslog Log Port |The port to send the messages to | |
10 | 1 | Luke Murphey | |Logging Enabled |Enables or disables external logging | |
11 | 1 | Luke Murphey | |Transport Protocol |Determines if TCP or UDP is used | |
12 | 2 | Luke Murphey | |
13 | 2 | Luke Murphey | The log format option determines how the log messages are formatted. Below is a description of the three formats: |
14 | 2 | Luke Murphey | |
15 | 2 | Luke Murphey | |
16 | 2 | Luke Murphey | |Format |Description | |
17 | 2 | Luke Murphey | |Native |Format specific to NSIA; this is the most readable format in it's raw form |
18 | 2 | Luke Murphey | |CEE (Common Event Expression) |Splunk designed format (going to be a Mitre standard). This is the easiest of the three formats to parse | |
19 | 2 | Luke Murphey | |CEF (Common Event Format) |ArcSight's standarized format. | |
20 | 2 | Luke Murphey | |
21 | 2 | Luke Murphey | NSIA supports logging over both TCP and UDP. Technically, the syslog protocol only supports UDP, however, TCP is generally better if the log device accepts it since TCP ensures that dropped packets will be re-transmitted. Furthermore, NSIA will be able to detect when the TCP connection to log server fails and will cache the log messages until the server coems back online. NSIA will not cache messages when UDP is used because it cannot detect a failed connection (since UDP is connectionless). |
22 | 2 | Luke Murphey | |
23 | 2 | Luke Murphey | When TCP is used, NSIA will send each message in a separate TCP packet (just like UDP). Note that you may need to specify how the end of a message is detected in the log management device since the syslog specifications do not specify how to detect the end of a TCP syslog message (and not everybody does it the same way). If the device recieving the messages might corrupt the messages if it does not know how to parse each message. |
24 | 2 | Luke Murphey | |
25 | 2 | Luke Murphey | NSIA will cache the log messages if the TCP connection to the log server fails. All of the cached messages will be forwarded to the log server once it is available again. However, log messages will not be cached if UDP is used since NSIA cannot determine if the log server has accepted the messages. |