External Logging » History » Version 2

Luke Murphey, 04/03/2010 01:08 PM

h1. Logging to a SEIM or Log Management System

NSIA can forward its logs to a SEIM (Security Event and Information Management) system such as ArcSight or to a log management system such as Splunk. NSIA sends logs via the Syslog protocol and can therefore submit logs to nearly any device that accepts syslog messages. To set up logging, open the configuration page by clicking "Modify Configuration" on the main dashboard of the web interface. Look for the section titled "Logging Subsystem." The logging system has the following options:

|Option                | Description                                                          |
|Log Format            |Defines how the log messages are constructed (see below for details)  |
|Syslog Server Address |The address to send the messages to                                   |
|Syslog Log Port       |The port to send the messages to                                      |
|Logging Enabled       |Enables or disables external logging                                  |
|Transport Protocol    |Determines if TCP or UDP is used                                      |

The log format option determines how the log messages are formatted. Below is a description of the three formats:

|Format                        |Description |
|Native                        |Format specific to NSIA; this is the most readable format in its raw form |
|CEE (Common Event Expression) |Splunk-designed format (going to be a MITRE standard). This is the easiest of the three formats to parse |
|CEF (Common Event Format)     |ArcSight's standardized format. |

NSIA supports logging over both TCP and UDP. Technically, the syslog protocol only supports UDP; however, TCP is generally better if the log device accepts it, since TCP ensures that dropped packets will be re-transmitted. Furthermore, NSIA can detect when the TCP connection to the log server fails and will cache the log messages until the server comes back online. NSIA will not cache messages when UDP is used because it cannot detect a failed connection (UDP is connectionless).

When TCP is used, NSIA will send each message in a separate TCP packet (just like UDP). Note that you may need to specify how the end of a message is detected in the log management device, since the syslog specifications do not specify how to detect the end of a TCP syslog message (and not everybody does it the same way). The device receiving the messages might corrupt them if it does not know how to parse each message.

NSIA will cache the log messages if the TCP connection to the log server fails. All of the cached messages will be forwarded to the log server once it is available again. However, log messages will not be cached if UDP is used since NSIA cannot determine if the log server has accepted the messages.
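
The end-of-message problem for TCP syslog described above, seen from the receiving side, as an added example (not NSIA code and not from the original page): a stream reassembler that recovers whole messages regardless of how TCP splits or coalesces them. It assumes the sender uses one of the two framings defined in RFC 6587 (octet-counting or an LF trailer); the page does not say which, if either, NSIA emits, and the sample messages are constructed.

```python
MAX_LEN = 8192  # assumed upper bound on one message; adjust to the receiver's limit


def octet_frame(msg: bytes) -> bytes:
    """Sender side of RFC 6587 octet-counting: 'LEN SP MSG'."""
    return str(len(msg)).encode() + b" " + msg


class SyslogFramer:
    """Reassembles syslog messages from TCP chunks, ignoring packet boundaries."""

    def __init__(self):
        self.buf = b""

    def feed(self, chunk: bytes) -> list:
        """Append received bytes and return every message completed so far."""
        self.buf += chunk
        done = []
        while self.buf:
            if self.buf[:1].isdigit():  # octet-counting frame
                head, sep, rest = self.buf.partition(b" ")
                if not sep and len(head) <= 5:
                    break  # length prefix not fully received yet
                if not sep or not head.isdigit() or int(head) > MAX_LEN:
                    raise ValueError("malformed or oversized length prefix")
                size = int(head)
                if len(rest) < size:
                    break  # body not fully received yet
                done.append(rest[:size])
                self.buf = rest[size:]
            else:  # non-transparent framing: message ends at LF
                line, sep, rest = self.buf.partition(b"\n")
                if not sep:
                    if len(line) > MAX_LEN:
                        raise ValueError("no LF trailer within size limit")
                    break
                if line:
                    done.append(line)
                self.buf = rest
        return done


if __name__ == "__main__":
    # Constructed sample messages, not real NSIA output.
    a, b = b"<134>NSIA: sample event one", b"<131>NSIA: sample event two"
    stream = octet_frame(a) + octet_frame(b)
    framer = SyslogFramer()
    print(framer.feed(stream[:10]))   # partial first message
    print(framer.feed(stream[10:]))   # remainder plus coalesced second message
```

A receiver that instead treats each read from the socket as one message will merge or truncate events whenever TCP delivers them in different-sized pieces, which is the corruption the paragraph above warns about.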