
siem script doesn't send syslog messages to remote address

Hi,

Has anyone integrated Sophos Central with a SIEM recently via syslog? I've been running the script on Ubuntu and I can see events are being populated in result.txt, but I don't see them in the SIEM. I am 100% sure there is connectivity between the SIEM and Ubuntu, since I've sent test messages and they were received by the SIEM. Can anyone comment please? Sophos support is directing me to get professional services for this and I don't think it is that hard to configure this.

# format can be json, cef or keyvalue
format = cef

# filename can be syslog, stdout, any custom filename
filename = result.txt

# endpoint can be event, alert or all
endpoint = all

# syslog properties
# for remote address use <remoteServerIp>:<port>, for e.g. 192.1.2.3:514
# for linux local systems use /dev/log
# for MAC OSX use /var/run/syslog
address = siem_IP:514
facility = daemon
socktype = udp



  • I also ran into this issue. You need to change the filename parameter to 'syslog'. The config being named filename isn't very intuitive and is a bit confusing since, if you set it to the value 'syslog', it doesn't output to a file at all but instead uses the syslog-related configs below and sends the events/alerts there.

    You would want this as your config:

    # format can be json, cef or keyvalue
    format = cef

    # filename can be syslog, stdout, any custom filename
    filename = syslog

    # endpoint can be event, alert or all
    endpoint = all

    # syslog properties
    # for remote address use <remoteServerIp>:<port>, for e.g. 192.1.2.3:514
    # for linux local systems use /dev/log
    # for MAC OSX use /var/run/syslog
    address = siem_IP:514
    facility = daemon
    socktype = udp

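As an added example (not code from the Sophos script or from anyone in this thread), a small Python check that reads the key = value config shown above and flags the exact mismatch the poster hit: a filename other than syslog while a remote address is configured, which writes events to that file and leaves the syslog settings unused. It assumes the config has no section header (one is prepended if missing) and that socktype accepts udp or tcp.

```python
import configparser
from typing import Dict, List

# Constructed sample: the poster's config. Events land in result.txt and nothing reaches the SIEM.
CONFIG_FILE_OUTPUT = """\
format = cef
filename = result.txt
endpoint = all
address = siem_IP:514
facility = daemon
socktype = udp
"""

# Constructed sample: the reply's fix, filename = syslog, which routes output to the syslog target.
CONFIG_SYSLOG_OUTPUT = CONFIG_FILE_OUTPUT.replace("filename = result.txt", "filename = syslog")

VALID_SOCKTYPES = {"udp", "tcp"}  # assumption: the script accepts tcp as well as udp


def parse_siem_config(text: str) -> Dict[str, str]:
    """Parse key = value lines; a leading [section] header is optional (assumption)."""
    if not text.lstrip().startswith("["):
        text = "[siem]\n" + text
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {key: value.strip() for key, value in parser.items(parser.sections()[0])}


def check_siem_config(text: str) -> List[str]:
    """Return findings that would stop events reaching the SIEM; empty means the config is consistent."""
    cfg = parse_siem_config(text)
    findings = []
    filename, address = cfg.get("filename", ""), cfg.get("address", "")
    if filename != "syslog":
        # The pitfall from the thread: any other filename writes to that file and the syslog block is ignored.
        if address:
            findings.append(f"filename = {filename!r} writes to a file, so address {address!r} is never used; set filename = syslog")
        return findings
    if address.startswith("/"):
        return findings  # local socket such as /dev/log: no host/port or socktype to validate
    host, _, port = address.rpartition(":")
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append(f"address {address!r} must be <remoteServerIp>:<port> with a port in 1-65535")
    if cfg.get("socktype") not in VALID_SOCKTYPES:
        findings.append(f"socktype must be one of {sorted(VALID_SOCKTYPES)}, got {cfg.get('socktype')!r}")
    return findings
```

Run it against the real config.ini before chasing firewalls: a clean result for the syslog path plus a UDP test message that the SIEM does receive points at the script or SIEM parsing, not at connectivity.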