Gathering Data from Third-Party IT Systems

This article provides links to third-party device setup instructions as well as DefenseStorm-specific instructions to ensure the data is gathered by the DVM.

CarbonBlack Defense

What: Anti-virus
Reference: https://github.com/DefenseStorm/cbdefenseEventLogs

Checkpoint

What: Firewall Logs
How: via Syslog
Reference: sk87560.pdf
Notes: See the referenced PDF.  Specific configurations, modules, and/or hotfixes may be required to export firewall logs directly from a Security Gateway.


Cisco

Meraki 

What: Log/Event data from MX Security Appliances, MR Access Points, and MS switches
How: via Syslog
Reference: Link to third party instructions
Notes: Direct the syslog data to the DVM on UDP port 516

Miscellaneous Cisco Routers & Switches

Reference:
Notes:

The clock, timestamp and logging configuration below is required for timestamps to be correct.  Products using this configuration:

  • Cisco 2901 Routers
  • Cisco 2921 Router
  • Cisco 2960 switches
  • Cisco 2504 Wireless Controller
  • Cisco 3560
  • Cisco 4331 ISR
  • Cisco 4451
  • Cisco 5515

Configuration Commands (the zone name and offset are for US Eastern; substitute your own.  clock timezone takes the standard-time zone and its UTC offset, clock summer-time the daylight-saving zone name):

  • clock timezone EST -5 0
  • clock summer-time EDT recurring
  • service timestamps log datetime localtime
  • logging host <IP of DVM> transport tcp port 514
  • logging source-interface <INTERFACE NAME>

  • Use an NTP server from NIST (ntp server <NTP IP>)
  • If no data arrives at the DVM, try UDP 516 (logging host <IP of DVM> transport udp port 516)

  • Verify the NTP configuration and that the clock is synchronized:
  • show ntp config
  • show ntp status

ASAs (logging must be turned on globally before a host is added; the interface name comes before the address):

  • logging enable
  • logging host <INTERFACE NAME> <IP of DVM>
  • logging trap informational

IOS routers and switches: log privilege escalation (generates a syslog message each time a user enters enable mode):

  • logging userinfo

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swlog.html


Command Logging (IOS configuration change logger; the last three commands are entered in the archive > log config sub-mode, and hidekeys keeps passwords out of the logged commands):

  • archive
  • log config
  • logging enable
  • notify syslog
  • hidekeys
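The reason the clock and timestamp commands above matter is visible in the messages themselves: IOS prefixes the timestamp with "*" when the device clock is not authoritative (no NTP sync yet) and with "." when it was synced and has since lost its source.  The following is an added example, not DefenseStorm or Cisco code, that parses IOS syslog lines in the "service timestamps log datetime localtime" format (with or without msec, year and show-timezone) and flags messages from devices whose clock cannot be trusted.  The sample lines are constructed; the PRI, sequence number and mnemonic layout follow the IOS syslog format.

```python
"""Parse Cisco IOS syslog lines as the DVM receives them and flag messages
whose timestamp shows the device clock was not NTP-synchronised.  Added
example, not DefenseStorm or Cisco code.  It assumes the device uses
'service timestamps log datetime localtime' (optionally with msec, year and
show-timezone) and relies on IOS marking the timestamp with '*' when the
clock is not authoritative and with '.' when it has lost sync with its NTP
source.  Sample lines are constructed."""
import re

# <PRI>[seq: ][*|.]Mmm dd [yyyy ]hh:mm:ss[.mmm][ ZONE]: %FACILITY-SEV-MNEMONIC: text
IOS_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<seq>\d+): )?"
    r"(?P<sync>[*.]?)"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} (?:\d{4} )?\d{2}:\d{2}:\d{2}(?:\.\d{3})?)"
    r"(?: (?P<tz>[A-Za-z]{3,5}))?: "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

CLOCK_STATE = {"": "synced", "*": "not authoritative", ".": "lost sync"}

SAMPLE_LINES = [   # constructed for this example
    "<189>45: Mar  1 00:01:23.456 EST: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<189>46: *Mar  1 00:01:30.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<187>47: .Mar  1 00:02:00.000 EST: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<190>48: Mar  1 2019 00:02:05: %SEC_LOGIN-6-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5]",
    "not a cisco line",
]


def parse_ios_syslog(line):
    """Split one IOS syslog line into its fields; unparsable input is returned with parsed=False."""
    m = IOS_LINE.match(line.strip())
    if not m:
        return {"raw": line, "parsed": False}
    rec = m.groupdict()
    pri = int(rec["pri"])
    rec["syslog_facility"] = pri >> 3          # PRI = facility * 8 + severity
    rec["syslog_severity"] = pri & 7
    rec["clock_state"] = CLOCK_STATE[rec["sync"]]
    rec["clock_authoritative"] = rec["sync"] == ""
    rec["has_timezone"] = rec["tz"] is not None   # only present with 'show-timezone'
    rec["parsed"] = True
    return rec


def flag_unsynced(lines):
    """Records generated while the device clock was not authoritative: their
    timestamps cannot be trusted for correlation until NTP is fixed."""
    return [r for r in map(parse_ios_syslog, lines)
            if r["parsed"] and not r["clock_authoritative"]]


if __name__ == "__main__":
    for r in flag_unsynced(SAMPLE_LINES):
        print(f"seq {r['seq']}: clock {r['clock_state']} at {r['ts']} ({r['mnemonic']})")
```

Run against a capture from a newly configured device: any "not authoritative" or "lost sync" hits mean the ntp server line or the device's reachability to the NTP source still needs attention, and a missing zone means show-timezone was not added to the service timestamps command.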


Cisco Nexus

What: Switch and Router events/logging
How: via Syslog
Reference: Link to third party instructions
Notes:

First figure out which VRF to use:

  • ping <DVM> vrf management

If that works, use the management VRF; if not, determine which VRF reaches the DVM:

  • show vrf

Configure the logging (use-vrf names the VRF chosen above, e.g. management or default):

  • logging server <DVM> 6 use-vrf <VRF>
  • logging module 6
  • logging monitor 6
  • logging level all 6
  • copy run start

NOTE: If you want to change an existing logging server line, remove it with "no" first and then enter the new command; otherwise the change may not take effect.


Cisco Nexus Router

What: Cisco Nexus Routers
Notes: NTP Configuration:

ntp server <NTPIP> prefer

show ntp peers

show ntp peer-status


Check the Time:

sh clock


Lookup VRF:

sh vrf interface


Enable Syslog Logging:

logging server <DVM> 6 use-vrf <VRF NAME>


Set Module Severity Level:

logging level all 6


If the logging server line was entered before the VRF was known and is not working, remove it with "no" and then enter the complete new command including use-vrf.

Cisco Call Manager

What: Call Detail Records and logs/events
How: via Syslog
Reference: http://www.cisco.com/c/en/us/support/docs/voice/h323/14068-cdr-logging.html
Notes:

The configuration needs to be completed on the router that is configured with the PRIs.

Ensure timestamps are included in logging messages.

Example Configuration:

  • service timestamps log datetime msec localtime
  • logging 10.64.6.250


Cisco Wireless LAN Controllers

What: Access point management
Reference: https://www.cisco.com/c/en/us/support/docs/wireless/4100-series-wireless-lan-controllers/107252-WLC-Syslog-Server.html

CloudFlare

What: CDN and web security events
Reference: https://github.com/DefenseStorm/cloudflareEventLogs

CrowdStrike

What: Falcon Solutions
How: via CrowdStrike provided module installed on the DVM
Reference:
Notes:

Install

sudo dpkg --install crowdstrike-cs-falconhoseclient_71-siem-release-1.0_amd64.deb

Edit /opt/crowdstrike/etc/cs.falconhoseclient.cfg

  • Set API Key and UUID
  • Set log format to “syslog” from json
  • Set send to syslog server to “true”

Add the following line to /etc/rc.local just above the exit line so the client starts at boot:

  • nohup /opt/crowdstrike/bin/cs.falconhoseclientd --nodaemon --config=/opt/crowdstrike/etc/cs.falconhoseclient.cfg &

Then disable the packaged upstart job so it does not start a second copy:

  • mv /etc/init/cs.falconhoseclientd.conf /etc/init/cs.falconhoseclientd.conf.orig

Create new logrotate config with the following contents for the client log files: /etc/logrotate.d/crowdstrike

/var/log/crowdstrike/falconhoseclient/cs.falconhoseclient.log
/var/log/crowdstrike/falconhoseclient/output
{
  rotate 12
  monthly
  compress
  missingok
  notifempty
}

Reboot to verify that the program starts on boot

Verify that log file are created in /var/log/crowdstrike/falconhoseclient


Dell PowerConnect Switch

What: Switch logs/events
How: via Syslog
Notes:

CLI Configuration Reference (from global configuration mode; logging cli-command and logging web-session are global commands, so enter them after leaving the logging host sub-mode):

logging <IP of DVM>

  • description DefenseStorm
  • exit
  • logging cli-command
  • logging web-session
  • exit



Dell SonicWall

What: Firewall
How: via Syslog
Reference: https://support.software.dell.com/kb/sw5106


Duo

What: Duo Security (MFA) authentication and administrator logs
Reference: https://github.com/DefenseStorm/duoEventLogs

Microsoft Exchange Audit Events

What: Microsoft Exchange Mailbox Audit Events
How: via PowerShell script to Windows Event log and then DefenseStorm Agent
Reference: https://kb.defensestorm.com/help/collecting-event-data-from-exchange
Notes: Instructions for configuration are provided in the referenced DefenseStorm KB article.


Extreme Networks

What: Switch Logs
How: via Syslog
Notes: Enabling Syslog (EXOS)
  • configure syslog add <DVM IP> local0
  • configure log target syslog <DVM IP> local0 severity info
  • enable log target syslog <DVM IP> local0
  • configure log target syslog <DVM IP> local0 from <source-ip-to-use>
Enabling Time with SNTP
  • enable sntp-client
  • configure sntp-client primary <ip-address> vr <vr-name>


Fortigate

What: Firewall Events/Logs
How: via Syslog
Reference: https://help.fortinet.com/fadc/4-5-1/olh/Content/FortiADC/handbook/log_remote.htm (FortiADC handbook; see the section on Advanced Logging for configuring multiple logging servers)
Notes:

CLI config example for syslog:

  • config log syslogd{n} setting
  •     set status enable
  •     set csv disable
  •     set facility local{n}
  •     set server <ip-address of the dvm>
  •     set reliable disable (UDP, the DVM default; set reliable enable would switch to TCP)
  •     set port 514
  • end

NOTE: {n} selects which of the four syslog server settings to configure: "syslogd" (no number) for the first and "syslogd2" to "syslogd4" for the others.  The facility local{n} is independent of that number; any of local0 to local7 can be used.


HP Lefthand SAN

What: SAN Log/Event Data
How: via Syslog
Reference: http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=mmr_kc-0110324


HP Procurve Switch

What: Switch Events/Logs
How: via Syslog
Notes:

configure

logging <IP of DVM>

logging system-module all-pass

write mem


IronPort

IronPort Mail Filter

What: Mail Filter and administration logs
How: via Syslog
Notes:

Configure via the Administration Web Interface:

System Administration -> Log Subscriptions (set the retrieval method of each subscription to Syslog Push to the DVM)

Configure the following Logs:

  • antispam
  • antivirus
  • cli_logs
  • dlp
  • error_logs
  • gui_logs
  • mail_logs
  • scanning
  • system_logs
  • web_client


Juniper

SSL VPN / Pulse Secure

What: VPN Logs/Events
How: via Syslog
Reference: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB22227
Notes:

Use UDP protocol, port 514


McAfee

ePO

What: McAfee ePO
Reference:
  1. Enabling DVM to accept Syslog over SSL
  2. Link to third party instructions


MillenniumUltra

What: MillenniumUltra Log Files
How: via NXLog
Notes: millenniumultra.conf (syslogng-out is the existing DVM-bound output in the NXLog configuration)

<Extension multiline>
    Module      xm_multiline
    HeaderLine  /^<event>/
    EndLine     /^<\/event>/
</Extension>

<Extension xmlparser>
    Module      xm_xml
</Extension>

<Input millenniumultra>
    Module        im_file
    # Single quotes so the backslashes in the path are taken literally
    File          '\MPWNetCustomers\1\HistoricalLog\HistoricalLog.xml'
    SavePos       FALSE
    ReadFromLast  FALSE
    InputType     multiline
    <Exec>
      # Discard anything that is not an assembled <event>...</event> record
      # (the <HistoricalLog> root tag and stray lines)
      if $raw_event !~ /^<event>/ drop();

      # Parse the XML event into fields
      parse_xml();

      # Use the event's own timestamp as the event time
      $EventTime = parsedate($timestamp);
      delete($timestamp);
      delete($EventReceivedTime);

      $SourceName = "MillenniumUltra";

      # Convert to JSON
      to_json();
    </Exec>
</Input>

<Route MSEvents>
    Path    millenniumultra => syslogng-out
</Route>

Microsoft Exchange Message Tracking

What: Exchange Message Tracking Logs
How: via NXLog
Reference: https://elijahpaul.co.uk/analysing-exchange-2013-message-tracking-logs-using-elk-elasticsearch-logstash-kibana/
Notes: Enable Message Tracking in Exchange 2013 as defined in the above link

Add the following configuration to NXLog.  BASEDIR must point at the MessageTracking log directory; the value below is the Exchange 2013 default, adjust it to your install:

define BASEDIR C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking

<Input in_exchange>
    Module     im_file
    # Matches every MSGTRK*.LOG in the directory
    File       '%BASEDIR%\MSGTRK????????*-*.LOG'
    SavePos    TRUE
    # Drop HealthMailbox probe traffic and the '#' header lines
    Exec       if $raw_event =~ /HealthMailbox/ drop();
    Exec       if $raw_event =~ /^#/ drop();
</Input>
<Output out_exchange>
    Module    om_udp
    # Replace with your DVM hostname/IP
    Host      192.168.0.2
    Port      514
    Exec      $SourceName = 'exchange_msgtrk_log';
    Exec      to_syslog_bsd();
</Output>
<Route exchange>
    Path      in_exchange => out_exchange
</Route>
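The NXLog configuration above drops the "#" lines, including the "#Fields:" header that names the columns, so each forwarded record is an anonymous CSV row.  The following is an added example, not part of this page, of NXLog or of Microsoft, showing how a parser that keeps that header can turn the same log into named records while applying the same two filters (skip "#" lines, skip HealthMailbox probe mail).  The excerpt is constructed with a subset of the real MSGTRK columns; the parser works with the full column set unchanged.

```python
"""Parse an Exchange message-tracking log into named records using its own
'#Fields:' header.  Added example, not part of the page, NXLog or Microsoft.
The excerpt below is constructed with a subset of the real MSGTRK columns."""
import csv
import json

SAMPLE_MSGTRK = """\
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: Message Tracking Log
#Date: 2019-03-01T00:00:00.000Z
#Fields: date-time,client-ip,client-hostname,server-hostname,source,event-id,message-id,recipient-address,sender-address,message-subject
2019-03-01T09:00:01.123Z,10.0.0.5,WS01,EXCH01,SMTP,RECEIVE,<a1@mybank.com>,alice@mybank.com,bob@example.net,Invoice 42
2019-03-01T09:00:02.456Z,,,EXCH01,STOREDRIVER,DELIVER,<hm@mybank.com>,HealthMailbox3f2@mybank.com,HealthMailboxb9@mybank.com,Probe
2019-03-01T09:00:03.789Z,10.0.0.9,MAIL01,EXCH01,SMTP,SEND,<c3@mybank.com>,carol@partner.org,alice@mybank.com,"Re: Invoice 42, attached"
"""


def parse_msgtrk(text):
    """Return one dict per message event, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            # Exchange writes a header block at the top of every file; a new
            # #Fields line resets the column map in case the layout changed
            fields = [f.strip() for f in line.split(":", 1)[1].split(",")]
            continue
        if not line.strip() or line.startswith("#"):
            continue            # #Software / #Version / #Log-type / #Date lines
        if fields is None:
            raise ValueError("data row before #Fields header")
        if "HealthMailbox" in line:
            continue            # managed-availability probe traffic, same filter as the NXLog Exec
        values = next(csv.reader([line]))     # CSV: subjects containing commas are quoted
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        # recipient-address may hold several addresses separated by ';' in real logs
        records.append(dict(zip(fields, values)))
    return records


def to_json_lines(records):
    """One JSON object per line, so each event forwards as a single syslog message."""
    return [json.dumps(r, separators=(",", ":")) for r in records]


if __name__ == "__main__":
    for line in to_json_lines(parse_msgtrk(SAMPLE_MSGTRK)):
        print(line)
```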


Netscaler

What: Core Networking
How: via Syslog
Reference: https://support.citrix.com/article/CTX121728

PaloAltoNetworks

What: Firewall Events/Logs
How: via Syslog
Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Forward-Firewall-Logs-from-Panorama-through-Syslog/ta-p/55713


QRadar

Information

What: Mirror logs sent to QRadar to the DefenseStorm DVM
How: via Syslog
Reference: http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.1/com.ibm.qradar.doc_7.2.1/c_qradar_adm_frwd_event_data.html?cp=SS42VS_7.2.1%2F4-0-15
Notes:

Configure QRadar for Raw Forwarding

Configuration Information

To send data to DVM:

- Destination Target

- Routing Rule

QRadar needs to send to the DVM on port 514 UDP.  This allows us to receive unformatted, multi-line log information.


Rapid7

Nexpose

What: Scan Alerts
How: via Syslog
Reference: https://nexpose.help.rapid7.com/docs/setting-up-scan-alerts


RSA Authentication Manager

Setting up for syslog

What: Authentication Logs/Events
How: via Syslog
Reference: https://community.rsa.com/docs/DOC-46055


rsyslog

What: Any log data on a system that is deployed with rsyslog (Carbon Black, some flavors of Linux, etc.)
How: via Syslog event forwarding
Notes:

Add a line to the bottom of the /etc/rsyslog.conf file to forward all log event data to the DVM, following this style (@@ forwards over TCP; a single @ would forward over UDP):

*.*   @@IP_ADDRESS:514


Where IP_ADDRESS should be replaced with the IP address of your DVM.  For example, if your DVM IP address was 192.168.10.12, then the line would look like:

*.*   @@192.168.10.12:514
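Before pointing a production rsyslog (or any of the syslog sources on this page) at the DVM, it is worth confirming from the sending host that the listener answers on the expected port and transport, since "no data" is usually a port or TCP/UDP mismatch.  The following is an added example, not DefenseStorm tooling: it builds an RFC 3164 message and sends it the way rsyslog's "@@" (TCP, newline-framed) or "@" (UDP) would.  The DVM address and port in the usage line are assumptions, and loopback_check runs the same sender against a throw-away local listener so the behaviour can be verified offline.

```python
"""Send a test syslog message over TCP or UDP and confirm it arrives.
Added example, not DefenseStorm tooling; the DVM host/port passed on the
command line are assumptions and the message content is constructed."""
import socket
import sys
from datetime import datetime


def build_rfc3164(facility, severity, hostname, tag, message, now=None):
    """RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG (the day is space-padded)."""
    now = now or datetime.now()
    pri = facility * 8 + severity
    ts = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{pri}>{ts} {hostname} {tag}: {message}"


def send_syslog(host, port, payload, proto="tcp", timeout=3.0):
    """Forward one message the way rsyslog's '@@' (TCP) or '@' (UDP) does; returns bytes sent."""
    data = payload.encode("utf-8")
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(data, (host, port))
    else:
        with socket.create_connection((host, port), timeout=timeout) as s:
            # Plain-TCP syslog is newline-framed; without the terminator the
            # receiver may hold the message until the next one arrives.
            s.sendall(data + b"\n")
    return len(data)


def loopback_check(payload, proto="tcp"):
    """Start a throw-away listener on 127.0.0.1, send the payload to it over the
    chosen transport and return exactly the bytes that arrived."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as listener:
        listener.bind(("127.0.0.1", 0))          # ephemeral port
        listener.settimeout(3.0)
        port = listener.getsockname()[1]
        if proto == "udp":
            send_syslog("127.0.0.1", port, payload, "udp")
            return listener.recvfrom(65535)[0]
        listener.listen(1)
        send_syslog("127.0.0.1", port, payload, "tcp")
        conn, _ = listener.accept()
        with conn:
            conn.settimeout(3.0)
            return conn.recv(65535)


# Constructed message: local7.info from host "host1", fixed time so the output is predictable.
SAMPLE_MESSAGE = build_rfc3164(23, 6, "host1", "dvmtest", "DefenseStorm connectivity test",
                               now=datetime(2019, 3, 1, 9, 0, 0))

if __name__ == "__main__":
    # Usage: python syslog_test.py <DVM IP> <port> [tcp|udp]  (assumed DVM ports: TCP 514, UDP 516)
    host, port = sys.argv[1], int(sys.argv[2])
    proto = sys.argv[3] if len(sys.argv) > 3 else "tcp"
    msg = build_rfc3164(23, 6, socket.gethostname(), "dvmtest", "DefenseStorm connectivity test")
    send_syslog(host, port, msg, proto)
    print(f"sent over {proto} to {host}:{port}; look for tag dvmtest in the DefenseStorm Console")
```

A TCP send that times out on connect points at a firewall or a listener that is UDP-only on that port; a UDP send always "succeeds" locally, so for UDP the only confirmation is the event appearing in the console.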


Salesforce

What: CRM Solution
Reference: https://github.com/DefenseStorm/salesforceEventLogs

ShoreTel

What: Call Detail Records
How: via NXLog
Notes: NXLog Configuration (syslogng-out is the existing DVM-bound output in the NXLog configuration)
#############################################################
# Define the Input for the ShoreTel CDR log files
#############################################################
<Input in-shortel>
    # Read ShoreTel CDR Log Files
    Module        im_file
    File          'C:\\Shoreline Data\\Call Records 2\\*.Log'
    ReadFromLast  TRUE
    SavePos       TRUE
    InputType     LineBased
    <Exec>
        # Skip comment/header lines; tag everything else for the DVM
        if $raw_event =~ /^#/ drop();
        else
        {
            $message = $raw_event;
            $clienthostname = $hostname;
            $hostname = hostname_fqdn();
            $SourceName = "Microsoft-Windows-Logs-Shortel";
        }
    </Exec>
</Input>
#############################################################
# Define the Route for the ShoreTel log files
#############################################################
<Route out>
    Path    in-shortel => syslogng-out
</Route>


Sophos

What: Security
Reference: https://github.com/DefenseStorm/sophosEventLogs

Solarwinds Orion

What: Infrastructure Management
How: via Syslog forwarding from the Orion Syslog Viewer
Notes:

From the Syslog Viewer on your Orion server:

  1. Go to "Start" menu > "All Programs" > "Solarwinds Orion" > "Syslog and SNMP Traps" > "Syslog Viewer"
  2. Create a rule to match what you want to forward (you can use '*') and create an action to Forward the Syslog Message to the DVM.
  3. Check the box to retain the original source IP of the message, so events are attributed to the originating device rather than to the Orion server.

SMTP Email Forwarding

What: SMTP Email Messages
How: via SMTP email forwarded from an internal Exchange Server
Notes:

The DVM will accept any email on port 25 and convert that email to an event to send up to the DefenseStorm cloud.  Because it accepts mail from any sender, restrict port 25 on the DVM to your Exchange servers so other hosts cannot inject events.  There are many ways to route email to the DVM depending on your email infrastructure.  This document describes one method that can be used with Microsoft Exchange.

The steps are as follows:

Configure your Exchange environment to route a 'dummy' email domain to the DVM.  For example, if your email domain is "mybank.com", then you might use "defensestorm.mybank.com" or even simply "defensestorm.mybank".  Mail for this domain must never be delivered to the Internet, so select a domain that is not valid externally.

The following article describes the process for Exchange 2000 (routing a specific domain to a smart host); the same approach applies to later versions, with the DVM as the smart host for that domain:

http://www.techrepublic.com/article/forward-mail-to-a-smart-host-for-specific-domains/

In step 9 of those instructions, use the domain described above (defensestorm.mybank).

Once this is complete, send a test email message to any address at that domain, for example "test@defensestorm.mybank".  You should be able to verify in Exchange that this message was delivered to the DVM.  You should also be able to see the email message converted to an event on the DefenseStorm Console.

Now configure any of your internal systems that send SMTP/email-based alerts to use a recipient address at the configured domain.  Any email messages sent to that domain will be routed by your internal Exchange system to the DVM and forwarded as Events to the DefenseStorm Console.



Sourcefire

What: FireSIGHT Events/Logs
How: via Syslog
Reference:

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118464-configure-firesight-00.html

Notes: Event data is only provided in UTC and without a timezone specified.  The DVM is configured with a local timezone to support Windows event logging, so these events would be stored with the wrong time if received on the normal listener.  The following configuration can be added to the syslog-ng configuration on the DVM to accept the UTC events on a dedicated port (518 in this example) and read their timestamps as UTC; point the FireSIGHT syslog alert at that port.

@version: 3.5

# Custom syslog setup to take in UTC timestamps and send them out properly

source s_sourcefire {
    network(
        port(518)
        time-zone("UTC")
        transport("udp")
        keep-hostname(yes)
        flags("syslog-protocol")
        tags("udp514")
    );
    network(
        port(518)
        time-zone("UTC")
        transport("tcp")
        max_connections(100)
        log_iw_size(2000)
        keep-hostname(yes)
        flags("syslog-protocol")
        tags("tcp514")
    );
};

log {
    source(s_sourcefire);
    rewrite(r_praesidio);
    destination(d_praesidiosqs);
    flags("flow_control");
};
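What the time-zone("UTC") option above corrects is easy to see in code.  The following is an added example, not DefenseStorm or Cisco code: it takes a BSD-style syslog line with no year and no zone, as FireSIGHT sends it, and shows the difference between reading the timestamp as UTC (correct) and as the receiver's local zone (what a receiver configured for local time would do).  The sample line is constructed, the receiver zone is assumed to be US Eastern standard time, and the year must be supplied because the BSD timestamp does not carry one.

```python
"""Normalize a zone-less BSD syslog timestamp that is actually UTC.
Added example, not DefenseStorm or Cisco code; the line and the receiver
zone below are constructed assumptions."""
import re
from datetime import datetime, timezone, timedelta

# <PRI>Mmm dd hh:mm:ss HOST MESSAGE   (BSD syslog: no year, no zone)
BSD_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)

# Constructed FireSIGHT-style line; the sensor clock read 14:00 UTC when it fired.
SAMPLE_LINE = ("<113>Mar  1 14:00:00 firepower SFIMS: [Primary Detection Engine] [1:1000001:1] "
               "Test rule [Classification: Policy Violation] [Priority: 1] {TCP} "
               "10.0.0.7:49210 -> 203.0.113.9:443")

# Assumption: the DVM is configured for US Eastern standard time.
RECEIVER_TZ = timezone(timedelta(hours=-5), "EST")


def interpret(line, year, receiver_tz, sender_is_utc=True):
    """Return an aware datetime in the receiver's zone.  sender_is_utc=False
    reproduces the mistake of reading the bare timestamp as local time."""
    m = BSD_LINE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line")
    naive = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    zone = timezone.utc if sender_is_utc else receiver_tz
    return naive.replace(tzinfo=zone).astimezone(receiver_tz)


def skew_seconds(line, year, receiver_tz):
    """How far off the stored event time would be without the UTC correction."""
    wrong = interpret(line, year, receiver_tz, sender_is_utc=False)
    right = interpret(line, year, receiver_tz, sender_is_utc=True)
    return int((wrong - right).total_seconds())


def to_rfc5424_time(line, year, receiver_tz):
    """ISO 8601 with an explicit offset, so the value is unambiguous downstream."""
    return interpret(line, year, receiver_tz).isoformat()


if __name__ == "__main__":
    print(to_rfc5424_time(SAMPLE_LINE, 2019, RECEIVER_TZ))
    print("skew without correction (s):", skew_seconds(SAMPLE_LINE, 2019, RECEIVER_TZ))
```

The skew equals the receiver's UTC offset, so an event that fired at 14:00 UTC would be filed five hours late in a US Eastern DVM; during daylight-saving time the offset, and therefore the error, changes, which is why the correction belongs at the receiver rather than being hard-coded per sensor.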


Splunk

What: Splunk collected event data via Event Mirroring
How: via Syslog
Notes:
$SPLUNK_HOME/etc/system/local/outputs.conf  ($SPLUNK_HOME is typically /opt/splunk)

Add:

If the Splunk license supports syslog output (not the free version):

[syslog]
defaultGroup=syslogGroup

[syslog:syslogGroup]
server = 10.1.1.197:516

If running the free version, use a raw tcpout group instead (the defaultGroup line goes under the existing [tcpout] stanza and must name the group defined below; sendCookedData = false makes Splunk send the raw event rather than its internal cooked format):

[tcpout]
defaultGroup=fastlane
[tcpout:fastlane]
server = 10.1.1.35:516
sendCookedData = false


Varonis

What: Varonis Events
How: via Syslog
Reference: http://castletips.blogspot.com/2015/08/datalert-alert-template-for-syslog.html
Notes: The default Alert Template for syslog messages contains line feeds and carriage returns, which split one alert into several syslog records.  Use the referenced Alert Template to provide a single-line, parsable Alert to the DVM via Syslog.


VMWare vCenter

ESXi Syslog Configuration

What: Logs/Events for the ESXi host
How: via Syslog
Reference:

ESXi 5 Instructions:

http://www.vkernel.ro/blog/configure-syslog-on-esxi-5-x-hosts

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2003322

ESXi 6 Instructions:

http://everythingshouldbevirtual.com/vsphere-6-0-syslog-configuration

Notes

Configure with udp://<DVM IP>:514


VCSA Appliance

What: Events/Logs from the vCenter Server Appliance
How: via Syslog
Reference:

https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.vcsa.doc%2FGUID-9633A961-A5C3-4658-B099-B81E0512DC21.html


vSphere logging via nxlog

What: vSphere Administration logging on Windows-based vSphere Servers
Reference:

https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.vcsa.doc/GUID-9633A961-A5C3-4658-B099-B81E0512DC21.html