enhance support for syslog ingestion #354

Closed
mmguero opened this issue Nov 4, 2024 · 2 comments
Labels
beats Relating to Malcolm's use of Beats enhancement New feature or request host logs Related to Malcolm's processing of host logs forwarded from external forwearders logstash Relating to Malcolm's use of Logstash

mmguero commented Nov 4, 2024

Malcolm is now configurable to accept third-party syslogs directly. To describe the feature, here's a copy/paste from the updated documentation:

From the end-to-end configuration documentation:

  • Should Malcolm accept logs and metrics from a Hedgehog Linux sensor or other forwarder?
    • Answer yes or no in order for Malcolm's firewall to allow or block connections for OpenSearch, Logstash, and Filebeat TCP, bypassing the following several questions in this list. Answer customize to proceed to answer the following related questions individually:
    • ...
    • Accept standard syslog messages?
      • Answer Y for Malcolm to accept syslog messages according to the RFC3164 and RFC5424 standards over TCP or UDP.
        • Enter port for syslog over TCP (e.g., 514) or 0 to disable and Enter port for syslog over UDP (e.g., 514) or 0 to disable
          • Specify the port numbers on which to accept syslog messages for TCP or UDP, respectively. Other options for configuring how Malcolm accepts and processes syslog messages can be configured via environment variables in filebeat.env

From the filebeat.env environment variable documentation:

  • filebeat.env - settings specific to Filebeat, particularly for how Filebeat watches for new log files to parse and how it receives and stores third-party logs
    • ...
    • The following variables configure Malcolm's ability to accept syslog messages:
      • FILEBEAT_SYSLOG_TCP_LISTEN and FILEBEAT_SYSLOG_UDP_LISTEN - if set to true, Malcolm will accept syslog messages over TCP and/or UDP, respectively
      • FILEBEAT_SYSLOG_TCP_PORT and FILEBEAT_SYSLOG_UDP_PORT - the port on which Malcolm will accept syslog messages over TCP and/or UDP, respectively
      • FILEBEAT_SYSLOG_TCP_FORMAT and FILEBEAT_SYSLOG_UDP_FORMAT - one of auto, rfc3164, or rfc5424, to specify the allowed format for syslog messages over TCP and/or UDP, respectively (default auto)
      • FILEBEAT_SYSLOG_TCP_MAX_MESSAGE_SIZE and FILEBEAT_SYSLOG_UDP_MAX_MESSAGE_SIZE - defines the maximum message size of the message received over TCP and/or UDP, respectively (default: 10KiB for UDP, 20MiB for TCP)
      • FILEBEAT_SYSLOG_TCP_MAX_CONNECTIONS - specifies the maximum concurrent number of TCP connections for syslog messages
      • FILEBEAT_SYSLOG_TCP_SSL - if set to true, syslog messages over TCP will require the use of TLS. When ./scripts/auth_setup is run, self-signed certificates are generated which may be used by remote log forwarders. Located in the filebeat/certs/ directory, the certificate authority and client certificate and key files should be copied to the host on which the forwarder is running and used when defining its settings for connecting to Malcolm.

From the Third Party Logs documentation:

Malcolm can accept syslog messages directly. During configuration, select customize when prompted Should Malcolm accept logs and metrics from a Hedgehog Linux sensor or other forwarder? to specify whether Malcolm should accept syslog over TCP, UDP, or both, and the respective ports on which the messages should be accepted.

Other options for configuring how Malcolm accepts and processes syslog messages can be configured via environment variables in filebeat.env.

@mmguero mmguero added this to Malcolm Nov 5, 2024
@mmguero mmguero added this to the z.staging milestone Nov 5, 2024
@mmguero mmguero self-assigned this Dec 11, 2024
@mmguero mmguero modified the milestones: z.staging, v25.01.0 Dec 11, 2024
@mmguero mmguero moved this to Todo (develop) in Malcolm Dec 11, 2024
@mmguero mmguero moved this from Todo (develop) to In Progress in Malcolm Jan 6, 2025
@mmguero mmguero moved this from In Progress to Testing in Malcolm Jan 7, 2025

mmguero commented Jan 7, 2025

Comment from original bug creation:

@mmguero cloned issue idaholab/Malcolm#606 on 2024-10-29:

An INL-internal group using Malcolm was discussing Malcolm's ability to ingest host logs with us, and syslog in particular. As syslog is a common format for Linux-and-related host logs, this might be worth looking at.

There are three parts to this I can see:

  • From the aspect of collecting the syslogs, fluent bit has a syslog input that will monitor a TCP or UDP socket for syslogs sent to it.

    • In other words, on some other box you could set up a socket that rsyslog is sending to, then have fluent-bit monitor that socket and forward things along to Malcolm in the regular JSON-over-TCP/TLS method we do for everything else.

    • Our logstash pipeline already has support to parse these so in a major sense this is already working and supported

    • we don't have a prebuilt dashboard for this so we would want to build one (similar to the journald/systemd dashboard found under Malcolm and Third-Party Logs in the navigation panel)

  • Now, what about Malcolm directly accepting syslogs itself, rather than having an external fluent-bit process forwarding them?

    • filebeat has a syslog processor, so we could leverage another filebeat process (filebeat-syslog) in the filebeat container (similar to how we added the one filebeat TCP somewhat recently); this is probably the way to go

    • logstash has a syslog input that would be another option

    • we'd want to normalize, as much as possible, so that the inputs from syslog directly and the inputs from fluent-bit have the same data/field format and are viewable in the same dashboard (use ECS as much as possible)

    • this would potentially have to expose another port, but I think that if we do it it merits a separate question in the configuration as it's unencrypted/unauthenticated and as such doesn't rise to the standard of the stuff we're doing for filebeat-tcp/5045 right now. I think we'd want to give them a more explicit "are you sure" kind of thing.
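The RFC 3164 / RFC 5424 handling described by the filebeat.env variables in the first comment (a format setting of auto, rfc3164 or rfc5424, and a per-transport maximum message size) together with the ECS normalization goal in this comment, as an added Python example that is not Malcolm's or Filebeat's own code: it detects the format the way an auto setting would, enforces the documented size defaults, and maps the header to a few ECS-style fields (host.name, facility, severity, process name). The size table, regexes and sample messages are constructed here; assume the size defaults of 10 KiB for UDP and 20 MiB for TCP from the documentation above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed limits mirroring the documented defaults (10 KiB for UDP, 20 MiB for TCP).
MAX_MESSAGE_SIZE = {"udp": 10 * 1024, "tcp": 20 * 1024 * 1024}

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$"
)
# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG (timestamp has no year or zone)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)
_TAG = re.compile(r"^(?P<app>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")

@dataclass
class SyslogEvent:
    """The subset of ECS-style fields a normalized syslog event would carry."""
    format: str               # which header matched: rfc3164 or rfc5424
    facility: int             # log.syslog.facility.code = PRI // 8
    severity: int             # log.syslog.severity.code = PRI % 8
    host_name: str            # host.name, taken from the syslog HOSTNAME field
    timestamp: str            # timestamp as sent (RFC 3164 has no year or zone)
    app_name: Optional[str]   # process.name from APP-NAME or the RFC 3164 TAG
    message: str

def detect_format(line: str) -> Optional[str]:
    """What a format setting of 'auto' does: try RFC 5424 first, then RFC 3164."""
    if _RFC5424.match(line):
        return "rfc5424"
    if _RFC3164.match(line):
        return "rfc3164"
    return None

def parse_syslog(line: str, transport: str = "udp", allowed: str = "auto") -> SyslogEvent:
    """Parse one message, enforcing the per-transport size cap and the allowed format."""
    if len(line.encode("utf-8")) > MAX_MESSAGE_SIZE[transport]:
        raise ValueError(f"message exceeds the {transport} maximum size")
    fmt = detect_format(line)
    if fmt is None or (allowed != "auto" and fmt != allowed):
        raise ValueError(f"message is not valid {allowed} syslog")
    m = (_RFC5424 if fmt == "rfc5424" else _RFC3164).match(line)
    pri = int(m["pri"])
    if pri > 191:  # facility 0-23 and severity 0-7 bound PRI to 0..191
        raise ValueError("PRI value out of range")
    if fmt == "rfc5424":
        app = None if m["app"] == "-" else m["app"]
        return SyslogEvent(fmt, pri >> 3, pri & 7, m["host"], m["ts"], app, m["msg"] or "")
    tag = _TAG.match(m["rest"])
    app, msg = (tag["app"], tag["msg"]) if tag else (None, m["rest"])
    return SyslogEvent(fmt, pri >> 3, pri & 7, m["host"], m["ts"], app, msg)

def rejects(line: str, transport: str = "udp", allowed: str = "auto") -> bool:
    """True if a listener with these settings would drop the message."""
    try:
        parse_syslog(line, transport, allowed)
        return False
    except ValueError:
        return True

# Constructed sample messages, one per format (not real captured traffic).
SAMPLE_5424 = "<34>1 2024-11-04T10:00:00Z sensor01 sshd 4242 ID47 - Accepted publickey for alice"
SAMPLE_3164 = "<13>Nov  4 10:00:01 sensor02 sshd[4242]: Failed password for invalid user bob"
if __name__ == "__main__":  # quick demonstration on the constructed samples
    print(parse_syslog(SAMPLE_5424), parse_syslog(SAMPLE_3164), sep="\n")
    print("oversized message dropped over UDP:", rejects(SAMPLE_3164 + "x" * 10240, "udp"))
```

The same oversized message is accepted over TCP, which is why the documentation quotes different defaults for the two transports.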


mmguero commented Jan 7, 2025

Tested using flog over UDP, TCP without SSL, and TCP with SSL.

Example command:

```bash
# Send 50 generated messages per format to each listener address.
# verify=0 on the ssl: address skips checking Malcolm's certificate (test use only).
for ADDR in \
  'udp:10.9.0.215:514' \
  'ssl:10.9.0.215:514,cafile=ca.crt,cert=client.crt,key=client.key,verify=0'; do \
    for FORMAT in rfc5424 rfc3164; do \
        flog -f "$FORMAT" -n 50 | while read -r MESSAGE; do echo "$MESSAGE" | socat - "$ADDR"; done; \
    done; \
done
```

@mmguero mmguero moved this from Done to Released in Malcolm Jan 17, 2025
piercema added a commit to piercema/Malcolm that referenced this issue Feb 12, 2025
* Bump development for v25.01.0, also update copyright year

* bump netbox to v4.1.10, osd_transform to v2.18.0, and fluent-bit to v3.2.4

* for cisagov#354, work in progress for Malcolm directly accepting syslog

* for cisagov#354, work in progress for Malcolm directly accepting syslog; (dashboard)

* cisagov#543, add navigation pane to non-network dashboards

* bump jinja to 3.1.5

* Documentation for cisagov#354, syslog

* replace old filebeat input for syslog with tcp/udp input and syslog processor, for cisagov#354

* Documentation for cisagov#354, syslog

* install.py tweak for cisagov#354

* minor fix for cisagov#354, set host.name correctly

* bump netbox to v4.11.1 and elasticsearch-dsl to v8.17.1

* start of cisagov#356, normalize winlogbeats

* WIP of cisagov#356, normalize winlogbeats

* WIP of cisagov#356, normalize winlogbeats

* WIP of cisagov#356, fix for a dashboard

* WIP of cisagov#356, normalize winlogbeats

* Work in progress for cisagov#541, making sure conn.log and known_services.log get the ICS protocols assigned to them correctly and tagged appropriately

* Work in progress for cisagov#541

* standardize ICS protocols in network.protocol field, so they all get tagged with 'ics' properly cisagov#541

* fix cisagov#533, allow keystores to be created on startup even in hedgehog mode

* forgot to add file for cisagov#356

* For cisagov#524, handle filenames with spaces in extracted_files_http_server.py

* work for cisagov#542, preserve custom field formatting for index pattern on update of index pattern

* work for cisagov#542, preserve custom field formatting for index pattern on update of index pattern

* bump yq to v4.45.1

* for cisagov#551, URL pivot links from dashboards to arkime

* for cisagov#551, URL pivot links from dashboards to arkime

* fix pivot from arkime to dashboards and vice-versa when using a traefik or other reverse proxy

* for cisagov#551, URL pivot links from dashboards to netbox

* for cisagov#551, URL pivot links from dashboards to netbox

* for cisagov#551, URL pivot links from netbox to arkime/dashboards

* start of cisagov#553, update zeek to v7.1.0

* cisagov#553, handle conn.log for zeek v7.1.0 and documentation update

* cisagov#553, handle postgresql.log

* cisagov#553, handle postgresql.log

* cisagov#553, added PostgreSQL dashboard

* for cisagov#551, URL pivot links in dashboards (ignore date/times)

* start of omron fins integration, cisagov#554

* wip omron fins integration, cisagov#554

* arkime to v5.6.0

* bump logstash and filebeat to v8.17.0

* Fix nginx filebeat

* WIP omron fins integration, cisagov#554

* WIP omron fins integration, cisagov#554

* WIP omron fins integration, cisagov#554

* WIP omron fins integration, cisagov#554

* WIP omron fins integration, cisagov#554

* dashboards tweaks

* fix links for hh redirect download

* First pass at adding suricata socket optimization

* fix issue with nginx proxy

* Setting debug to false

* Fixing permissions for socket

* html formatting

* documentation for workaround for UFW software firewall for Malcolm ISO should automatically open ports for syslog (cisagov#560)

* Bump for v25.02.0 development

* restore _config.yml

* fix version

* I don't think we need a separate pod for the socket-based suricata, that's what the offline one does now anyway, right?

* restore some comments, black python style

* some tweaks for cisagov#457, pulled jjrush's branch into mine for some fixes

* some tweaks for cisagov#457

* allow suricata to spawn threads

* logging tweaks

* more flexible verbosity for suricata

* some tweaks for cisagov#457, try to wait until PCAP is finished processing before moving on

* First pass at adding suricata socket optimization

* Setting debug to false

* Fixing permissions for socket

* for cisagov#457, a few tweaks of the suricata pcap processing mode after reviewing @jjrush's code

* for cisagov#457, monitor suricata.log to know when PCAP is done processing

* for cisagov#457, monitor suricata.log to know when PCAP is done processing

* for cisagov#457, signal suricata rules to reload after update

* for cisagov#457, signal suricata rules to reload after update

* for cisagov#457, fix processing of other log types

* for cisagov#457, fix processing of other log types

* for cisagov#457, signal suricata rules to reload after update

* decrease verbosity for log

* fix logic for autoarkime/forcearkime

* some tweaks for cisagov#457, don't bother keeping track of when suricata is done with a PCAP file. just let filebeat handle it and pick up the resultant eve.json files directly

* Standardizing healthcheck scripts, updating docker-compose, updating kubernetes

* Adding livenessProbe to htadmin

* cisagov#457, handle multiple Suricata PCAP processing threads

* cisagov#574, clear screen after auth_setup when using Dialog mode

* add the related.user field to the 'nginx Access Logs' table

* bump fluent bit to v3.2.5

* fixed import of ECS templates

* handle ARKIME_PORT value formatted like a URL in the init of the API container

* cisagov#565, warn user about overwriting netbox passwords if they've already been set

* fix cisagov#559, ANSI color codes from croc displayed

* Exception in build triggers

* for cisagov#557, try building dirinit with arm runner

* cisagov#557, use arm-hosted runners for github build actions

* restore _config.yml

* a bit of cleanup for Dockerfiles/health check scripts

* minor fixes for health checks

* Tweaks for health checks

* restore _config.yml

* Tweaks for health checks

* build tweaks for health scripts

* bump capa to v9.0.0

* workaround for issue blocking cisagov#475, integration of sigma rules

* improvements to workaround for issue blocking cisagov#475, integration of sigma rules

* improvements to workaround for issue blocking cisagov#475, integration of sigma rules

* for cisagov#475, automatically apply aliases via index templates

* for cisagov#475, starting on mappings for security analytics

* for cisagov#585, include corelight/zeek-long-connections plugin for long connections (WIP)

* for cisagov#585, include corelight/zeek-long-connections plugin for long connections (WIP)

* for cisagov#585, include corelight/zeek-long-connections plugin for long connections (WIP)

* for cisagov#585, include corelight/zeek-long-connections plugin for long connections (WIP)

* demo fix

* for cisagov#585, show long connection count on connections dashboard

* decouple redis from netbox (cisagov#580)

* one more minor change to cisagov#491, moved all container health scripts into one place to make it easier to keep track of them

* decouple redis from netbox (cisagov#580) and reorganized some of the other netbox password stuff

* updated fluent bit

* fix filebeat health

---------

Co-authored-by: Seth Grover <seth.d.grover@gmail.com>
Co-authored-by: Jason Rush <jjrush-github@proton.me>