
TCP connection with rsyslog

alien35man
I set up a machine to forward logs to my Alienvault machine over TCP, and I was under the impression that it was working. However, I looked into it and found most of my logs were like this:

Jul 8 01:46:08 SOME_IP {"EventTime": "2014-07-08 08:46:01","Hostname":"SOMEHOSTNAME","Keywords":-92188...which account and process on the system requested the logon.\r\n\r\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not

Jul 8 08:45:19 always available and may be left blank in some cases.\r\n\r\nThe authentication information...IpAddress":"-","IpPort":"-","EventReceivedTime":"2014-07-08 08:46:03","SourceModuleName":"in","SourceModuleType":"im_msvistalog","EventReceievedTime":1404834363}

I left most of the data out; I just wanted to show how the log is cut and treated as 2.

I'm guessing it has something to do with how I set up the TCP connection. Any help would be greatly appreciated.
Answers

  • edited July 2014
    Could be TCP related. Most of the time if the log is split you'd see the syslog header twice. Which this looks like, though your dates for the two records are way far apart.
  • Yeah, all my large logs get cut and are off by a couple minutes for some reason.
    I updated the OSSIM entirely and I noticed one of the fixes was that all TCP connections are open. This broke my entire setup as Alienvault stopped processing my logs entirely.
    This seems to point to a flawed setup with TCP.
    Would someone mind walking me through it? Perhaps I missed a step.
    (I am in fact a newbie at this so please bear with me)
  • The new version includes an iptables rule to block 514 TCP; you can modify this in the firewall include file. You may need to re-enable TCP in rsyslog.conf as well.

    What are you sending the logs with?
  • Where is the firewall? All I can find is "ossim_firewall.dpkg_old" and "ossim_firewall_ipv6.dpkg-old".
    I'm using syslog-ng to forward them.
  • edited July 2014
    Actually I think I found the problem. The logs I'm receiving are a mixture of nxlog and syslog. The nxlogs are the really big ones which are causing that weird behavior. I guess I need to make a plugin to parse nxlog since Alienvault doesn't have one?
  • Nxlog can output snare format and you can use that plugin. I've mentioned nxlog a few times here also.
  • OK, I think I'll try that. I still have the original problem though. When I send the nxlogs over with syslog-ng the TCP packets aren't put back together and are thus treated as separate logs. Is there some way to increase the payload size? I noticed /etc/rsyslog.d/alienvault.conf sets this: $MaxMessageSize 64K.
  • Why would nxlog send with syslog-ng? Are you forwarding?
  • I am receiving logs from both Windows (nxlog) and Linux (syslog) machines on one system. Then I'm dumping them all into a log file (which contains a mix of both), then I use syslog-ng to forward them. I'm using that because that's all I know how to do/all I have to work with.
  • Nxlog can send straight to AV as can your linux syslog machine. You could also be sending to your log server UDP, but forwarding TCP. So the log would get broken before you even forward it.
  • Due to the setup I can't directly forward. All I have access to is that one machine with all the logs on it and my Alienvault machine. I need a way to do this with syslog-ng. I know it is extremely crippling but it's all I'm given. (also thank you for your patience I appreciate it)
  • Solved. You were right it was getting broken somewhere else. Thanks for the help. It turned out that my Alienvault end was using rsyslog to receive logs sent over syslog-ng. Silly mistake.
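The symptom in the original post (one nxlog JSON event arriving as two syslog records, the second carrying the continuation text where the hostname should be) can be checked for on the collector before anyone touches the forwarding chain. The script below is an added example, not code from the thread or from AlienVault: it reads rsyslog-style lines, flags payloads that begin JSON but never close it, glues each such head fragment to the following non-JSON line, and reports what could and could not be rejoined. The log lines are constructed, and the reassembly assumes a single space was lost at the split point.

```python
import json
import re
from typing import Dict, List, Optional

# BSD-style syslog header as rsyslog writes it: "Jul  8 01:46:08 <host> <payload>".
HEADER_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ?(.*)$")

# Constructed sample (not from the thread): one intact nxlog JSON record, then a
# record delivered as two syslog lines; the tail's first word sits in the host slot.
SAMPLE_LOG = "\n".join([
    'Jul  8 01:45:59 10.0.0.5 {"EventTime": "2014-07-08 08:45:50", "Hostname": "WS01", "EventID": 4624}',
    'Jul  8 01:46:08 10.0.0.5 {"EventTime": "2014-07-08 08:46:01", "Hostname": "WS01", '
    '"Message": "Workstation name is not',
    'Jul  8 08:45:19 always available.", "IpAddress": "-", "SourceModuleType": "im_msvistalog"}',
])


def parse_json(payload: str) -> Optional[dict]:
    """Return the decoded object, or None when the payload is not one complete JSON object."""
    try:
        obj = json.loads(payload)
    except ValueError:
        return None
    return obj if isinstance(obj, dict) else None


def reassemble(log_text: str) -> Dict[str, list]:
    """Sort lines into intact records, rejoined head+tail pairs, and orphans.

    A head fragment starts with '{' but does not parse; the next line whose
    payload does not start with '{' is its tail. Assumption: the receiver
    consumed exactly one space at the split, so the pieces are joined with one.
    """
    intact: List[dict] = []
    rejoined: List[dict] = []
    orphans: List[str] = []
    head: Optional[str] = None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            orphans.append(line)
            continue
        stamp, _host, payload = m.groups()
        if head is not None and not payload.startswith("{"):
            # Tail fragment: everything after the timestamp is continuation text.
            candidate = head + " " + line[len(stamp) + 1:]
            obj = parse_json(candidate)
            rejoined.append(obj) if obj is not None else orphans.append(candidate)
            head = None
            continue
        if head is not None:          # previous head never received its tail
            orphans.append(head)
            head = None
        obj = parse_json(payload)
        if obj is not None:
            intact.append(obj)
        elif payload.startswith("{"):
            head = payload            # JSON opened but not closed: head fragment
        else:
            orphans.append(line)
    if head is not None:
        orphans.append(head)
    return {"intact": intact, "rejoined": rejoined, "orphans": orphans}
```

A non-empty "orphans" list means fragments arrived without a matching partner, which points at a break earlier in the chain (as the thread concluded) rather than at the final TCP hop.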