
Cisco eStreamer with FMC & Microsoft sentinel

AshbyJohnDNV
Level 1

Hi, have a successful connection of FMC with eStreamer and can see syslog in Sentinel. However, I see this error against the DCR rule in Sentinel. Even though the DCR rule is created, does this mean no events in CEF format are reaching Sentinel?

[attached screenshot: AshbyJohnDNV_0-1733318849975.png]

FMC is on version 7.4.1.1

Redhat Linux 9 Ent

Python 3


2 Accepted Solutions

Accepted Solution

adrian_iovita
Level 1

You need to exclude the logs from being saved locally on the Linux box. You need to edit the /etc/rsyslog.d/50-default.conf file so that it will not save the logs locally based on facilities. It depends whether you are using rsyslog or syslog-ng.

rsyslog example:

*.*;local4.none;auth,authpriv.none -/var/log/syslog

That means that logs with facility local4 will not be saved locally. 


View solution in original post

adrian_iovita
Level 1

In your DCR configuration include LOG_USER: LOG_NOTICE


View solution in original post

18 Replies

adrian_iovita
Level 1

It depends on how you configured the DCR rule. What Sentinel Connector are you using? You can create the DCR rule directly from the CEF AMA connector. 

How do you see syslog events in Sentinel if you are trying to use CEF format?

Thanks Adrian. Seems things were all working. In the end I had to delete dormant syslog connectors in Sentinel and restart the ./encore.sh service on the Linux box and hey presto. The challenge I have now is the logs filling up space on /dev/mapper/rootvg-varlv. Filled up 15G very quickly.



AshbyJohnDNV
Level 1

Thanks Adrian!

Been working fine for a week or so. Filled up the disk space. Now not working....

[attached screenshot: AshbyJohnDNV_1-1739978800495.png]

checking listening ports - sudo lsof -nP -iTCP -sTCP:LISTEN

[attached screenshot: AshbyJohnDNV_0-1739978758855.png]

Second topic is Cisco FMC parsing events from 20 Cisco FTDs - any ideas on disk size and entries in rsyslog.conf & DCR? DCR shown below.

[attached screenshot: AshbyJohnDNV_2-1739978925730.png]

thanks


adrian_iovita
Level 1

You don't actually need disk size on the server since you don't want to keep the logs locally; you should be forwarding them to Sentinel.

Can you check the settings in /etc/rsyslog.conf?

For CEF logs you also need to try enabling the option "Collect messages without PRI header" in the DCR, to make sure that CEF messages without a facility are sent to Sentinel.

Also, have you checked eStreamer for any errors?


Hey Adrian, /etc/rsyslog.conf below

# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

#### MODULES ####

module(load="imuxsock" # provides support for local system logging (e.g. via logger command)
SysSock.Use="off") # Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
module(load="imjournal" # provides access to the systemd journal
UsePid="system" # PID number is retrieved as the ID of the process the journal entry originates from
FileCreateMode="0644" # Set the access permissions for the state file
StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability

# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp")
##needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp")
##needs to be done just once

input(type="imtcp" port="514")

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# reduce logs saved on this local host - ADDED17FEB2025
*.*;local4.none;auth,authpriv.none /var/log/syslog

CEF test script + ./encore.sh test

[attached screenshots: AshbyJohnDNV_0-1741188554687.png, AshbyJohnDNV_1-1741188592926.png]
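Added example (not from the thread or from the rsyslog project): a small evaluator for rsyslog's legacy "facility.priority action" selector syntax, run over the RULES section posted above, to show which local files a message of a given facility and severity would be written to. It assumes, as the thread does, that eStreamer's CEF output arrives with facility local4; against the posted rules it shows that local4 messages at info or above still land in /var/log/messages through the `*.info` line, while the `local4.none` exclusion only covers /var/log/syslog.

```python
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

def parse_rule(line):
    """Return ({facility: threshold}, action) for one 'selectors action' line.
    threshold: None = never, int = that severity index and more urgent,
    ("eq", i) for '=pri'. Later selectors override earlier ones per facility."""
    selectors, action = line.split(None, 1)
    thresholds = {}
    for sel in selectors.split(";"):
        facs, pri = sel.rsplit(".", 1)
        fac_list = FACILITIES if facs == "*" else facs.split(",")
        if pri == "none":
            level = None
        elif pri == "*":
            level = len(SEVERITIES) - 1
        elif pri.startswith("="):
            level = ("eq", SEVERITIES.index(pri[1:]))
        else:
            level = SEVERITIES.index(pri)
        for fac in fac_list:
            thresholds[fac] = level
    return thresholds, action.lstrip("-")  # a leading '-' only disables fsync

def matches(thresholds, facility, severity):
    """True if a message with this facility/severity passes the parsed selectors."""
    level = thresholds.get(facility)
    if level is None:
        return False
    idx = SEVERITIES.index(severity)
    return idx == level[1] if isinstance(level, tuple) else idx <= level

def destinations(rules, facility, severity):
    """List the actions (files, :omusrmsg:, ...) that would receive the message."""
    return [action for thresholds, action in map(parse_rule, rules)
            if matches(thresholds, facility, severity)]

# The RULES section as posted in the thread, blank lines removed.
POSTED_RULES = [
    "*.info;mail.none;authpriv.none;cron.none /var/log/messages",
    "mail.* -/var/log/maillog",
    "cron.* /var/log/cron",
    "*.emerg :omusrmsg:*",
    "uucp,news.crit /var/log/spooler",
    "local7.* /var/log/boot.log",
    "*.*;local4.none;auth,authpriv.none /var/log/syslog",
]

if __name__ == "__main__":  # CEF from eStreamer assumed to arrive as local4
    print(destinations(POSTED_RULES, "local4", "notice"))  # ['/var/log/messages']
```

Adding `local4.none` to the `*.info` line as well (or routing local4 to its own action that only forwards) is what keeps those messages off the local disk.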


adrian_iovita
Level 1

What is your disk space usage on the server?

Run a tcpdump:

tcpdump -Z root -i lo "port 514"

tcpdump -Z root -i lo "port 28330"


[attached screenshot: AshbyJohnDNV_5-1741249029872.png]


Forgot disk space output

[attached screenshot: AshbyJohnDNV_0-1741249166273.png]



Any ideas on how to filter out Log Severity 3 - things like routing information etc., either via the DCR or the conf on the eStreamer box itself?

adrian_iovita
Level 1

What kind of logs are you getting?

eStreamer will only forward Inspection, Connection, Malware and File events.

You need to remove Local 6 and Local 7 from the DCR.