IDS: Should send logs to a Syslog Server... How??

pgallati
Level 1

Hey all, I would like an IDS to send its alerts to a syslog server. If I read correctly, the IDS itself can't send syslog messages to a server.

A customer absolutely wants this feature. So what can I do?

The customer has a CSPM 2.3i and some IDS (4210). Is it possible that the CSPM can handle this? And how?

Thanks for any help, Patrik

7 Replies

gfullage
Cisco Employee

The sensor can't send syslog events, nor can you set up CSPM to forward alerts via syslog, sorry about that.

Hi Glenn

Thanks for your response. Does the VMS include this functionality (syslog)? Maybe we can upgrade the CSPM to VMS 2.1. Is this a solution to solve the problem?

Thanks, Patrik

Hi Patrik

There is a "way" (not very fancy, but it works) to get events sent to a syslog server: use a "syslog client" (like klog, a console-mode syslog client) together with the CSPM script notification method, where you type the path to your script that calls klog. In the script you make klog send the syslog message with the Notification Keywords you would like to be included.

Regards.

Gert

Hi Gert

Thanks a lot for your response. Unfortunately, I have no experience in writing scripts. On the CCO I saw that it is possible to write a script, but I could not find any example that helps me. Do you know some good links where I can find some examples?

Many thanks and have a good time.

Regards,

Patrik

Hi Patrik

I am not a script expert either, but I did it this way:

Download the free "Kiwi Logger" from:

http://www.kiwisyslog.com

And create the following command file, syslog.cmd (or whatever name you prefer), with the following content:

::-------------------------------------------
:: CSPM hands the notification keywords to the script as positional
:: arguments (%1, %2, ...), so each keyword is picked up by its position.
set RecordID=%2
set DateStr=%5
set TimeStr=%6
set HostID=%8
::-----------------------------------
::Skip to the next 9 keywords (each "shift" moves the arguments one to the left)
::----------------------------------
shift
shift
shift
shift
shift
shift
shift
shift
shift
set SigID=%4
set SubSigID=%5
set SrcIpAddr=%7
set DstIpAddr=%8
set SrcIpPort=%9
::-----------------------------------
::Skip to the next 9 keywords
::----------------------------------
shift
shift
shift
shift
shift
shift
shift
shift
shift
set DstIpPort=%1
set AlarmDetails=%3
:: Send one syslog message built from the keywords above to the syslog server
c:\path\klog -h 123.45.67.8 -m "%TimeStr% %DateStr% IDS:%HostID% ID:%SigID% IP Addr:Src.%SrcIpAddr%:%SrcIpPort% Dst.%DstIpAddr%:%DstIpPort% Record ID:%RecordID% Alarm Details:%AlarmDetails%"
::------------------------------------------------------------

Where 123.45.67.8 is the ip address of your syslog server.

And c:\path\ is the path to where you have the klog.exe.

And in the CSPM under "Tools" - "Configure Notification" - "IDS Events", highlight the desired "Event Description" - "log event and issue......" - "Script" - "Name"; here you type in c:\path\syslog.cmd, and then you have your syslogging running.

If desired you can modify the "notification keywords" in the cmd file, but by using the ones above you will get syslog messages that look like:

01/21/03 01:19:21 user.info) 01:19:40 2003/01/21 IDS:231 ID:5040 IP Addr:Src.80.80.2.182:45835 Dst.15.7.28.50:80 Record ID:1004915 Alarm Details:/cgi-bin/perl?

Good luck

Regards

Gert
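A parser for the message format that syslog.cmd produces, added here as an example for the syslog-server side; it is not part of the original thread. It assumes the field layout of the klog message in the script above and the "date time facility.severity)" prefix seen in the sample line; the sample line is constructed from that post.

```python
import ipaddress
import re
from datetime import datetime
from typing import Optional

# Constructed sample: the shape of the message shown in the post
# (Kiwi-style "date time user.info)" prefix, then the klog message body).
SAMPLE_LINE = ("01/21/03 01:19:21 user.info) 01:19:40 2003/01/21 IDS:231 ID:5040 "
               "IP Addr:Src.80.80.2.182:45835 Dst.15.7.28.50:80 "
               "Record ID:1004915 Alarm Details:/cgi-bin/perl?")

# Field layout written by syslog.cmd:
#   <TimeStr> <DateStr> IDS:<HostID> ID:<SigID> IP Addr:Src.<ip>:<port>
#   Dst.<ip>:<port> Record ID:<RecordID> Alarm Details:<rest of line>
BODY_RE = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<date>\d{4}/\d{2}/\d{2}) "
    r"IDS:(?P<host_id>\S+) ID:(?P<sig_id>\d+) "
    r"IP Addr:Src\.(?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"Dst\.(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"Record ID:(?P<record_id>\d+) Alarm Details:(?P<details>.*)$"
)


def parse_cspm_syslog(line: str) -> Optional[dict]:
    """Parse one forwarded CSPM/IDS alert line into fields; None if it does not match."""
    # Whatever the syslog daemon prepends (here "user.info)") is skipped by search().
    m = BODY_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    try:  # reject lines where the address fields are not real IPv4/IPv6 addresses
        src = ipaddress.ip_address(f["src_ip"])
        dst = ipaddress.ip_address(f["dst_ip"])
    except ValueError:
        return None
    when = datetime.strptime(f["date"] + " " + f["time"], "%Y/%m/%d %H:%M:%S")
    return {
        "sensor_time": when,          # sensor's own timestamp, not the syslog one
        "host_id": f["host_id"],
        "sig_id": int(f["sig_id"]),
        "src": (str(src), int(f["src_port"])),
        "dst": (str(dst), int(f["dst_port"])),
        "record_id": int(f["record_id"]),
        "details": f["details"].strip(),
    }


if __name__ == "__main__":
    print(parse_cspm_syslog(SAMPLE_LINE))
```

Once the fields are structured this way, the messages can be counted per signature or per source address on the syslog server instead of being read by hand.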

Hi Gert

Thank you very much. I will try this as fast as I can.

Thanks again and have a nice weekend.

Regards.

Patrik

I tried with the syslog client in the CSPM and it worked.

Now we are upgrading to VMS; do you know if it includes the syslog client, or should I keep an external product?