Configure syslog on a collector
1. In Threat Monitor, navigate to Admin > Manage Collectors.
2. In the sensors list, select a collector, and then click Edit.
3. Click the Syslog tab.
4. Click the Log Destinations tab, and then click Add.
5. In the Destination Setup window, select Both File and Elastic SOC.
6. Enter a unique name based on the data source.
   Note: When entering a name, do not use spaces.
7. Enter a file storage location on the collector, select the appropriate plugin, and then click Save.
   Note: The file is typically located at /var/log/<filename>.log. For example, if the data source were a Fortigate firewall, the unique name would be fortigate and the path to the log would be /var/log/fortigate.log. You must specify a log destination for each plugin.
8. Click the Filters tab, and then click Add.
9. Enter a unique filter name based on the data source.
10. To set your filter conditions, click Add Row.
11. From the Condition drop-down list, select your condition.
12. From the Filter drop-down list, select an appropriate filter based on unique identifiers found in the logs.
13. In the Value field, enter a unique identifier, and then click Save.
   Note: The purpose of this filter is to give Threat Monitor something unique that it can match in the logs, so it knows which device a log line is coming from. For a Cisco ASA (cisco-asa), for example, the message will always contain %ASA; another type of device may always send from a specific IP address that can be matched instead. The best way to determine which filter to use is to look at the logs being sent to the collector and find something unique and specific to that source.
14. Click the Actions tab, and then click Add.
15. Add four rows, and then make the following selections from the Type and Value drop-down lists:
   - Destination - Select the file storage location on the collector (this is the Elastic SOC destination established in step 5 above).
   - Destination - Select the file storage location on the collector (this is the file destination established in step 5 above).
16. To save your settings, click Apply changes.
17. Click the Status tab to view the number of log entries in both destinations.
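The filter-and-destination logic the steps above describe, as an added Python model that is not Threat Monitor's own code: each filter inspects one field of a parsed syslog record for a unique identifier and copies matching lines to /var/log/<destination>.log, so a line that no filter claims reaches no destination and shows up nowhere on the Status tab. The field and condition names ("host", "message", "contains", "equals") and the sample log lines are assumptions constructed for this illustration.

```python
import re
from dataclasses import dataclass
# Minimal RFC 3164 header: <PRI>Mmm dd hh:mm:ss host message
SYSLOG_RE = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<message>.*)$")

@dataclass(frozen=True)
class Filter:
    name: str         # unique filter name; no spaces, as the guide requires
    field: str        # Filter drop-down: part of the record to inspect ("host" or "message"; assumed names)
    condition: str    # Condition drop-down: "contains" or "equals" (assumed names)
    value: str        # Value field: the unique identifier found in that source's logs
    destination: str  # destination name; the collector writes /var/log/<destination>.log
    def __post_init__(self):
        if " " in self.name or " " in self.destination:
            raise ValueError("names must not contain spaces")
    def matches(self, record):
        field = record[self.field]
        if self.condition == "contains":
            return self.value in field
        if self.condition == "equals":
            return field == self.value
        raise ValueError(f"unknown condition {self.condition!r}")

def route(lines, filters):
    """Apply every filter to every line. Returns ({destination path: [lines]}, unmatched lines)."""
    files, unmatched = {}, []
    for line in lines:
        m = SYSLOG_RE.match(line)
        hits = [f for f in filters if m and f.matches(m.groupdict())]
        if not hits:
            unmatched.append(line)  # no filter claimed it, so it reaches no destination
        for f in hits:
            files.setdefault(f"/var/log/{f.destination}.log", []).append(line)
    return files, unmatched

def status(files):
    """Number of log entries per destination, the figure the Status tab shows."""
    return {path: len(entries) for path, entries in files.items()}

# Constructed sample lines (not captured traffic): two ASA, one FortiGate, one unrelated host
SAMPLE = [
    "<166>Mar 10 12:00:01 fw01 %ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.9/443",
    '<134>Mar 10 12:00:02 10.0.0.5 date=2024-03-10 time=12:00:02 devname="FGT60E" type="traffic"',
    "<166>Mar 10 12:00:03 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.7/5555 dst inside:10.0.0.20/22",
    "<13>Mar 10 12:00:04 web01 sshd[811]: Accepted publickey for ops from 10.0.0.33 port 50022",
]
FILTERS = [
    Filter("cisco-asa", "message", "contains", "%ASA", "cisco-asa"),  # every ASA message carries %ASA
    Filter("fortigate", "host", "equals", "10.0.0.5", "fortigate"),   # FortiGate matched by its source address
]
```

Running `route(SAMPLE, FILTERS)` sends both ASA lines to /var/log/cisco-asa.log and the FortiGate line to /var/log/fortigate.log, while the sshd line is left unmatched because no filter was written for that source.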