Posts published in “SIEM”

LogRhythm Remote Windows Log Collection Integration with Symantec SEPM MS SQL DB


This post describes how to configure the LogRhythm Agent to collect Symantec SEPM logs through the MS SQL database.

Method 1 – Syslog Forwarding

This is the traditional way to forward logs from SEPM to syslog servers such as ArcSight, Splunk, QRadar, LogRhythm, etc.

Note: SEPM does not support multiple syslog servers. Only one host can be configured and supported.

Procedure
1. Log in to your Symantec Endpoint Protection Manager system.
2. In the left pane, click the Admin icon.…

Forward System and App logs to Papertrail – Cloud Log Management


Papertrail is part of SolarWinds Cloud™, the next evolution of their Software-as-a-Service (SaaS) portfolio for monitoring cloud-native applications and infrastructure. It provides a free plan with the following features and limitations:

  • 50 MB/month
  • 48 hours of search
  • 7 days of archive
  • Unlimited systems
  • Unlimited users

1. Set up the Linux syslog daemon to send logs to Papertrail

Run the install script:

  wget -qO - --header="X-Papertrail-Token: ?xyy6KcSF3XguJCUpD?" \ | sudo bash

This script will make the syslog daemon send…

SIEM System Use Cases


Notes from working on a LogRhythm cloud SIEM project. LogRhythm's SIEM solution combines enterprise log management, security analytics, user and entity behavior analytics (UEBA), network traffic and behavior analytics (NTBA), and security automation and orchestration. That integrated approach can make for efficient security operations, from threat detection through incident response.

Because a SIEM is core security infrastructure with access to data from across the enterprise, it supports a wide variety of use cases. Below are common SIEM use case examples, from traditional ones such as compliance reporting to newer ones such as insider threat detection and IoT security.

The rocket-fast Syslog Server – Rsyslog Client and Server Configuration


Rsyslog is an open-source logging program and the most widely used logging mechanism across Linux distributions. It is also the default logging service in CentOS 7 and RHEL 7. The rsyslog daemon on CentOS can be configured to run as a server in order to collect log messages from multiple network devices. In this post, I am using two CentOS 7 Linux machines to test rsyslog as server and client.


The client machine sends its local logs to the remote central syslog server. Both machines run CentOS 7.

Easily Deploy ELK into CentOS 7

The Elastic Stack — formerly known as the ELK Stack — is a collection of open-source software produced by Elastic that allows you to search, analyze, and visualize logs generated from any source in any format, a practice known as centralized logging. Centralized logging is very useful when trying to identify problems with your servers or applications, because it lets you search through all of your logs in a single place. It also lets you identify issues that span multiple servers by correlating their logs over a specific time frame.

The Elastic Stack has four main components:

  • Elasticsearch: a distributed RESTful search engine which stores all of the collected data.
  • Logstash: the data processing component of the Elastic Stack which sends incoming data to Elasticsearch.
  • Kibana: a web interface for searching and visualizing logs.
  • Beats: lightweight, single-purpose data shippers that can send data from hundreds or thousands of machines to either Logstash or Elasticsearch.

Using NXLog to Collect Windows Event Logs


There are many syslog collectors for Windows, but when it comes to stability and features, NXLog is the most likely to fulfil all the requirements.

Windows EventLog allows multi-line messages, so the text is far more readable and neatly formatted with spaces, tabs and line breaks, as can be seen in Event Viewer. Because syslog only reads and writes single-line messages, this formatting must be stripped from the EventLog message, and in doing so the structured metadata is lost. NXLog is capable of reading these fields, recognizing the structure and forwarding them remotely (or acting on them for alerting purposes), which saves time and resources. So, if you use the NXLog framework (client/server), there is no need to spend time writing patterns to extract usernames, IP addresses and similar metadata.