
SSIM Syslog Collectors / Syslog Director

Created: 09 Feb 2012 | 4 comments
robmoore:

Hi All

I'm looking for clarification around SSIM's ability around syslog protocols.

Can SSIM's Syslog collectors and Syslog Director handle new and emerging syslog protocols such as TLS & RELP?

I'm trying to confirm that events sent via TLS to an SSIM Syslog Collector and/or Syslog Director can be successfully managed by the collector.

Many thanks


Rob


Avkash K:

Hi robmoore,


Can you please tell me which of your products are sending such TLS & RELP syslogs?

Regards,

Avkash K

robmoore:

Hi Avkash

We are currently at the design stage.

We are designing a Syslog Server that will be hardened and which will receive syslogs from 'Devices' and send them on via TLS to SSIM.

It's around whether SSIM can 'understand' the TLS or RELP protocols.

Regards


Rob

mathell:

For those interested, I think this is the RFC:

http://www.rfc-editor.org/rfc/rfc5425.txt

I have not seen any indication that it is supported, not without some hidden magic. I assume you are using rsyslog, Rob? We have a pretty extensive rsyslog implementation, but it is using UDP. TLS would be wonderful.

FWIW though, the SSIM Snare parser for Windows is pretty low quality. All Windows 2008 events are parsed with the catch-all rule, so only the message header is currently parsed (I am still working with Symantec on this).

Also, keep in mind that the SSIM doesn't appear to support syslog [relay] consistently. The Unix collector derives the collection device IP from the source IP address of the connection itself (but it derives the collection hostname from the actual message... so they don't match). It derives the logging device name and logging device IP from the message.

The Windows collector (Snare) derives both the collection device IP and collection hostname from the connection, but the logging device name is parsed from the message. It doesn't create an entry at all for logging device IP.
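RFC 5425 syslog-over-TLS, which mathell links above, frames each message with an octet count rather than a trailing newline, so a TLS-capable receiver has to reassemble frames from the stream before any parsing happens. The following is an added example (not code from the thread, from rsyslog or from SSIM): a receiver-side frame decoder plus a header parser that pulls HOSTNAME from the RFC 5424 message, the field that a relay scenario makes disagree with the connection's source IP. The sample frames and the MAX_FRAME limit are constructed assumptions.

```python
import re
from typing import List, Tuple

# Assumed local receiver policy (not from the thread): RFC 5425 only obliges a
# receiver to accept messages of at least 2048 octets; the cap here is a choice.
MAX_FRAME = 8192
_LEN_RE = re.compile(rb"^[1-9][0-9]*$")   # MSG-LEN = NONZERO-DIGIT *DIGIT


def decode_frames(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a TLS byte stream into complete SYSLOG-MSG payloads.

    RFC 5425 frames each message as  MSG-LEN SP SYSLOG-MSG  where MSG-LEN is
    the decimal octet count of SYSLOG-MSG. Returns (messages, remainder); the
    remainder is an incomplete trailing frame to retry once more bytes arrive.
    A malformed length field raises ValueError so the receiver can close the
    connection instead of silently desynchronising from the sender.
    """
    messages: List[bytes] = []
    max_digits = len(str(MAX_FRAME))
    while buf:
        sp = buf.find(b" ", 0, max_digits + 1)
        if sp == -1:
            if len(buf) > max_digits:
                raise ValueError("no SP after MSG-LEN")
            break                                  # length field not complete yet
        length_field = buf[:sp]
        if not _LEN_RE.match(length_field):
            raise ValueError("bad MSG-LEN %r" % length_field)
        n = int(length_field)
        if n > MAX_FRAME:
            raise ValueError("MSG-LEN %d exceeds receiver limit" % n)
        end = sp + 1 + n
        if len(buf) < end:
            break                                  # wait for the rest of this frame
        messages.append(buf[sp + 1:end])
        buf = buf[end:]
    return messages, buf


def hostname_from_message(msg: bytes) -> str:
    """Return HOSTNAME from an RFC 5424 header (<PRI>VERSION SP TIMESTAMP SP
    HOSTNAME ...). Attributing on this field, rather than on the TLS peer
    address, is what makes relayed events name the originating device."""
    fields = msg.split(b" ", 3)
    if len(fields) < 3:
        raise ValueError("truncated RFC 5424 header")
    return fields[2].decode("ascii")


def _frame(msg: bytes) -> bytes:
    """Build one octet-counted frame (used only to construct sample data)."""
    return b"%d %s" % (len(msg), msg)


# Constructed sample stream: two complete frames plus the start of a third.
SAMPLE_STREAM = (
    _frame(b"<13>1 2012-02-09T10:00:00Z relay01 rsyslogd - - - forwarded event")
    + _frame(b"<14>1 2012-02-09T10:00:01Z fw-edge01 kernel - - - link up")
    + b"60 <13>1 2012-02-09T10:00:02Z relay01"
)
```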

gilbert08:

If you are using the syslog sensor, as long as your device is forwarding messages in raw log format, it will be interpreted by SSIM.