scalyr · jmorascalyr · Oct 25, 2024
diff --git a/configs/syslog-ng.conf b/configs/syslog-ng.conf
@@ -0,0 +1,173 @@
+@version: 4.4
+@include "scl.conf"
+
+
+# Global Options
+options {
+   create-dirs(yes);  # Create directories for log files if they do not exist
+   dir-perm(0755);    # Set permissions for the directories to 0755
+   perm(0755);        # Set permissions for the log files to 0755
+   keep-timestamp(yes);  # Retain timestamp information in logs
+   time-reap(3);      # Reap old log files every 3 seconds
+   log-fifo-size(4000000);  # Set the size of the FIFO buffer to 4 MB
+   #use-dns(yes);    # Optional: Use DNS to resolve hostnames (currently disabled)
+   stats(level(4));  # Set the level of statistics collected to 4 (detailed)
+};
+
+
+# Sources
+### Produce syslog-ng system and internal logs
+source s_syslog {
+   system();  # Collect system logs
+   internal();  # Collect internal syslog-ng logs
+};
+
+
+### Monitor /var/syslog-ng/syslogSystem.log
+source s_syslogFileMon {
+   file("/var/syslog-ng/syslogSystem.log"
+       follow-freq(1)  # Check for new log entries every second
+   );
+};
+
+
+### Monitor /var/log/ directory and subdirectories for all *.log files
+source s_nonrepDirMon {
+   wildcard-file(
+       base-dir("/var/log/")  # Base directory for log files
+       filename-pattern("*.log")  # File pattern to match all .log files
+       recursive(yes)  # Recursively search subdirectories
+       follow-freq(1)  # Check for new log entries every second
+   );
+};
+
+
+### Monitor TCP port 514 for Palo Alto Traffic data
+source s_forti_514 {
+   udp(
+       port(514)  # Listen on TCP port 5514
+       ip("0.0.0.0")  # Bind to all available network interfaces
+       so_rcvbuf(425984)  # Set receive buffer size to 416 KB
+       so_sndbuf(851968)  # Set send buffer size to 832 KB
+       so_keepalive(yes)  # Enable TCP keepalive to check for network issues
+   );
+};
+
+
+# Template Functions
+### Template t_syslog
+template-function t_syslog '$(format-json --scope none , _message="$MESSAGE" dataSource.category="security" dataSource.vendor="Syslog-NG" dataSource.name="Syslog-NG System" logfile="$FILE_NAME" source="$SOURCE")';
+
+
+### Template t_nonrepeditive
+template-function t_nonrepetitive '$(format-json --scope none , _message="$MESSAGE" dataSource.category="security" dataSource.vendor="Linux" dataSource.name="Nonrepetitive Logs" logfile="$FILE_NAME" source="$SOURCE")';
+
+
+# Destinations
+### Write syslog-ng system and internal log to file
+destination d_syslog_file {
+   file(
+       "/var/syslog-ng/syslogSystem.log"
+       template("${C_ISODATE} ${HOST} ${PROGRAM} ${MESSAGE}\n")  # Format log entries with timestamp, host, program, and message
+   );
+};
+
+
+### Forward system and internal syslog-ng file to AI SIEM
+destination d_hec_syslog {
+   http(
+       url("https://ingest.us1.sentinelone.net/services/collector/raw?parser=json")  # URL for sending logs to AI SIEM
+       content-compression("gzip")  # Compress log data with gzip
+       headers(
+           "Authorization: Bearer {token}",  # Authorization token
+           "Content-Type: text/plain"  # Content type for the request
+       )
+       body("$(t_syslog)")  # Send logs formatted as JSON using t_syslog template
+       persist-name("hec_syslog")  # Unique name for persistence
+       batch-lines(99999)  # Maximum number of lines per batch
+       batch-bytes(9000000)  # Maximum size of each batch in bytes (9 MB)
+       batch-timeout(500)  # Timeout for batch processing in milliseconds
+       disk-buffer(
+           mem-buf-size(2147483647)  # Maximum memory buffer size
+           disk-buf-size(10485760000)  # Maximum disk buffer size (10 GB)
+           reliable(yes)  # Enable reliable buffering
+           dir("/var/syslogBuffer/syslog")  # Directory for disk buffer
+       )
+   );
+};
+
+
+
+
+
+### Forward additional non-repetitive logs to AI SIEM
+destination d_hec_nonrep {
+   http(
+       url("https://ingest.us1.sentinelone.net/services/collector/raw?parser=json")  # URL for sending logs to AI SIEM
+       content-compression("gzip")  # Compress log data with gzip
+       headers(
+           "Authorization: Bearer {token}",  # Authorization token
+           "Content-Type: text/plain"  # Content type for the request
+       )
+       body("$(t_nonrepetitive)")  # Send logs formatted as JSON using t_nonrepetitive template
+       persist-name("hec_nonrep")  # Unique name for persistence
+       batch-lines(99999)  # Maximum number of lines per batch
+       batch-bytes(9000000)  # Maximum size of each batch in bytes (9 MB)
+       batch-timeout(500)  # Timeout for batch processing in milliseconds
+       disk-buffer(
+           mem-buf-size(2147483647)  # Maximum memory buffer size
+           disk-buf-size(104857600000)  # Maximum disk buffer size (100 GB)
+           reliable(yes)  # Enable reliable buffering
+           dir("/var/syslogBuffer/nonrepetitive")  # Directory for disk buffer
+       )
+   );
+};
+
+
+### Forward known data with pre-configured parser to AI SIEM
+destination d_hec_forti {
+   http(
+       url("https://ingest.us1.sentinelone.net/services/collector/raw?parser=fortigate")  # URL for sending Cisco ASA logs to AI SIEM
+       content-compression("gzip")  # Compress log data with gzip
+       headers(
+           "Authorization: Bearer {token}",  # Authorization token
+           "Content-Type: text/plain"  # Content type for the request
+       )
+       body("${MESSAGE}\n")  # Send logs as plain text with a newline
+       persist-name("hec_cisco")  # Unique name for persistence
+       batch-lines(99999)  # Maximum number of lines per batch
+       batch-bytes(9000000)  # Maximum size of each batch in bytes (9 MB)
+       batch-timeout(500)  # Timeout for batch processing in milliseconds
+       disk-buffer(
+           mem-buf-size(2147483647)  # Maximum memory buffer size
+           disk-buf-size(10485760000)  # Maximum disk buffer size (10 GB)
+           reliable(yes)  # Enable reliable buffering
+           dir("/var/syslogBuffer/fortigate_logs")  # Directory for disk buffer
+    prealloc(yes)  # Preallocate above disk-buffer directory for syslog-ng
+
+)
+   );
+};
+
+
+# Logging Statements
+
+
+### Send syslog-ng system and internal log to AI SIEM
+log {
+   source(s_syslog);  # Source for monitoring syslog file
+   destination(d_hec_syslog);  # Destination for forwarding logs to AI SIEM
+};
+
+
+### Send assorted non-repetitive *.log files to AI SIEM
+log {
+   source(s_nonrepDirMon);  # Source for monitoring non-repetitive log files
+   destination(d_hec_nonrep);  # Destination for forwarding logs to AI SIEM
+};
+
+
+log {
+   source(s_forti_514);  # Source for Palo Alto logs
+   destination(d_hec_forti);  # Destination for forwarding Cisco ASA logs to AI SIEM
+};