Exabeam Site Collector for SaaS

Filtering Incoming Syslog Events in Exabeam Site Collector

For known threats in high-volume log scenarios, you can apply a filter to inbound syslog events to reduce the amount of data sent to your SaaS deployment. You do this by adding a filter string to the input configuration file. The filter matches syslog events whose message contains a known threat pattern. It does not support negative ("not match") conditions; for example, you cannot filter on a condition of the form "X != event".

  1. SSH to the host of your site collector and create a backup of the configuration file in your home folder.

    cp /opt/logstash/conf.d/syslog2kafka.conf ~/01-syslog-input.conf.orig
  2. Append the filter code to /opt/logstash/conf.d/syslog2kafka.conf. In this example, the filter drops any event whose message contains "drop-string-" or "drop-string-2". Use plain ASCII double quotes; Logstash does not parse typographic quotes.

    filter {
        if "drop-string-" in [message] or "drop-string-2" in [message] {
            drop { }
        }
    }
  3. Restart the syslog (Logstash) service.

    sudo systemctl restart logstash
    
    # Verify service status
    sudo systemctl status logstash

    Use sudo journalctl -e -u logstash to display the service log. A successful restart resembles the log records below, ending with a Successfully started record.

    Mar 25 20:23:57 dl docker[21481]: [2019-03-25T20:23:57,726][INFO ][logstash.inputs.tcp      ] Starting tcp input listener {:address=>"0.0.0.0:514"}
    Mar 25 20:23:57 dl docker[21481]: [2019-03-25T20:23:57,731][INFO ][logstash.inputs.tcp      ] Starting tcp input listener {:address=>"0.0.0.0:515"}
    Mar 25 20:23:58 dl docker[21481]: [2019-03-25T20:23:58,229][INFO ][logstash.pipeline        ] Pipeline main started
    Mar 25 20:23:58 dl docker[21481]: [2019-03-25T20:23:58,233][INFO ][logstash.inputs.udp      ] Starting UDP listener {:address=>"0.0.0.0:514"}
    Mar 25 20:23:58 dl docker[21481]: [2019-03-25T20:23:58,253][INFO ][logstash.inputs.udp      ] UDP listener started {:address=>"0.0.0.0:514", :receive_buffer_bytes=>"106496", :queue_size=>"2000"}
    Mar 25 20:23:58 dl docker[21481]: [2019-03-25T20:23:58,268][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
  4. Verify the filter is working by sending test messages, including the filter string, to the site collector's ingest port. Because the filter above matches drop-string- and drop-string-2, the four drop-string messages below should be dropped and the three "from other system" messages should still be forwarded.

    logger -n localhost -T -P 514 test message from other system 1
    logger -n localhost -T -P 514 test message from other system 2
    logger -n localhost -T -P 514 test message drop-string-1 1
    logger -n localhost -T -P 514 test message drop-string-2 1
    logger -n localhost -T -P 514 test message drop-string-1 2
    logger -n localhost -T -P 514 test message drop-string-2 2
    logger -n localhost -T -P 514 test message from other system 3
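A pre-flight check for the edited configuration, added here as an example and not part of the Exabeam documentation: before the restart in step 3 it flags the typographic-quote, unbalanced-brace and unguarded-drop mistakes that keep Logstash from starting or make it drop everything, using constructed copies of the filter block above. The temporary file names and sample contents are assumptions.

```shell
#!/bin/sh
# Added pre-flight check for the edited syslog2kafka.conf; not part of the
# Exabeam documentation. A filter block pasted from a web page often carries
# typographic quotes or an unbalanced brace; Logstash then refuses to start
# and the collector stops forwarding syslog. Run this before the restart
# (or use Logstash's own "--config.test_and_exit" where the binary is on the host).

check_filter_config() {
    conf="$1"; rc=0
    # Curly quotes U+2018..U+201F (and other U+20xx punctuation) all begin
    # with the bytes E2 80; Logstash only accepts plain " and '.
    if LC_ALL=C grep -nF "$(printf '\342\200')" "$conf"; then
        echo "ERROR: non-ASCII quote/punctuation on the line(s) above" >&2
        rc=1
    fi
    # The config is brace-delimited, so '{' and '}' counts must match.
    opens=$(tr -cd '{' < "$conf" | wc -c | tr -d ' ')
    closes=$(tr -cd '}' < "$conf" | wc -c | tr -d ' ')
    if [ "$opens" -ne "$closes" ]; then
        echo "ERROR: $opens '{' but $closes '}' in $conf" >&2
        rc=1
    fi
    # Heuristic: a drop {} with no if-condition anywhere drops every event.
    if grep -q 'drop *{' "$conf" && ! grep -q '^[[:space:]]*if ' "$conf"; then
        echo "ERROR: drop {} found but no 'if' condition guards it" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed samples written to directory $1: the filter block as pasted
# (curly quote before drop-string-2) and the corrected version.
make_samples() {
    printf '%s\n' 'filter {' \
        '    if "drop-string-" in [message] or “drop-string-2" in [message] {' \
        '        drop { }' '    }' '}' > "$1/pasted.conf"
    LC_ALL=C sed "s/$(printf '\342\200\234')/\"/g" "$1/pasted.conf" > "$1/fixed.conf"
}

WORK=$(mktemp -d)
make_samples "$WORK"
for f in pasted fixed; do
    if check_filter_config "$WORK/$f.conf"; then
        echo "$f.conf: safe to restart logstash"
    else
        echo "$f.conf: fix before restarting logstash"
    fi
done
rm -rf "$WORK"
```

Point check_filter_config at /opt/logstash/conf.d/syslog2kafka.conf after editing it; a non-zero exit means the restart would leave the collector without a running pipeline.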