reswob4 Honored Contributor.

Snort Syslog connector not populating original device

I am using a syslog connector (configured per the SmartConnector for Snort Syslog Configuration Guide) on the Connector Appliance to receive logs from multiple Snort devices across our network.  We first set it up so that each Snort device sent alerts and logs directly from each sensor to the ConApp.  However, while reviewing the events in the ESM, it became apparent that whilst the source/attacker, destination/target and agent IP and host name were labeled, the device IP and hostname spots were not filled in.  This presented a problem because it prevented us from identifying which sensor triggered each alert.

So we created a central syslog server, reconfigured each snort sensor to send their alerts to that device and configured the central syslog server to forward all messages to the ConApp.  I thought that by doing this, the parser would place the originating device information into the event.  However, it does not.  Again, there is no way to determine which sensor detected which alert.

My question is this:  Is anyone else having this problem?  Is there a configuration step I missed, either in configuring syslog on the Snort devices, the central syslog server and/or the ConApp?  Something else?

Thanks

Craig

aaron.wayne@hpe1 Absent Member.

Re: Snort Syslog connector not populating original device

Craig,

Turn on raw event logging.  Inside the console, do the following:

1. Go to Connectors, find the connector, then go to the Default tab for the connector.

2. Go to Processing and change Preserve Raw Event from No to Yes.

3. Restart the connector.

Run a channel for the events; if feeding straight to ESM, just run it on the connector and look at the raw event data to verify it is there.

Sounds like a parsing issue in general.  If the data you are looking for is there in the raw event but just not being parsed correctly, create a support ticket with support and show them your findings.  They are pretty good at providing you with a parser override if need be.  In this case, though, you may not need to engage support; it sounds like an easy parser override to write.  However, if you don't want to dedicate the time and you already pay for support, engage them.

Hope this helps!

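A small diagnostic for the raw-event check described in the reply above, written for this thread rather than taken from it or from the Snort/ArcSight parser: it splits each raw syslog line into its RFC 3164 header and the Snort alert body, then flags alerts whose header hostname is the relay rather than a sensor, which is exactly the "cannot tell which sensor fired" symptom. The Snort alert_syslog body layout, the hostnames and the sample lines are assumptions constructed for the example.

```python
import re
from typing import Optional

# Assumed RFC 3164 framing: "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG"
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[\w.\-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Assumed Snort alert_syslog body layout:
# "[gid:sid:rev] name [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport"
SNORT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<name>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_snort_syslog(line: str) -> Optional[dict]:
    # Header first; the hostname field is where the sensor identity should be.
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    body = SNORT_RE.match(m["msg"])
    if not body:
        return None  # syslog header parsed, but the body is not a Snort alert
    event = dict(body.groupdict())
    event["device_host"] = m["host"]
    event["sid"] = int(body["sid"])
    event["priority"] = int(body["prio"])
    return event

def sensors_lost(lines, relay_host: str) -> list:
    # Alerts whose header hostname is the relay: the originating sensor can no
    # longer be told apart, which is the problem described in this thread.
    out = []
    for line in lines:
        ev = parse_snort_syslog(line)
        if ev and ev["device_host"] == relay_host:
            out.append(ev)
    return out

# Constructed raw events: one straight from a sensor, one whose header was
# rewritten by a relay that stamped its own hostname in place of the sensor's.
SAMPLE_LINES = [
    "<33>Mar  4 10:15:01 snort-dmz01 snort[2211]: [1:2100498:7] GPL ATTACK_RESPONSE id check "
    "returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.0.2.25:51234",
    "<33>Mar  4 10:15:02 syslog-central snort[2211]: [1:2100498:7] GPL ATTACK_RESPONSE id check "
    "returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.0.2.26:51235",
]
```

Run it over the raw events the connector now preserves: if every alert comes back with the relay's hostname, the relay is overwriting the header and the fix belongs in the syslog forwarding configuration, not in a parser override.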
reswob4 Honored Contributor.

Re: Snort Syslog connector not populating original device

Turns out that the SC I was using in that container wasn't upgraded.

I upgraded to the latest (7.0.2 as of this writing) and that fixed it.  (well I also tried to upload a parser override, but I don't think it's working.  I think the upgraded SC is doing the correct parsing, not my override.)

Anyway, I'm marking this as assumed answered cause... duh.. upgrade.
