Inject a Token into SIEM Output Using a Syslog Relay

The following configuration can be used to inject a “token” into the RFC3614 (BSD syslog) messages sent by the SecureCircle server when a SIEM provider is configured.

docker-compose.yml

Insert the following under the services: section of the docker-compose.yml configuration for your deployment:

  syslog-ng-relay:
    restart: always
    image: balabit/syslog-ng:latest
    environment:
      SYSLOG_TOKEN: CHANGEME
      SYSLOG_TCP_OUTPUT_HOST: CHANGEME
      SYSLOG_TCP_OUTPUT_PORT: CHANGEME
    volumes:
    - ./syslog-ng.conf:/etc/syslog-ng/syslog-ng.conf
    expose:
    - "601" # TCP

syslog-ng.conf

This configuration should be placed into the same directory with your docker-compose.yml configuration.

It can also be used with an external syslog-ng server. The SYSLOG_TOKEN, SYSLOG_TCP_OUTPUT_HOST, and SYSLOG_TCP_OUTPUT_HOST environment variables can be used for configuration.

@version: 3.25

options {
  keep-hostname(yes);
  use-dns(no);
};

template t_outputFormat {
  template("<${PRI}>${DATE} ${HOST} ${PROGRAM}: `SYSLOG_TOKEN` $MSG");
};

source s_tcpInput {
  network(ip("0.0.0.0") transport("tcp") port("601"));
};

destination d_tcpOutput {
  tcp("`SYSLOG_TCP_OUTPUT_HOST`" port(`SYSLOG_TCP_OUTPUT_PORT`) template(t_outputFormat));
};

log {
  source(s_tcpInput);
  destination(d_tcpOutput);
};

For Datadog

Replace the t_outputFormat template contents with:

template t_outputFormat {
  template("`SYSLOG_TOKEN` <${PRI}>${DATE} ${HOST} ${PROGRAM}: $MSG");
};

Server configuration

Add a new Syslog SIEM provider

• If syslog-ng is configured in docker-compose.yml the Host field can be set to the service’s name (syslog-ng-relay). Otherwise set this to your relay server’s IP address or hostname.