Inject a Token into SIEM Output Using a Syslog Relay
- Updated on 18 Oct 2020
The following configuration injects a “token” into the RFC 3164 (BSD syslog) messages that the SecureCircle server sends when a SIEM provider is configured.
docker-compose.yml
Insert the following under the services: section of the docker-compose.yml configuration for your deployment:
```yaml
  syslog-ng-relay:
    restart: always
    image: balabit/syslog-ng:latest
    environment:
      SYSLOG_TOKEN: CHANGEME
      SYSLOG_TCP_OUTPUT_HOST: CHANGEME
      SYSLOG_TCP_OUTPUT_PORT: CHANGEME
    volumes:
      - ./syslog-ng.conf:/etc/syslog-ng/syslog-ng.conf
    expose:
      - "601" # TCP
```
syslog-ng.conf
This configuration should be placed into the same directory with your docker-compose.yml configuration.
It can also be used with an external syslog-ng server. The SYSLOG_TOKEN, SYSLOG_TCP_OUTPUT_HOST, and SYSLOG_TCP_OUTPUT_PORT environment variables are used for configuration.
```
@version: 3.25

options {
  keep-hostname(yes);   # keep the hostname the SecureCircle server put in the message
  use-dns(no);          # do not resolve client addresses
};

# Output format: BSD syslog header, then the token, then the original message.
# Backtick names are substituted from the container's environment by syslog-ng.
template t_outputFormat {
  template("<${PRI}>${DATE} ${HOST} ${PROGRAM}: `SYSLOG_TOKEN` $MSG");
};

# Listen for TCP syslog from the SecureCircle server on port 601.
source s_tcpInput {
  network(ip("0.0.0.0") transport("tcp") port("601"));
};

# Forward to the SIEM endpoint using the token-injecting template.
destination d_tcpOutput {
  tcp("`SYSLOG_TCP_OUTPUT_HOST`" port(`SYSLOG_TCP_OUTPUT_PORT`) template(t_outputFormat));
};

log {
  source(s_tcpInput);
  destination(d_tcpOutput);
};
```
For Datadog
Replace the t_outputFormat template contents with:
```
template t_outputFormat {
  template("`SYSLOG_TOKEN` <${PRI}>${DATE} ${HOST} ${PROGRAM}: $MSG");
};
```
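To confirm that the relay is emitting the expected layout, and to show how a receiver should treat the token as a shared secret to check and strip rather than as part of the event text, here is an added Python parser for both templates above (the default layout and the Datadog layout). It is example code, not part of the SecureCircle or syslog-ng documentation; the token value and sample lines are constructed.

```python
import re
from typing import Optional

# Constructed samples of what the relay emits. The token "s3cr3t-token" is
# a placeholder for the SYSLOG_TOKEN value; 134 = local0.info.
SAMPLE_DEFAULT = "<134>Oct 18 14:03:22 securecircle-srv securecircle: s3cr3t-token user alice opened finance.xlsx"
SAMPLE_DATADOG = "s3cr3t-token <134>Oct 18 14:03:22 securecircle-srv securecircle: user alice opened finance.xlsx"
SAMPLE_NO_TOKEN = "<134>Oct 18 14:03:22 securecircle-srv securecircle: user alice opened finance.xlsx"

# <PRI> followed by the rest of the BSD syslog line.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.DOTALL)
# syslog-ng ${DATE} is BSD style ("Oct 18 14:03:22", day padded with a space).
HEADER_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^:\s]+): (?P<msg>.*)$",
    re.DOTALL,
)


def parse_relayed(line: str, expected_token: str) -> Optional[dict]:
    """Parse one relay output line in either template layout.

    Returns the decoded fields with the token removed from the message,
    or None if the token is absent or does not match expected_token.
    """
    line = line.rstrip("\r\n")
    token_position = None
    prefix = expected_token + " "
    if line.startswith(prefix):          # Datadog layout: token before <PRI>
        line = line[len(prefix):]
        token_position = "prefix"
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                        # 23 facilities * 8 severities - 1
        return None
    h = HEADER_RE.match(m.group("rest"))
    if not h:
        return None
    msg = h.group("msg")
    if token_position is None:           # default layout: token after "PROGRAM: "
        if not msg.startswith(prefix):
            return None
        msg = msg[len(prefix):]
        token_position = "inline"
    return {
        "facility": pri >> 3, "severity": pri & 7, "date": h.group("date"),
        "host": h.group("host"), "program": h.group("program"),
        "msg": msg, "token_position": token_position,
    }
```

A receiver that drops lines for which parse_relayed returns None will discard events that arrive without the configured token or with a stale one after rotation.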
Server configuration
Add a new Syslog SIEM provider
- If syslog-ng is configured in docker-compose.yml the Host field can be set to the service’s name (syslog-ng-relay). Otherwise set this to your relay server’s IP address or hostname.