
tipper1510
Brass Contributor
Jan 11, 2023

Syslog collector - Log sources being wrongly identified as the collector itself

We have a syslog collector receiving syslog messages from a number of different sources. When these are ingested into Sentinel, the hostname/Computer field is set to the collector rather than the original source of the message. What could be causing this? Any help would be much appreciated.

    mikhailf
    Steel Contributor

    Hello tipper1510,

     

    Check the facilities. The syslog forwarder itself also ingests its own local logs (for example, the cron, user and daemon facilities), and for those records the collector genuinely is the source host.

    Clive_Watson
    Bronze Contributor

    tipper1510 

    This example parser may help, or at least start you on the right path (assuming the source computer name is present in your syslog message — you may only have its IP address; that can depend on the facility or source you are using).

    Developing ASim Syslog Authentication Parser for Microsoft Sentinel  | Towards Dev


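    // Successful password logons, e.g. sshd "Accepted password for <user> from <ip> port <n> ssh2".
    // NOTE(review): on a forwarding collector, Computer is the collector that ingested the line,
    // while HostName is the originating host from the syslog header - confirm which device the
    // SrcDvc* fields are meant to describe before relying on them.
    let SyslogAuthenticationSuccess = Syslog
        // contains is case-insensitive, so 'Accepted password' also matches.
        | where SyslogMessage contains 'accepted password'
        | parse SyslogMessage with Activity: string ' for ' TargetUserName ' from ' IpAddress ' port ' IpPort ' ' Protocol
        | extend
            EventVendor = 'Linux',
            EventProduct = 'Syslog',
            EventCount = int(1),
            EventSchemaVersion = '0.1.0',
            EventResult = 'Success',
            EventStartTime = TimeGenerated,
            EventEndTime = TimeGenerated,
            EventType = 'Logon',
            SrcDvcId = tostring(Computer),
            SrcDvcHostname = tostring(HostName),
            // Computer is a host name, not an OS; use SourceSystem as the Failed branch does,
            // so the union yields a single meaning for SrcDvcOs.
            SrcDvcOs = tostring(SourceSystem)
        | project-rename EventOriginalUid = ProcessID, LogonMethod = ProcessName
        | project-reorder
            TimeGenerated,
            EventProduct,
            EventOriginalUid,
            EventResult,
            EventStartTime,
            EventEndTime,
            LogonMethod,
            SrcDvcId,
            SrcDvcHostname,
            SrcDvcOs;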
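    // Failed password logons for existing accounts; unknown accounts ("invalid user") are
    // handled by the SyslogAuthenticationFailedwithInvalidUser branch.
    let SyslogAuthenticationFailed = Syslog
        | where Facility has 'authpriv'
            and SeverityLevel has 'info'
            and SyslogMessage contains 'Failed password for'
        // The capture is named IpAddress to match the other branches; the earlier IPAddress
        // spelling produced a second, differently named IP column in the union.
        | parse SyslogMessage with Activity: string ' for ' TargetUserName ' from ' IpAddress ' port ' IpPort ' ' Protocol
        // Drop the invalid-user rows before enriching them; the result is the same as filtering
        // at the end, with less work.
        | where TargetUserName !contains 'invalid user'
        | extend
            EventVendor = 'Linux',
            EventProduct = 'Syslog',
            EventCount = int(1),
            EventSchemaVersion = '0.1.0',
            // Facility is a string here (see the has 'authpriv' filter above), so the earlier
            // iff(Facility == 0, ...) could never select 'Success'; this branch is always a failure.
            EventResult = 'Failure',
            EventOriginalResultDetails = coalesce(Facility, SeverityLevel),
            EventStartTime = TimeGenerated,
            EventEndTime = TimeGenerated,
            EventType = 'Logon',
            // NOTE(review): on a forwarding collector, Computer is the collector and HostName the
            // originating host from the syslog header - confirm which one SrcDvc* should carry.
            SrcDvcId = tostring(Computer),
            SrcDvcHostname = tostring(HostName),
            SrcDvcOs = tostring(SourceSystem),
            EventOriginalUid = tostring(ProcessID)
        | project-rename LogonMethod = ProcessName
        | project-reorder
            TimeGenerated,
            EventProduct,
            EventOriginalUid,
            EventResult,
            EventOriginalResultDetails,
            EventStartTime,
            EventEndTime,
            LogonMethod,
            SrcDvcId,
            SrcDvcHostname,
            SrcDvcOs;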
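    // Failed password attempts against accounts that do not exist ("... for invalid user <name> from ...").
    let SyslogAuthenticationFailedwithInvalidUser = Syslog
        | where SyslogMessage contains 'failed password' and SeverityLevel == 'info'
        | parse SyslogMessage with Activity: string ' for ' TargetUserName ' from ' IpAddress ' port ' IpPort ' ' Protocol
        | where TargetUserName contains 'invalid user'
        // The capture reads "invalid user <name>"; keep only the third token, without leaving a
        // scratch column (tmp_Username) in the output.
        | extend TargetUserName = tostring(split(TargetUserName, ' ')[2])
        | extend
            EventVendor = 'Linux',
            EventProduct = 'Syslog',
            EventCount = int(1),
            EventSchemaVersion = '0.1.0',
            // Facility is a string in the Syslog table, so iff(Facility == 0, ...) could never
            // yield 'Success'; every row in this branch is a failed logon.
            EventResult = 'Failure',
            EventStartTime = TimeGenerated,
            EventEndTime = TimeGenerated,
            EventType = 'Logon',
            // NOTE(review): on a forwarding collector, Computer is the collector and HostName the
            // originating host from the syslog header - confirm which one SrcDvc* should carry.
            SrcDvcId = tostring(Computer),
            SrcDvcHostname = tostring(HostName),
            // SourceSystem rather than Computer, consistent with the Failed branch.
            SrcDvcOs = tostring(SourceSystem)
        | project-rename EventOriginalUid = ProcessID, LogonMethod = ProcessName
        | project-reorder
            TimeGenerated,
            EventProduct,
            EventOriginalUid,
            EventResult,
            EventStartTime,
            EventEndTime,
            LogonMethod,
            SrcDvcId,
            SrcDvcHostname,
            SrcDvcOs;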
    // Emit all three branches as one result set; kind=outer (the default) keeps every column
    // any branch produces.
    union kind=outer
        SyslogAuthenticationSuccess,
        SyslogAuthenticationFailed,
        SyslogAuthenticationFailedwithInvalidUser

     

     
