Syslog collector - Log sources being wrongly identified as the collector itself
We have a scenario where we have a syslog collector receiving a number of syslog messages from different sources. When these are ingested into Sentinel the hostname/computer is being set to the collector rather than the original source of the syslog. What could be causing this? Any help would be much appreciated.
- mikhailf (Steel Contributor)
Hello tipper1510,
Check the facilities. The syslog forwarder's own local logs (for example the cron, user and daemon facilities) are ingested as well, and those legitimately carry the collector's name rather than a remote source.
- Clive_Watson (Bronze Contributor)
tipper1510
This example parser may help, or at least start you on the right path (assuming the source Computer is present in your Syslog data; you may only have its IP address, which can depend on the facility or source you are using): Developing ASim Syslog Authentication Parser for Microsoft Sentinel | Towards Dev
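// ASim-style authentication parser over the Sentinel Syslog table.
// Three branches (accepted password, failed password, failed password for an
// unknown user) are normalised to one column set and unioned at the end.
//
// Field semantics that matter when the agent sits behind a syslog forwarder:
// HostName is the host named in the syslog header (the originating device);
// Computer is the machine the agent collected from, which for forwarded
// messages is the collector itself. SrcDvcHostname therefore comes from
// HostName; SrcDvcId keeps Computer as in the original and should be read as
// the collection point, not the source, for forwarded logs.
//
// Fixes relative to the original one-liner:
//  - the parsed address column is IpAddress in every branch (one branch used
//    IPAddress, so union emitted two address columns);
//  - EventOriginalUid is tostring(ProcessID) in every branch (one branch kept
//    it as the raw ProcessID type, so union split the column by type);
//  - failure branches set EventResult = 'Failure' directly instead of deriving
//    it from `Facility == 0`, since every row there already matched a
//    'Failed password' message and Facility holds names such as 'authpriv';
//  - SrcDvcOs uses SourceSystem in every branch (two branches placed the
//    computer name in the OS field).
let SyslogAuthenticationSuccess =
    Syslog
    | where SyslogMessage contains 'accepted password'
    | parse SyslogMessage with Activity: string ' for ' TargetUserName ' from ' IpAddress ' port ' IpPort ' ' Protocol
    | extend
        EventVendor = 'Linux',
        EventProduct = 'Syslog',
        EventCount = int(1),
        EventSchemaVersion = '0.1.0',
        EventResult = 'Success',
        EventStartTime = TimeGenerated,
        EventEndTime = TimeGenerated,
        EventType = 'Logon',
        SrcDvcId = tostring(Computer),
        SrcDvcHostname = tostring(HostName),
        SrcDvcOs = tostring(SourceSystem),
        EventOriginalUid = tostring(ProcessID)
    | project-rename LogonMethod = ProcessName
    | project-reorder TimeGenerated, EventProduct, EventOriginalUid, EventResult, EventStartTime, EventEndTime, LogonMethod, SrcDvcId, SrcDvcHostname, SrcDvcOs;
let SyslogAuthenticationFailed =
    Syslog
    | where Facility has 'authpriv' and SeverityLevel has 'info' and SyslogMessage contains 'Failed password for'
    | parse SyslogMessage with Activity: string ' for ' TargetUserName ' from ' IpAddress ' port ' IpPort ' ' Protocol
    | extend
        EventVendor = 'Linux',
        EventProduct = 'Syslog',
        EventCount = int(1),
        EventSchemaVersion = '0.1.0',
        // Rows here matched 'Failed password for', so the outcome is fixed.
        EventResult = 'Failure',
        EventOriginalResultDetails = coalesce(Facility, SeverityLevel),
        EventStartTime = TimeGenerated,
        EventEndTime = TimeGenerated,
        EventType = 'Logon',
        SrcDvcId = tostring(Computer),
        SrcDvcHostname = tostring(HostName),
        SrcDvcOs = tostring(SourceSystem),
        EventOriginalUid = tostring(ProcessID)
    | project-rename LogonMethod = ProcessName
    | project-reorder TimeGenerated, EventProduct, EventOriginalUid, EventResult, EventOriginalResultDetails, EventStartTime, EventEndTime, LogonMethod, SrcDvcId, SrcDvcHostname, SrcDvcOs
    // Unknown-user failures are handled by the next branch; keep them out here.
    | where TargetUserName !contains 'invalid user';
let SyslogAuthenticationFailedwithInvalidUser =
    Syslog
    | where SyslogMessage contains 'failed password' and SeverityLevel == 'info'
    | parse SyslogMessage with Activity: string ' for ' TargetUserName ' from ' IpAddress ' port ' IpPort ' ' Protocol
    | where TargetUserName contains 'invalid user'
    // TargetUserName is "invalid user <name>" here; keep only the name.
    | extend tmp_Username = split(TargetUserName, ' ')
    | extend TargetUserName = tostring(tmp_Username[2])
    | extend
        EventVendor = 'Linux',
        EventProduct = 'Syslog',
        EventCount = int(1),
        EventSchemaVersion = '0.1.0',
        // Rows here matched 'failed password', so the outcome is fixed.
        EventResult = 'Failure',
        EventStartTime = TimeGenerated,
        EventEndTime = TimeGenerated,
        EventType = 'Logon',
        SrcDvcId = tostring(Computer),
        SrcDvcHostname = tostring(HostName),
        SrcDvcOs = tostring(SourceSystem),
        EventOriginalUid = tostring(ProcessID)
    | project-rename LogonMethod = ProcessName
    | project-reorder TimeGenerated, EventProduct, EventOriginalUid, EventResult, EventStartTime, EventEndTime, LogonMethod, SrcDvcId, SrcDvcHostname, SrcDvcOs;
union SyslogAuthenticationFailed, SyslogAuthenticationSuccess, SyslogAuthenticationFailedwithInvalidUser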