Syslog collector - Log sources being wrongly identified as the collector itself
We have a scenario where we have a syslog collector receiving a number of syslog messages from different sources. When these are ingested into Sentinel the hostname/computer is being set to the colle...
This example parser may help, or at least start you on the right path (assuming the source computer's name is present in your Syslog message — you may only have its IP address; it can depend on the facility or source you are using).
Developing ASim Syslog Authentication Parser for Microsoft Sentinel  | Towards Dev
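// Successful password logons: "Accepted password for <user> from <ip> port <port> <proto>".
// In the Sentinel Syslog table, Computer is the machine that reported the event (the
// collector when logs are forwarded), while HostName is taken from the syslog header
// of the originating host. The source-device fields are therefore derived from HostName
// so forwarded events are not attributed to the collector itself (assumes the collector
// preserves the original hostname header — verify against a sample row).
let SyslogAuthenticationSuccess = Syslog
| where SyslogMessage contains 'accepted password'
| parse SyslogMessage with Activity: string ' for ' TargetUserName ' from ' IpAddress ' port ' IpPort ' ' Protocol
| extend
EventVendor = 'Linux',
EventProduct = 'Syslog',
EventCount = int(1),
EventSchemaVersion = '0.1.0',
// Every row matched above is an accepted logon, so the result is a constant.
EventResult = 'Success',
EventStartTime = TimeGenerated,
EventEndTime = TimeGenerated,
EventType = 'Logon',
// HostName rather than Computer: Computer is the reporting/collector device.
SrcDvcId = tostring(HostName),
SrcDvcHostname = tostring(HostName),
// SourceSystem is the agent's platform; the computer name was never an OS value.
SrcDvcOs = tostring(SourceSystem)
| project-rename EventOriginalUid = ProcessID, LogonMethod = ProcessName
| project-reorder
TimeGenerated,
EventProduct,
EventOriginalUid,
EventResult,
EventStartTime,
EventEndTime,
LogonMethod,
SrcDvcId,
SrcDvcHostname,
SrcDvcOs;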
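// Failed password logons for existing accounts:
// "Failed password for <user> from <ip> port <port> <proto>".
// Rows whose user part reads "invalid user ..." are excluded at the end and handled
// by the dedicated invalid-user parser.
let SyslogAuthenticationFailed = Syslog
| where Facility has 'authpriv'
and SeverityLevel has 'info'
and SyslogMessage contains 'Failed password for'
// Column names kept identical to the other parsers (IpAddress, not IPAddress) so the
// union below lines the columns up instead of producing two differently-cased ones.
| parse SyslogMessage with Activity: string ' for ' TargetUserName ' from ' IpAddress ' port ' IpPort ' ' Protocol
| extend
EventVendor = 'Linux',
EventProduct = 'Syslog',
EventCount = int(1),
EventSchemaVersion = '0.1.0',
// A "Failed password" line is always a failure. The previous `iff(Facility == 0, ...)`
// compared the string Facility column with an int and, had it evaluated, would have
// labelled kern-facility rows as successes — hiding brute-force attempts.
EventResult = 'Failure',
// Raw detail: facility, falling back to severity when facility is empty.
EventOriginalResultDetails = coalesce(Facility, SeverityLevel),
EventStartTime = TimeGenerated,
EventEndTime = TimeGenerated,
EventType = 'Logon',
// HostName is the originating host from the syslog header; Computer is the
// reporting device (the collector when logs are forwarded).
SrcDvcId = tostring(HostName),
SrcDvcHostname = tostring(HostName),
SrcDvcOs = tostring(SourceSystem),
EventOriginalUid = tostring(ProcessID)
| project-rename LogonMethod = ProcessName
| project-reorder
TimeGenerated,
EventProduct,
EventOriginalUid,
EventResult,
EventOriginalResultDetails,
EventStartTime,
EventEndTime,
LogonMethod,
SrcDvcId,
SrcDvcHostname,
SrcDvcOs
| where TargetUserName !contains 'invalid user';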
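// Failed password logons for non-existent accounts:
// "Failed password for invalid user <user> from <ip> port <port> <proto>".
// The parse step captures "invalid user <user>" as TargetUserName; the third
// whitespace-separated token is the attempted account name.
let SyslogAuthenticationFailedwithInvalidUser = Syslog
| where SyslogMessage contains 'failed password' and SeverityLevel == 'info'
| parse SyslogMessage with Activity: string ' for ' TargetUserName ' from ' IpAddress ' port ' IpPort ' ' Protocol
| where TargetUserName contains 'invalid user'
// Single extend instead of a tmp_ column so no scratch field leaks into the output.
| extend TargetUserName = tostring(split(TargetUserName, ' ')[2])
| extend
EventVendor = 'Linux',
EventProduct = 'Syslog',
EventCount = int(1),
EventSchemaVersion = '0.1.0',
// Always a failure; the previous `iff(Facility == 0, ...)` compared a string
// column with an int and could never mean "success" for a failed-password line.
EventResult = 'Failure',
EventStartTime = TimeGenerated,
EventEndTime = TimeGenerated,
EventType = 'Logon',
// HostName is the originating host from the syslog header; Computer is the
// reporting device (the collector when logs are forwarded).
SrcDvcId = tostring(HostName),
SrcDvcHostname = tostring(HostName),
// SourceSystem is the agent's platform; the computer name was never an OS value.
SrcDvcOs = tostring(SourceSystem)
| project-rename EventOriginalUid = ProcessID, LogonMethod = ProcessName
| project-reorder
TimeGenerated,
EventProduct,
EventOriginalUid,
EventResult,
EventStartTime,
EventEndTime,
LogonMethod,
SrcDvcId,
SrcDvcHostname,
SrcDvcOs;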
// Combined authentication view: the three partial parsers above emit overlapping
// ASim-style column sets, so the default outer union (missing columns become null)
// merges them into one result.
union kind=outer
SyslogAuthenticationFailed,
SyslogAuthenticationSuccess,
SyslogAuthenticationFailedwithInvalidUser