Jan 11 2023 03:51 AM
We have a scenario where we have a syslog collector receiving a number of syslog messages from different sources. When these are ingested into Sentinel the hostname/computer is being set to the collector rather than the original source of the syslog. What could be causing this? Any help would be much appreciated.
Jan 11 2023 06:40 AM
@tipper1510
This example parser may help, or at least start you on the right path (assuming the source computer is present in your syslog messages — you may only have its IP address, which can depend on the facility or source you are using).
Developing ASim Syslog Authentication Parser for Microsoft Sentinel | Towards Dev
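// Successful password logons taken from the Syslog table.
// Note on attribution: HostName carries the name the originating host put in
// the syslog header, whereas Computer is the machine that wrote the record to
// the workspace - for forwarded messages that is the collector, not the source.
let SyslogAuthenticationSuccess = Syslog
| where SyslogMessage contains 'accepted password'
// Assumed message shape: '<Activity> for <user> from <ip> port <port> <protocol>'
| parse SyslogMessage with Activity: string ' for ' TargetUserName ' from ' IpAddress ' port ' IpPort ' ' Protocol
| extend
    EventVendor = 'Linux',
    EventProduct = 'Syslog',
    EventCount = int(1),
    EventSchemaVersion = '0.1.0',
    EventResult = 'Success',
    EventStartTime = TimeGenerated,
    EventEndTime = TimeGenerated,
    EventType = 'Logon',
    // Cast instead of renaming: ProcessID is numeric in the Syslog table, and
    // a union of a numeric EventOriginalUid with the string one produced by
    // the failed-logon branch would yield two typed columns instead of one.
    EventOriginalUid = tostring(ProcessID),
    SrcDvcId = tostring(Computer),
    SrcDvcHostname = tostring(HostName),
    // NOTE(review): Computer holds a host name, not an OS - confirm what SrcDvcOs should carry.
    SrcDvcOs = tostring(Computer)
| project-rename LogonMethod = ProcessName
| project-reorder
    TimeGenerated,
    EventProduct,
    EventOriginalUid,
    EventResult,
    EventStartTime,
    EventEndTime,
    LogonMethod,
    SrcDvcId,
    SrcDvcHostname,
    SrcDvcOs;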
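// Failed password logons for known users (the 'invalid user' variants are
// handled by a separate branch).
let SyslogAuthenticationFailed = Syslog
| where Facility has 'authpriv'
    and SeverityLevel has 'info'
    and SyslogMessage contains 'Failed password for'
// Column is named IpAddress to match the other branches; a different spelling
// here would surface as a second, mostly empty IP column after the union.
| parse SyslogMessage with Activity: string ' for ' TargetUserName ' from ' IpAddress ' port ' IpPort ' ' Protocol
| extend
    EventVendor = 'Linux',
    EventProduct = 'Syslog',
    EventCount = int(1),
    EventSchemaVersion = '0.1.0',
    // Facility is a string column (matched with `has` above), so comparing it
    // with 0 cannot detect a success; every row here already matched a
    // 'Failed password' message, so the result is a constant.
    EventResult = 'Failure',
    EventOriginalResultDetails = coalesce(Facility, SeverityLevel),
    EventStartTime = TimeGenerated,
    EventEndTime = TimeGenerated,
    EventType = 'Logon',
    // Computer is the machine that wrote the record (the collector for
    // forwarded messages); HostName is the name from the syslog header.
    SrcDvcId = tostring(Computer),
    SrcDvcHostname = tostring(HostName),
    // NOTE(review): SourceSystem is not an OS name - confirm what SrcDvcOs should carry.
    SrcDvcOs = tostring(SourceSystem),
    // ProcessID is numeric in the Syslog table; cast so the union-wide
    // EventOriginalUid has a single type.
    EventOriginalUid = tostring(ProcessID)
| project-rename LogonMethod = ProcessName
| project-reorder
    TimeGenerated,
    EventProduct,
    EventOriginalUid,
    EventResult,
    EventOriginalResultDetails,
    EventStartTime,
    EventEndTime,
    LogonMethod,
    SrcDvcId,
    SrcDvcHostname,
    SrcDvcOs
| where TargetUserName !contains 'invalid user';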
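// Failed password logons for user names the host does not know
// ('Failed password for invalid user <name> from ...').
let SyslogAuthenticationFailedwithInvalidUser = Syslog
| where SyslogMessage contains 'failed password' and SeverityLevel == 'info'
| parse SyslogMessage with Activity: string ' for ' TargetUserName ' from ' IpAddress ' port ' IpPort ' ' Protocol
| where TargetUserName contains 'invalid user'
// TargetUserName is 'invalid user <name>' at this point; keep only <name>.
// tmp_Username is a scratch column and is left in the output as before.
| extend tmp_Username = split(TargetUserName, ' ')
| extend TargetUserName = tostring(tmp_Username[2])
| extend
    EventVendor = 'Linux',
    EventProduct = 'Syslog',
    EventCount = int(1),
    EventSchemaVersion = '0.1.0',
    // Facility is a string column, so `Facility == 0` cannot detect a success;
    // every row here already matched a 'failed password' message.
    EventResult = 'Failure',
    EventStartTime = TimeGenerated,
    EventEndTime = TimeGenerated,
    EventType = 'Logon',
    // Cast instead of renaming so EventOriginalUid has one type across the
    // union (ProcessID is numeric in the Syslog table).
    EventOriginalUid = tostring(ProcessID),
    // Computer is the machine that wrote the record (the collector for
    // forwarded messages); HostName is the name from the syslog header.
    SrcDvcId = tostring(Computer),
    SrcDvcHostname = tostring(HostName),
    // NOTE(review): Computer holds a host name, not an OS - confirm what SrcDvcOs should carry.
    SrcDvcOs = tostring(Computer)
| project-rename LogonMethod = ProcessName
| project-reorder
    TimeGenerated,
    EventProduct,
    EventOriginalUid,
    EventResult,
    EventStartTime,
    EventEndTime,
    LogonMethod,
    SrcDvcId,
    SrcDvcHostname,
    SrcDvcOs;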
// Combine the three branches into one result set; union output is a set, so
// the operand order carries no meaning and follows the definition order here.
union
    SyslogAuthenticationSuccess,
    SyslogAuthenticationFailed,
    SyslogAuthenticationFailedwithInvalidUser
Jan 11 2023 10:47 AM
Hello @tipper1510,
Check the facilities. The syslog forwarder itself can ingest different logs of its own (for example, the cron, user and daemon facilities).