Syslog collector - Log sources being wrongly identified as the collector itself

Contributor

We have a scenario where we have a syslog collector receiving a number of syslog messages from different sources. When these are ingested into Sentinel the hostname/computer is being set to the collector rather than the original source of the syslog. What could be causing this? Any help would be much appreciated.

2 Replies

@tipper1510 

This example Parser may help, or start you on the right path (assuming the source Computer is in your Syslog, you may only have the IP address of it - it can depend on the facility or source you are using)

Developing ASim Syslog Authentication Parser for Microsoft Sentinel  | Towards Dev


let SyslogAuthenticationSuccess = Syslog
    | where SyslogMessage contains 'accepted password'
    | parse SyslogMessage with Activity: string ' for ' TargetUserName ' from ' IpAddress ' port ' IpPort ' ' Protocol
    | extend
        EventVendor = 'Linux',
        EventProduct = 'Syslog',
        EventCount=int(1),
        EventSchemaVersion='0.1.0',
        EventResult = 'Success',
        EventStartTime = TimeGenerated,
        EventEndTime= TimeGenerated,
        EventType= 'Logon',
        SrcDvcId=tostring(Computer),
        SrcDvcHostname =tostring(HostName),
        SrcDvcOs=tostring(Computer)
    | project-rename EventOriginalUid =ProcessID, LogonMethod  = ProcessName
    | project-reorder
        TimeGenerated,
        EventProduct,
        EventOriginalUid,
        EventResult,
        EventStartTime,
        EventEndTime,
        LogonMethod,
        SrcDvcId,
        SrcDvcHostname,
        SrcDvcOs;
let SyslogAuthenticationFailed = Syslog
    | where Facility has 'authpriv'
        and SeverityLevel has 'info'
        and SyslogMessage contains 'Failed password for'
    | parse SyslogMessage with Activity: string ' for ' TargetUserName ' from ' IPAddress ' port ' IpPort ' ' Protocol
    | extend
        EventVendor = 'Linux',
        EventProduct = 'Syslog',
        EventCount=int(1),
        EventSchemaVersion='0.1.0',
        EventResult = iff (Facility == 0, 'Success', 'Failure'),
        EventOriginalResultDetails = coalesce(Facility, SeverityLevel),
        EventStartTime = TimeGenerated,
        EventEndTime= TimeGenerated,
        EventType= 'Logon',
        SrcDvcId=tostring(Computer),
        SrcDvcHostname =tostring(HostName),
        SrcDvcOs=tostring(SourceSystem),
        EventOriginalUid=tostring(ProcessID)
    | project-rename LogonMethod  = ProcessName
    | project-reorder
        TimeGenerated,
        EventProduct,
        EventOriginalUid,
        EventResult,
        EventOriginalResultDetails,
        EventStartTime,
        EventEndTime,
        LogonMethod,
        SrcDvcId,
        SrcDvcHostname,
        SrcDvcOs
    | where TargetUserName !contains 'invalid user';
let SyslogAuthenticationFailedwithInvalidUser = Syslog
    | where SyslogMessage contains 'failed password' and SeverityLevel == 'info'
    | parse SyslogMessage with Activity: string ' for ' TargetUserName ' from ' IpAddress  ' port ' IpPort  ' ' Protocol
    | where TargetUserName contains 'invalid user'
    | extend tmp_Username = split(TargetUserName, ' ')
    | extend TargetUserName = tostring(tmp_Username[2])
    | extend
        EventVendor = 'Linux',
        EventProduct = 'Syslog',
        EventCount=int(1),
        EventSchemaVersion='0.1.0',
        EventResult = iff (Facility == 0, 'Success', 'Failure'),
        EventStartTime = TimeGenerated,
        EventEndTime= TimeGenerated,
        EventType= 'Logon',
        SrcDvcId=tostring(Computer),
        SrcDvcHostname =tostring(HostName),
        SrcDvcOs=tostring(Computer)
    | project-rename EventOriginalUid =ProcessID, LogonMethod  = ProcessName
    | project-reorder
        TimeGenerated,
        EventProduct,
        EventOriginalUid,
        EventResult,
        EventStartTime,
        EventEndTime,
        LogonMethod,
        SrcDvcId,
        SrcDvcHostname,
        SrcDvcOs;
union
    SyslogAuthenticationFailed,
    SyslogAuthenticationSuccess,
    SyslogAuthenticationFailedwithInvalidUser

 

 

Hello @tipper1510,

 

Check facilities. The Syslog forwarder itself can ingest different logs (for example, cron, user and daemon facilities).