Sending Cisco Syslogs to Elasticsearch: A simple guide

Posted by on Oct 31, 2017 in Log Auditing, NetEye, Syslog | 0 comments

Do you use Cisco’s network infrastructure? Would you like to view its logs through the syslog protocol in an Elasticsearch database? Find out below about the filters and templates needed for the Logstash setup.

As you probably already know, you need a Logstash instance in order to get indexed data into the Elasticsearch database. Cisco is a well-known network device provider, so it is crucial to have a workable solution to index the logs that can be retrieved from these devices.


How to send logs from servers in the cloud to NetEye?

Posted by on Jun 6, 2017 in Log Auditing, NetEye, Syslog | 0 comments


Keeping an offline copy of your logs not only provides better visibility from the system management point of view, but also turns out to be extremely valuable in case of a security incident during which your local copies have been affected.

As many of you might know, the Log Management module of NetEye offers a complete solution for managing logs, in line with the obligations set by the data protection authority. Moreover, it provides a handy way to centrally manage logs from various sources (see also on our blog: “What to do with all those logs?” and “NetEye Log Management on the official Elastic blog”).


Architecture of the Log Management module:

  • Log auditing and data collection system, based on rsyslog
  • Agent (Safed) for sending logs over the syslog protocol (RFC 3164; configured by default to send over TCP on port 514 to guarantee that the sent logs are received correctly)

It is crucial that communication between the Safed agents and NetEye on TCP port 514 is always guaranteed.

During one of my latest customer projects, I was asked to implement a possibility for collecting logs from remote systems in the cloud. The main challenge was that accessing the systems was possible just via SSH.

Now I will show you how I resolved this problem by using a reverse SSH tunnel and a Safed agent on a Linux/Unix machine.


NetEye 3.6 and RUE 1.9 Have Been Released!

Posted by on Dec 15, 2015 in Asset Management, Development, Log Auditing, NetEye, Real User Experience Monitoring, Syslog | 0 comments


Effective log auditing, meaningful reports and better integration of the single modules

The new version NetEye 3.6 provides some substantial improvements, both to respond to specific customer needs and to satisfy the continuously growing requirements of the complex world of IT monitoring.

Major investments were made in the fields of reporting and SLA measurement. Thanks to a unified data structure, merging decentrally collected data into a single reporting database is now possible.

Get an overview about the latest developments:


Trace Windows Administrators Login Activities with Safed

Posted by on Dec 3, 2015 in Log Auditing, NetEye, Syslog | 0 comments

Sometimes it is required to trace the login/logoff activities of administrators, either to be compliant with legal guidelines or simply for security reasons (see also our article “What to do with all those logs”). The Safed agent for Windows can be easily configured to collect administrator logins and logoffs. The agent is deployed with some administrator discovery commands, which it can execute to obtain the list of domain administrators and then create a filtering objective. All events concerning administrator logins and logoffs are captured, formatted and then sent to the log server.


Rsyslog open FileHandler control with SyslogView 2.1.8

Posted by on Jan 8, 2015 in NetEye, NetEye Updates, Syslog | 0 comments

To keep the number of open TCP connections of the Log Auditing server under control, SyslogView version 2.1.8 adds a check to the daily archiving script that verifies the number of currently open connections.

This issue can occur in particular situations, where Safed or other audit agents send across a routing device from another network. If those connections are not closed properly, the number of pending connections grows until it reaches a limit of the server. This issue should therefore be considered in such setups, and it appears only in very specific situations.

The new version now contains a check of the number of open file handles. If the suggested limit of 1024 unclosed connections is exceeded, a HUP operation on the rsyslog service makes sure that unneeded pending connections are closed. An additional parameter ( -F ) in check_neteye_logManager.sh verifies this condition. This parameter is activated automatically in SyslogView’s cron job, and alerts are raised automatically in your NetEye monitoring environment.

An additional template of the rsyslog.conf configuration file is stored in the includes folder of the SyslogView installation folder (/var/lib/neteye/syslogview/).
