This document explains the checks to run for a syslog log source. Applying the control steps in this document will help you identify the logging problem you are experiencing, or support your testing process.
Click Settings -> Integrations -> Data Collection to open the source list. Click the Search button to the right of the source you want to check.
In the debugging section, the log capturing scenarios are checked by opening an SSH connection to the Logsign syslog IP and then sniffing the traffic with ngrep.
Determine the IP address to use for SSH based on the Logsign model you are using:
- If your Logsign deployment is a cluster, open an SSH connection to the syslog IP.
- If your Logsign deployment is a single (standalone) node, open an SSH connection to the Logsign IP, since there is only one IP address.
Open an SSH connection to Logsign and obtain root privileges.
1- Apply the following steps to confirm that logs are arriving at Logsign.
A. Run the command below to sniff the log traffic coming from the log source.
After determining the IP address of the log source (10.10.11.35 in this example), run the following command.
Bash$: ngrep -W byline port 514 and host 10.10.11.35
Keep this window open for a while: the raw form of each log arriving in the log source's traffic is displayed on this screen.
B. Once you see the sniffed traffic, wait approximately 1 minute and then check the logs of the integration you added as a source from the user interface.
Query : EventSource.IP:"10.10.11.35"
C. If you completed item B successfully, you can proceed to this item. If you cannot see the logs in the user interface, follow the steps below.
If you cannot see the logs in the user interface, check the time of the source by looking at the timestamp in the sniffed log.
If the time information in the marked area differs from the current time, update the time on the source that sends the logs. Logs whose time is behind or ahead of the collector's time are more complicated to analyze. Analyze sources with incorrect time information based on Time.Received.
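The clock check in item C can be performed on the captured line itself. The following script is an added example and is not part of Logsign's documentation or product: it parses constructed syslog payloads in the two common timestamp formats (RFC 3164 and RFC 5424), computes the skew against the collector's clock and flags sources whose time should be corrected. The sample lines, the constructed collector time, the 300-second tolerance and the UTC assumption for RFC 3164 timestamps are the example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample payloads in the shape "ngrep -W byline port 514" prints them;
# they are not captured from a real device.
SAMPLE_RFC3164 = "<134>Mar  7 09:15:02 fw01 kernel: constructed sample message"
SAMPLE_RFC5424 = "<165>1 2024-03-07T09:15:02.123+03:00 fw01 app - - - constructed sample"
SAMPLE_NO_TIME = "<13>1 - fw01 app - - - sender put NILVALUE in the timestamp field"
# Constructed collector clock (assumption) used so the results are reproducible.
COLLECTOR_NOW = datetime(2024, 3, 7, 9, 20, 0, tzinfo=timezone.utc)

RFC3164_RE = re.compile(
    r"^<\d{1,3}>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) \S+ ")
RFC5424_RE = re.compile(r"^<\d{1,3}>1 (?P<ts>\S+) \S+ ")


def parse_syslog_time(line, now):
    """Return the timestamp carried in a syslog line as an aware datetime, or None.
    RFC 3164 timestamps have no year and no zone: the collector's year and UTC are
    assumed (assumption: the source writes UTC or shares the collector's zone)."""
    m = RFC5424_RE.match(line)
    if m:
        ts = m.group("ts")
        if ts == "-":                      # NILVALUE: sender supplied no time
            return None
        if ts.endswith("Z"):               # fromisoformat() accepts 'Z' only from 3.11
            ts = ts[:-1] + "+00:00"
        return datetime.fromisoformat(ts)
    m = RFC3164_RE.match(line)
    if m:
        # Prepend the year so 'Feb 29' parses in leap years instead of failing on 1900.
        dt = datetime.strptime(f"{now.year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        return dt.replace(tzinfo=timezone.utc)
    return None


def clock_skew_seconds(line, now):
    """Source time minus collector time in seconds (positive = source is ahead)."""
    ts = parse_syslog_time(line, now)
    return None if ts is None else (ts - now).total_seconds()


def check_source_clock(line, now=None, tolerance=300):
    """Classify a captured line: 'ok', 'skewed' (beyond tolerance) or 'no-timestamp'."""
    now = now or datetime.now(timezone.utc)
    skew = clock_skew_seconds(line, now)
    if skew is None:
        return "no-timestamp"
    return "ok" if abs(skew) <= tolerance else "skewed"


if __name__ == "__main__":
    for sample in (SAMPLE_RFC3164, SAMPLE_RFC5424, SAMPLE_NO_TIME):
        print(check_source_clock(sample, COLLECTOR_NOW), clock_skew_seconds(sample, COLLECTOR_NOW))
```

On a live system, pipe the payload lines from the ngrep window into check_source_clock() with the default clock; a "skewed" result points at the source whose time needs correcting before its logs are analyzed by Time.Received.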
2- If logs are not arriving at Logsign, check the following:
A- Firewall Permissions
Log source -> Logsign SIEM Syslog IP -> UDP port 514 must be allowed.
If a Logsign firewall integration is in place, you can check the firewall logs from the Logsign user interface with the query 'Source.IP:10.10.11.35 Destination.Port:514 Destination.IP:10.10.11.40'. If you see Deny or Drop traffic, you need to define the firewall rule.
If you receive firewall logs but cannot see the traffic logs of the log source (10.10.11.35), check steps B and C.
B- The network path that carries traffic between the log source and Logsign must have the necessary configuration on the VLANs, routes, and security products you use.
C- Review the configuration applied on the log source. The ngrep command applied in Step 1 listens for the logs arriving at Logsign. If no log output appears in the ngrep capture, the problem is not with Logsign but with the source or with the network and network devices between them, so the checks should be carried out there.