How to Configure and Use SafeLine's Syslog for Real-Time Attack Logging

lulu_liu_c90f973e2f954d7f

Lulu

Posted on September 13, 2024

How to Configure and Use SafeLine's Syslog for Real-Time Attack Logging

To configure Syslog with SafeLine and ensure real-time synchronization of attack logs to a third-party server, follow the instructions below:

Syslog Configuration for SafeLine

1.Enable Syslog Forwarding:

Go to the System page in SafeLine, and configure the Syslog settings by providing the necessary details. Syslog forwarding uses the UDP protocol and follows the RFC-5424 standard for log formatting.

Image description

2.Test Syslog Configuration:

After configuring Syslog, click the Test button. If the Syslog server receives the following message, it indicates successful configuration:

   <30>1 2024-03-20T20:02:38+08:00 55ae65e87e75 /matio/mario 1 safeline_event - Connectivity test requested.
Enter fullscreen mode Exit fullscreen mode

Syslog Event Format in SafeLine

SafeLine logs sent via Syslog are formatted in JSON and contain detailed information about each request, including attack events. Below is an example of the SafeLine Syslog event format:

{
  "scheme": "http",
  "src_ip": "12.123.123.123",
  "src_port": 53008,
  "socket_ip": "10.2.71.103",
  "upstream_addr": "10.2.34.20",
  "req_start_time": 1712819316749,
  "rsp_start_time": null,
  "req_end_time": 1712819316749,
  "rsp_end_time": null,
  "host": "safeline-ce.chaitin.net",
  "method": "GET",
  "query_string": "",
  "event_id": "32be0ce3ba6c44be9ed7e1235f9eebab",
  "session": "",
  "site_uuid": "35",
  "site_url": "http://safeline-ce.chaitin.net:8083",
  "req_detector_name": "1276d0f467e4",
  "req_detect_time": 286,
  "req_proxy_name": "16912fe30d8f",
  "req_rule_id": "m_rule/9bf31c7ff062936a96d3c8bd1f8f2ff3",
  "req_location": "urlpath",
  "req_payload": "",
  "req_decode_path": "",
  "req_rule_module": "m_rule",
  "req_http_body_is_truncate": 0,
  "rsp_http_body_is_truncate": 0,
  "req_skynet_rule_id_list": [65595, 65595],
  "http_body_is_abandoned": 0,
  "country": "US",
  "province": "",
  "city": "",
  "timestamp": 1712819316,
  "payload": "",
  "location": "urlpath",
  "rule_id": "m_rule/9bf31c7ff062936a96d3c8bd1f8f2ff3",
  "decode_path": "",
  "cookie": "sl-session=Z0WLa8mjGGZPki+QHX+HNQ==",
  "user_agent": "PostmanRuntime/7.28.4",
  "referer": "",
  "timestamp_human": "2024-04-11 15:08:36",
  "resp_reason_phrase": "",
  "module": "m_rule",
  "reason": "",
  "proxy_name": "16912fe30d8f",
  "node": "1276d0f467e4",
  "dest_port": 8083,
  "dest_ip": "10.2.34.20",
  "urlpath": "/webshell.php",
  "protocol": "http",
  "attack_type": "backdoor",
  "risk_level": "high",
  "action": "deny",
  "req_header_raw": "GET /webshell.php HTTP/1.1\r\nHost: safeline-ce.chaitin.net:8083\r\nUser-Agent: PostmanRuntime/7.28.4\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate, br\r\nCache-Control: no-cache\r\nCookie: sl-session=Z0WLa8mjGGZPki+QHX+HNQ==\r\nPostman-Token: 8e67bec1-6e79-458c-8ee5-0498f3f724db\r\nX-Real-Ip: 12.123.123.123\r\nSL-CE-SUID: 35\r\n\r\n",
  "body": "",
  "req_block_reason": "web",
  "req_attack_type": "backdoor",
  "req_risk_level": "high",
  "req_action": "deny"
}
Enter fullscreen mode Exit fullscreen mode

This format includes critical details like the source IP, request method, target URL, detected attack type, risk level, and actions taken by SafeLine.

By setting up Syslog forwarding in SafeLine, administrators can seamlessly integrate with external monitoring and security systems to analyze attack events and ensure enhanced security management.

GitHub:https://github.com/chaitin/SafeLine
Website:https://waf.chaitin.com

💖 💪 🙅 🚩
lulu_liu_c90f973e2f954d7f
Lulu

Posted on September 13, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related