How to Configure and Use SafeLine's Syslog for Real-Time Attack Logging
Lulu
Posted on September 13, 2024
To configure Syslog with SafeLine and ensure real-time synchronization of attack logs to a third-party server, follow the instructions below:
Syslog Configuration for SafeLine
1. Enable Syslog Forwarding:
Go to the System page in SafeLine and fill in the Syslog settings (collector address and port). Forwarding uses plain UDP and formats each message according to RFC 5424. Because UDP syslog carries no delivery guarantee, encryption or sender authentication, keep the collector on a network segment the WAF reaches directly, expect occasional loss under load, and size the receiver's buffer for the largest event: every attack event is sent as a single datagram and includes the full raw request headers.
2. Test Syslog Configuration:
After saving the settings, click the Test button. The configuration is working if the Syslog server receives a message like the following:
<30>1 2024-03-20T20:02:38+08:00 55ae65e87e75 /matio/mario 1 safeline_event - Connectivity test requested.
Reading it as RFC 5424: the priority <30> is facility 3 (daemon) times 8 plus severity 6 (informational), 1 is the protocol version, then come the timestamp, the hostname (55ae65e87e75 here), the app-name, the process ID, the message ID safeline_event, a "-" meaning no structured data, and finally the free-text message.
Syslog Event Format in SafeLine
SafeLine logs sent via Syslog are formatted in JSON and contain detailed information about each request, including attack events. Below is an example of the SafeLine Syslog event format:
{
"scheme": "http",
"src_ip": "12.123.123.123",
"src_port": 53008,
"socket_ip": "10.2.71.103",
"upstream_addr": "10.2.34.20",
"req_start_time": 1712819316749,
"rsp_start_time": null,
"req_end_time": 1712819316749,
"rsp_end_time": null,
"host": "safeline-ce.chaitin.net",
"method": "GET",
"query_string": "",
"event_id": "32be0ce3ba6c44be9ed7e1235f9eebab",
"session": "",
"site_uuid": "35",
"site_url": "http://safeline-ce.chaitin.net:8083",
"req_detector_name": "1276d0f467e4",
"req_detect_time": 286,
"req_proxy_name": "16912fe30d8f",
"req_rule_id": "m_rule/9bf31c7ff062936a96d3c8bd1f8f2ff3",
"req_location": "urlpath",
"req_payload": "",
"req_decode_path": "",
"req_rule_module": "m_rule",
"req_http_body_is_truncate": 0,
"rsp_http_body_is_truncate": 0,
"req_skynet_rule_id_list": [65595, 65595],
"http_body_is_abandoned": 0,
"country": "US",
"province": "",
"city": "",
"timestamp": 1712819316,
"payload": "",
"location": "urlpath",
"rule_id": "m_rule/9bf31c7ff062936a96d3c8bd1f8f2ff3",
"decode_path": "",
"cookie": "sl-session=Z0WLa8mjGGZPki+QHX+HNQ==",
"user_agent": "PostmanRuntime/7.28.4",
"referer": "",
"timestamp_human": "2024-04-11 15:08:36",
"resp_reason_phrase": "",
"module": "m_rule",
"reason": "",
"proxy_name": "16912fe30d8f",
"node": "1276d0f467e4",
"dest_port": 8083,
"dest_ip": "10.2.34.20",
"urlpath": "/webshell.php",
"protocol": "http",
"attack_type": "backdoor",
"risk_level": "high",
"action": "deny",
"req_header_raw": "GET /webshell.php HTTP/1.1\r\nHost: safeline-ce.chaitin.net:8083\r\nUser-Agent: PostmanRuntime/7.28.4\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate, br\r\nCache-Control: no-cache\r\nCookie: sl-session=Z0WLa8mjGGZPki+QHX+HNQ==\r\nPostman-Token: 8e67bec1-6e79-458c-8ee5-0498f3f724db\r\nX-Real-Ip: 12.123.123.123\r\nSL-CE-SUID: 35\r\n\r\n",
"body": "",
"req_block_reason": "web",
"req_attack_type": "backdoor",
"req_risk_level": "high",
"req_action": "deny"
}
Every event carries the source IP and port, the request method, host and URL path, the raw request headers, the matching rule ID and module, the detected attack type and risk level, and the action SafeLine took. Several fields appear twice, once with a req_ prefix (for example req_rule_id and rule_id, req_action and action); timestamp is in epoch seconds, while req_start_time and req_end_time are in epoch milliseconds.
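The following receiver ties the two halves of this page together: it decodes the RFC 5424 envelope that the connectivity test demonstrates, then unpacks the JSON attack event from the message body. It is an added example, not code from SafeLine or its authors, and it assumes that an attack event is delivered as the MSG part of a datagram with the same header shape as the test message above; the page does not show the real header of an event. The sample lines are constructed: the first is the page's test message, the second is a shortened copy of the page's event, and the third is that event cut off mid-body, which is what an oversized or truncated datagram looks like at the collector.

```python
"""Decode SafeLine syslog events: an added example, not SafeLine's own code.
Assumes each attack event arrives as the MSG part of an RFC 5424 datagram with the
same header shape as the page's connectivity-test message (an assumption; the page
does not show an event's real header)."""
import json
import re
import socket
from typing import Optional

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then STRUCTURED-DATA [MSG]
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.DOTALL)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def _split_structured_data(rest: str) -> tuple[str, str]:
    """Split STRUCTURED-DATA ('-' or one or more [..] elements) from the MSG part."""
    if rest == "-":
        return "-", ""
    if rest.startswith("- "):
        return "-", rest[2:]
    if not rest.startswith("["):
        raise ValueError("malformed STRUCTURED-DATA")
    i = 0
    while i < len(rest) and rest[i] == "[":
        i += 1
        while i < len(rest):  # scan to the closing ']', honouring '\]' escapes
            if rest[i] == "\\":
                i += 2
                continue
            i += 1
            if rest[i - 1] == "]":
                break
    return rest[:i], (rest[i + 1:] if rest[i:i + 1] == " " else "")

def parse_rfc5424(line: str) -> dict:
    """Decode the RFC 5424 header and split off MSG; raises ValueError otherwise."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m or int(m["pri"]) > 191:
        raise ValueError(f"not an RFC 5424 message: {line[:40]!r}")
    pri, (sd, msg) = int(m["pri"]), _split_structured_data(m["rest"])
    return {"facility": pri // 8, "severity": SEVERITIES[pri % 8],
            "version": int(m["version"]), "timestamp": m["timestamp"],
            "hostname": m["hostname"], "appname": m["appname"], "procid": m["procid"],
            "msgid": m["msgid"], "structured_data": sd, "msg": msg}

def parse_safeline_event(line: str) -> Optional[dict]:
    """Return the JSON attack event carried in MSG, or None for a plain-text message."""
    hdr = parse_rfc5424(line)
    body = hdr["msg"].lstrip("\ufeff")  # RFC 5424 permits a UTF-8 BOM before MSG
    if not body.startswith("{"):
        return None
    event = json.loads(body)  # raises ValueError if the datagram was cut off mid-body
    event["_syslog"] = hdr
    return event

def summarize(event: dict) -> tuple:
    """The fields an analyst triages first: who, what, verdict, which rule."""
    return (event["src_ip"], event["method"], event["urlpath"], event["attack_type"],
            event["risk_level"], event["action"], event["rule_id"])

def decode_lines(lines):
    """Decode a batch; returns (attack events, plain-text messages, undecodable count)."""
    events, notices, skipped = [], [], 0
    for line in lines:
        try:
            event = parse_safeline_event(line)
        except ValueError:
            skipped += 1  # truncated JSON or not RFC 5424: count it, never drop silently
            continue
        if event is None:
            notices.append(parse_rfc5424(line)["msg"])
        else:
            events.append(event)
    return events, notices, skipped

def run_receiver(host: str = "0.0.0.0", port: int = 514) -> None:
    """Bind a UDP socket and decode datagrams forever (network side; not run offline)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    while True:  # one datagram is one syslog message; 65535 is the UDP payload maximum
        data, (peer, _) = sock.recvfrom(65535)
        events, notices, skipped = decode_lines([data.decode("utf-8", "replace")])
        print(peer, [summarize(e) for e in events], notices, "undecodable:", skipped)

# Constructed sample input. Line 1 is the page's connectivity-test message; lines 2 and
# 3 are made up: a shortened copy of the page's attack event, then the same event cut
# off mid-body, which is what a datagram larger than the receiver's buffer looks like.
_HDR = "<30>1 2024-04-11T15:08:36+08:00 55ae65e87e75 /matio/mario 1 safeline_event - "
SAMPLE_LINES = [
    "<30>1 2024-03-20T20:02:38+08:00 55ae65e87e75 /matio/mario 1 safeline_event - "
    "Connectivity test requested.",
    _HDR + json.dumps({"src_ip": "12.123.123.123", "method": "GET", "urlpath": "/webshell.php",
                       "event_id": "32be0ce3ba6c44be9ed7e1235f9eebab", "attack_type": "backdoor",
                       "risk_level": "high", "action": "deny", "timestamp": 1712819316,
                       "rule_id": "m_rule/9bf31c7ff062936a96d3c8bd1f8f2ff3"}),
    _HDR + '{"src_ip": "12.123.123.123", "method": "GET", "urlpath": "/web',
]
```

Running decode_lines(SAMPLE_LINES) yields one decoded attack event, the plain-text "Connectivity test requested." notice, and one undecodable line; the truncated datagram is counted rather than silently dropped, because a rising undecodable count is the signal that events are exceeding the datagram size or the collector's receive buffer. To use it live, call run_receiver() on the address and port you entered in SafeLine's Syslog settings (port 514 is an assumed default; binding it needs root or a capability).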
With Syslog forwarding enabled, administrators can feed these events into an external SIEM or monitoring system and analyse attacks against all protected sites from one place.
GitHub:https://github.com/chaitin/SafeLine
Website:https://waf.chaitin.com