IT operations and maintenance: applying SIEM on the Honghu data platform

Introduction

SIEM (Security Information and Event Management) is a security solution that provides real-time monitoring and analysis of events, and tracks and records security data for compliance or audit purposes.

Most SIEMs provide a core set of functions: log management, event correlation and analysis, event monitoring, and security alerting.

  • Log management: collect event data from across the enterprise, including network devices, applications, assets, cloud environments and more

  • Event correlation and analysis: correlation uses advanced analytics to identify and understand complex patterns in the data

  • Event monitoring and security alerting: monitor security events across the enterprise, apply correlation rules to build charts and track security events, and trigger alarms so that action can be taken before a problem becomes more serious

Honghu-based SIEM

In practice, the security, ease of use and scalability of the SIEM matter most, so the following aspects were considered:

  • Must be domestically developed, with full independent intellectual property rights, secure and controllable

  • Provides a variety of data import methods

  • Supports a wide range of log formats

  • Analyzes data in real time, so that little time is spent on ETL

  • Stores structured and semi-structured data efficiently, automatically recognizes and parses timestamps, partitions data by time, and builds inverted indexes on the partitions

  • Offers a powerful, fast search function, supports cross-database association of heterogeneous data, and allows interactive queries for ad-hoc exploration and analysis

  • Offers flexible, varied charts and an interactive dashboard experience

Based on these needs and a comprehensive comparison, we chose the Honghu Data Platform. It provides modules for data import, data storage and analysis, and data visualization.

Its schema-on-read modeling engine imports and stores heterogeneous data quickly, supports flexible modeling and association analysis across heterogeneous data, and allows data models and analysis parameters to be adjusted dynamically without fixing the model or the analysis process in advance. When the data source format or business schema changes, only the SQL query needs to be adjusted; the data does not have to be re-imported or re-cleaned, so changes in requirements can be handled quickly.

Deployment and implementation

This article covers an initial deployment of SIEM on the Honghu Data Platform, not a complete environment. It collects logs from a number of devices and performs preliminary security analysis, correlation analysis and chart display, for reference only.

Prerequisites

At present the following devices send data to the Honghu data platform via syslog, and Honghu stores it centrally. The main devices are:

  • Network devices: H3C switch, Sangfor firewall, Sangfor Internet access management

  • Server: Dell server

  • Storage: PowerStore storage

Honghu Vector configuration

Vector acts as the data collector: it receives the devices' syslog messages and forwards them to the Honghu platform. Configure Vector as follows:

Install Vector

picture

After installation, check the Vector version to confirm that the installation succeeded.

When `vector` is run directly after installation, the shell looks for the command under /usr/bin; if the binary is not in that directory, the command is not found. In that case, create a link for the missing command that points to the binary, and place the link in /usr/bin.

picture

Log in to the Honghu platform and go to Data Management > New Dataset

picture

picture

Edit the data source name, set the dataset scope to the "switch" dataset created above, and enable it

picture

Create the syslog.toml script. The following fields need to be adjusted:

  • address = "0.0.0.0:514": the address Vector listens on; 0.0.0.0 accepts syslog from all hosts, and 514 is the receiving port (the syslog default)

  • ._target_table = "switch": the name of the dataset created above

  • mode = "udp": the transport on which syslog is received (syslog defaults to UDP)

  • address = "172.20.6.111:9092": the Honghu platform's IP address and port, to which Vector forwards the data

picture

Run the modified syslog script and keep it running. The Vector configuration is now complete.
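Before configuring every device, it helps to confirm that the listener on 0.0.0.0:514 actually receives something. The script below is an added example (not code from the original post or from the Vector project): it builds a constructed RFC 3164 message and sends it over UDP. The facility/severity pair local5 + informational gives the PRI value `<174>`, the same combination the H3C output rule later in this article produces, so the test line should appear in the "switch" dataset looking like a real switch message. 172.20.6.111 is the collector address used in this article; the hostname, tag and message text are constructed.

```python
"""Send a constructed RFC 3164 syslog message over UDP to verify that the
Vector syslog listener is reachable (added example; not code from the
original post or from the Vector project)."""
import socket
import time

# Facility and severity codes from RFC 3164 (only the ones used here).
FACILITY = {"user": 1, "local0": 16, "local5": 21}
SEVERITY = {"err": 3, "warning": 4, "notice": 5, "info": 6, "debug": 7}


def priority(facility: str, severity: str) -> int:
    """PRI value that opens every syslog message: facility * 8 + severity."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def rfc3164_timestamp(now=None) -> str:
    """'Mmm dd hh:mm:ss' with a space-padded day, as RFC 3164 requires."""
    now = now or time.localtime()
    return f"{time.strftime('%b', now)} {now.tm_mday:2d} {time.strftime('%H:%M:%S', now)}"


def build_message(facility, severity, hostname, tag, text, timestamp=None):
    """Assemble '<PRI>TIMESTAMP HOSTNAME TAG: TEXT'."""
    ts = timestamp if timestamp is not None else rfc3164_timestamp()
    return f"<{priority(facility, severity)}>{ts} {hostname} {tag}: {text}"


def send_udp(message: str, host: str, port: int = 514) -> int:
    """Send one datagram and return the number of bytes handed to the socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (host, port))


if __name__ == "__main__":
    # 172.20.6.111 is the collector address from the article; hostname, tag
    # and text are constructed for this check.
    msg = build_message("local5", "info", "sw-core-01", "test",
                        "syslog connectivity check from the admin workstation")
    print(f"sending: {msg}")
    send_udp(msg, "172.20.6.111")
```

UDP gives no delivery confirmation, so the only meaningful check is on the Honghu side: query the "switch" dataset for the constructed text after running the script. If nothing arrives, the usual causes are a host firewall on the collector, Vector not running, or `mode`/`address` in syslog.toml not matching what was sent.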

picture

Syslog configuration

Network device syslog configuration

H3C switch syslog configuration

Logging must be enabled and directed to the Honghu platform. By default, syslog sends logs to UDP port 514.

picture

Use the host with IP address 172.20.6.111 as the log host, send messages through the loghost channel (optional; the system uses the loghost channel by default), and use local5 as the facility recorded by the log host.

picture

Note: the source address for sending logs can be specified here, but this is not required. For ease of identification, specifying it is recommended.

picture

Note: to send logs through the management port, the VPN instance must be specified, because the management port is bound to a VPN instance.

picture

Configure the output rule: allow log messages from all modules with severity informational or higher to be output to the log host.

picture

My actual configuration commands:

picture

Cisco switch syslog configuration

The configuration commands on Cisco network devices are generally as follows.

In global configuration mode (config):

picture

My actual configuration commands:

picture

Firewall syslog configuration

Syslog configuration > fill in the Honghu IP and port number > Apply

picture

Server syslog configuration

Configure the system log server: fill in the IP of the log system and leave the port number at its default.

picture

Enable alarms

picture

Set the types of alerts sent to the logging platform

picture

PowerStore syslog deployment

Log in to PowerStore, then go to Settings > Remote Logging > ADD

  • Host/IP Address: fill in the Honghu address

  • Protocol: the default is UDP (consistent with the syslog.toml above)

  • Port: the default is 514 (consistent with the syslog.toml above)

  • Audit Type: select all

picture

SEND TEST MESSAGE: send a test log message to check whether Honghu receives it

picture

Query the logs on Honghu: the test message sent by the storage has been received, and the syslog configuration is complete.

picture

Field extraction

Switches, firewalls, servers and storage devices are now connected. The log fields must be extracted next, so that they can be searched and charted later.

Firewall field extraction

sangfor_syslog: the name of the view to create.

In the script, `switch._time` (from the sixth line onward) refers to the original dataset from which the data is extracted; here that dataset is named switch. Replace it with your own dataset name.

`where contains(switch._message, 'log type')`: 'log type' is the literal string to look for in the raw message; this restricts the view to all logs that contain 'log type'.

picture

sangfor_nat_syslog: the name of the view to create.

In the script, `switch._time` (from the sixth line onward) refers to the original dataset from which the data is extracted; here that dataset is named switch. Replace it with your own dataset name.

`where contains(switch._message, 'NAT')`: 'NAT' is the literal string to look for in the raw message; this restricts the view to all logs that contain NAT.

picture

Each firewall component writes logs in a different format, so several field extractions may be needed depending on your situation. The extraction method is described in detail above; only the field extraction script is provided here for reference.

picture

Switch field extraction

switch_syslog: the name of the view to create.

In the script, `switch._time` (from the sixth line onward) refers to the original dataset from which the data is extracted; here that dataset is named switch. Replace it with your own dataset name.

picture

Server field extraction

idrac_syslog: the name of the view to create.

In the script, `switch._time` (from the sixth line onward) refers to the original dataset from which the data is extracted; here that dataset is named switch. Replace it with your own dataset name.

`where contains(switch._message, 'iDRAC')`: 'iDRAC' is the literal string to look for in the raw message; this restricts the view to all logs that contain iDRAC.

picture

PowerStore field extraction

ps_syslog: the name of the view to create.

In the script, `switch._time` (from the sixth line onward) refers to the original dataset from which the data is extracted; here that dataset is named switch. Replace it with your own dataset name.

`where contains(switch._message, 'powerstore')`: 'powerstore' is the literal string to look for in the raw message; this restricts the view to all logs that contain powerstore.

picture

Chart display

With the device logs now available, the monitoring to be achieved is as follows:

  • An overview of managed devices: which devices are managed, and the log status of each

  • The operating status of the devices, such as whether a device has raised an alarm

  • Security events, such as whether a device has been subjected to password brute-forcing or password sniffing, and whether configuration changes on the device are compliant

In practice, if all charts should follow the time range selected when viewing them (for example 1 day or 7 days), a "time item" can be created. The method is as follows:

Time selection

Creating the time selection

Edit

picture

Add input

picture

  • Input type: select Time

  • Tag name: time_range (this is the name used to reference it from charts)

  • Display label: the name shown for this time item

  • Default tag value: choose according to your own situation; I usually choose relative time and set it to 30 days

picture

After confirming, a time selection item is generated

picture

Calling the time selection

Select the chart that should use it and choose Edit Query

picture

Change the query time range to a time tag value, with the tag name time_range (the tag name entered when creating the time selection above)

picture

After saving, choose the range to view in "Time Selection" and click Apply; the chart updates according to the selected time

picture

Search statements

The search statements assume that the fields have already been extracted. If the fields are not extracted, many charts that reference extracted fields will not display.

Tip: when generating a chart, remember to change the tag name in the chart's "query time range" to time_range, so that the time selection is applied.

Final result

This article is limited to beginner-level SQL statements, so many of the analyses are basic ones provided for reference. Honghu itself has a powerful SQL search function and a variety of chart displays that you can explore on your own.

picture

picture

Source: blog.csdn.net/Yhpdata888/article/details/132194776