Overview

We are providing you with the steps to integrate your Nginx Server with the Seceon SIEM so One can have Comprehensive visibility and Proactive Threat Detection in your Environment. There will be a log transfer between your firewall to APE (Analytics and Policy Engine) via CCE (Collection and Control Engine ). In this document, we are guiding you through the steps for Log forwarding.

In NGINX, logging is done using the error_log and access_log directives.

error_log directive specifies the file where NGINX should log errors.

access_log directive specifies the file where NGINX should log information about incoming requests and responses.

For this configuration, we use UDP port 514.

Steps of Configuration

•  Login as root user on the server 

...

• cd /etc should be the first command ran on server , (to get  inside /etc directory)

...

• ls to check the list  list, ( similar list will appear)

...

• vi rsyslog.conf conf command need to be ran next  and enter.

...

• NOTE: In place of InputFileName, you need to put actual path of Nginx data store.

• After adding, configure CCE-IP at the end of file:
  *.* @CCE_IP:514

• Now save it.

• Run the command  : service rsyslog restart.(Restart rsyslog service .)

Verification Of Configuration

Verification can be done either from CCE Server or from UIGUI.

Using

...

STEP 1: Log in to UI >> SYSTEM

...

the Seceon GUI

Log in to GUI with appropriate administrative right and Navigate to System >> Logs/Flow Collection Status.

...

STEP 3: >>Inside Inside SOURCE DEVICE IP, IP will reflect.

...

Using CCE Server

“sudo tcpdump -i any host 514 and host <IP address> -AAA” command should be running on the CCE server Login into the Seceon CCE Server with Seceon user over SSH Port and run following command

sudo tcpdump -i any host 514 and host <IP address> -s0 

to check whether or not we are getting logs.