Steps to export LDAP syslog from a remote server (via SSH) to the CCE host:
Table of Contents |
---|
Overview
We are providing you with the steps to integrate your Linux LDAP with Seceon SIEM so One can have Comprehensive visibility and Proactive Threat Detection in your Environment. There will be a log transfer between your firewall to APE(Analytics and Policy Engine) via CCE (Collection and Control Engine ). In this document, we are guiding you through the steps for Log and Netflows forwarding.
Steps Of Configuration
Steps to configure syslog on remote server:
- Login at remote server
- Add rule in /etc/rsyslog.conf file to send log on host machine.
- Open /etc/rsyslog.conf file
- Go to
...
- Restart rsyslog daemon using command “service rsyslog restart”
Steps to configure syslog on the CCE host:
- Open /etc/rsyslog.conf file on host machine
- Add rule to receive syslog from remote server as:
- Go to line at # Provides UDP syslog reception and uncomment these two line as
...
- Restart rsyslog daemon using command “service rsyslog restart”
To verify logs are arriving at the CCE host:
- Run “tail-fvar/log messages” command on the CCE host
VERIFICATION OF CONFIGURATION
Verification can be done either from CCE Server or from UI.
Using UI
STEP 1: Log in to UI >> SYSTEM
STEP 2: >> LOGS AND FLOWS COLLECTION STATUS.
STEP 3: >>Inside SOURCE DEVICE IP, IP will reflect.
Using CCE SERVER
“sudo tcpdump -i any host 514 (for logs) and 9995 (for flows) and host <IP address> -AAA” command should be running on the CCE server to check whether or not we are getting logs.