Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Current »

Overview

We are providing you with the steps to integrate your Nginx Server with Seceon SIEM so One can have Comprehensive visibility and Proactive Threat Detection in your Environment. There will be a log transfer between your firewall to APE(Analytics and Policy Engine) via CCE (Collection and Control Engine ). In this document, we are guiding you through the steps for Log forwarding.

For this configuration we use UDP port 514.

Steps of Configuration

  •  Login as root user on the server 

  • cd /etc should be the first command ran on server , (to get  inside /etc directory)

  • ls to check the list  , ( similar list will appear)

  • vi rsyslog.conf  command need to be ran next  and enter.

  • Now please modify Global Directives as mentioned below:

$ModLoad imfile 

GLOBAL DIRECTIVES

$InputFileName /var/log/nginx/access.log
$InputFileTag nginx:
$InputFileStateFile state-apache-access
$InputRunFileMonitor

  • NOTE: In place of InputFileName, you need to put actual path of Nginx data store.

  • After adding, configure CCE-IP at the end of file:
    *.* @CCE_IP:514

  • Now save it.

  • Run the command  : service rsyslog restart.(Restart rsyslog service .)

Verification Of Configuration

Verification can be done either from CCE Server or from UI.

Using UI

STEP 1: Log in to UI >> SYSTEM

STEP 2: >> LOGS AND FLOWS COLLECTION STATUS.

STEP 3: >>Inside SOURCE DEVICE IP, IP will reflect.

Using CCE Server

sudo tcpdump -i any host 514 and host <IP address> -AAA” command should be running on the CCE server to check whether or not we are getting logs.

  • No labels

Seceon Inc. All rights reserved. https://www.seceon.com