AlienVault Logging Setup Part 1

One of the thing about AlienVault is that you would think from the user interface it would be a sort of system to just plug and play and everything is OK.

While it is a far cry ahead from the days of manual configuration, AV still requires a little know-how to get things up to speed, and yes, it does require a little dive into the venerable CLI, so you would need to know a little about some of the engine running under the AV hood.

Let’s start.

One of the first thing that a customer wants when he opens AV, before all the snazzy vulnerable scans and all the network IDS or host IDS comes in, even before SIEM comes in is LOG. Log is to the SIEM what audit is to accounting companies. You just do it.

Strangely, this is not as intuitive as it sounds. Here’s a step by step. We don’t put any screenshots here because we have limited storage capacity on this blog. Yes, we are very frugal. And we like words.

AlienVault Scenario Setup

Because we are slightly lazy, we just want a simple scenario that the VMWare ESXi Box that we are hosting the AV on, to send logs to the AV. Just logs first. Like what it would do when sending to a syslog server. Our Vmware esxi for instance is 192.168.0.10, our AV is 192.168.0.11 (logging interface).

Setup your Esxi.

I know this is out of scope. In most cases, we would just tell our clients, look send your logs from PaloAlto, SonicWall, Juniper, Sophos etc to AlienVault’s logging interface. For Esxi, it is very simple.

1. Start your VMware VSphere client, login > right click on the VMWare host

2. Configuration>Software>Advanced Settings

3. Under Syslog, click on global, under syslog.global.logHost, put in your interface of the AV (192.168.0.11)

4. Click on Security Profile under Software and on the right top, click Properties

5. You are in ‘Firewall Properties’ tab, scroll down under label and find ‘syslog’. Click it. This should enable your syslog traffic to go out to your AV.

You are done. How other systems do it, no idea. But it will probably be more or less straightforward as this.

Initial Testing

If you are like me, and just want to make sure everything is working, setup your own free Syslog server (3CDaemon works nicely) and turn it on, and point your Esxi syslog to your own laptop running the syslog server. If you see stuff coming in, you know Esxi is running ok, and if any roadblock you face down the road, it would be AlienVault’s fault. Now point it back to the AV interface please.

AV Setup to Receive Logs

AV needs to see the logs coming in first. We used the base document found in

https://www.alienvault.com/doc-repo/usm/security-intelligence/AlienVault_Device_Integration_Fortinet_FortiGate.pdf

I know you are not doing fortigate, but the idea here is similar. Get the loggee (that’s what we will call the system sending logs to AV) to send to AV, Set up AV to receive logs, configure log expiration, enable plugin.

The annoying thing is in most cases, everyone starts at the ‘enable plugin’ stage and forgets to set up AV to receive those logs first. You can’t fault them. I attended the training for AlienVault engineer and the training assumed you have magically conjured up AV to receive logs so you could be banging your head for a while on this.

Time to go CLI. I will magically assume you know how to get to AV CLI. Just jailbreak it! It’s just a scary sounding name to get out of the AV menu to CLI. Log into your AV using Putty or your favoured SSH client, and in the menu, select jailbreak system and accept whatever disaster they warn you about.

Once in CLI:

a) Configure your rsyslogd. Go to /etc/rsyslog.d and ls. You don’t see vmware in there do you?

b) Because it’s not. AV doesn’t babysit you. It expects you to know stuff.

c) Check if rsyslog is actually running

ps -ef | grep rsyslog – check if the process is up

netstat -tulpen | grep rsyslog – check if its listening on the right ports – 514?

Extra geek points you can:

VirtualUSMAllInOne:/var/log# logger -t test syslog-test-message
VirtualUSMAllInOne:/var/log# tail /var/log/messages | grep test
Sep 11 18:09:19 VirtualUSMAllInOne test: syslog-test-message

Basically what you did was to get the logger to send a test message to itself and then check the message logs if the message was there. It is, so rsyslog is working nicely!

Now to configure your vmware-esxi.conf. We followed the above fortigate config

Vi vmware-esxi.conf and in your vi

if ($fromhost-ip == ‘192.168.0.10’) then /var/log/vmware-esxi.log

I am assuming you are a Vi person. If you are nano person or something else, then, that’s your cuppa.

I have a few problems with the above line, because it basically it means I am logging everything that’s coming from my vmware. I need to filter those annoying debug messages. So below does it

if $fromhost-ip == ‘192.168.0.10’ and $syslogseverity <= ‘6’ then -/var/log/vmware-esxi.log
if $fromhost-ip == ‘192.168.0.10’ then ~
& ~

Actually I copied this from somewhere else (https://www.alienvault.com/forums/discussion/2111/vmware-plugin-series) and I don’t know why line 2 is even there.

Basically the first line says anything coming from my loggee, with severity of informational and below (filter out debug), then put it into the vmware-esxi.log. The dash sign in front is just telling rsyslogd not to sync operation after writing out each line. According to the MAN: “You may prefix each entry with the minus “-” sign to omit syncing the file after every logging. Note that you might lose information if the system crashes right behind a write attempt. Nevertheless this might give you back some performance, especially if you run programs that use logging in a very verbose manner.”

However, recent times, there doesn’t seem to be any relevance to the dash anymore and is just there out of habit.

Line 2 = no idea because it just says, to discard (tilde ~) everything filtered out by line 1 (debug messages). The last line does the same. The ampersand & is just there for connecting the two lines.

OK so anyway, you have your configuration set up and filtering.

Go ahead and restart

/etc/init.d/rsyslog restart

Remember to configure a log rotation for yourself

vi /etc/logrotate.d/vmware-esxi

/var/log/vmware-esxi.log
{
rotate 4 # save 4 days of logs
daily # rotate files daily
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
invoke-rc.d rsyslog reload > /dev/null
endscript
}

I didn’t bother to find out what all these meant, I just took the AlienVault document as gospel truth.

You look pretty set up.

Now go to /var/log and see if vmware-esxi.log is there.

If it’s not,

touch vmware-esxi.log

tail -f vmware-esxi.log

This basically creates the file manually and do a ‘tail’, to see if any new lines have been appended to it.

Now go to your Esxi box and try to log in, you should be able to see some activity on that tail of yours.

Amazingly you have not even touched AlienVault yet. But you have gotten logs from the loggee into the logger so go ahead and grab your coffee. That’s a good start. We’ll look into what AlienVault can do better than other syslog servers in the next post.