forked from WrongProvider/wazuh_decoders
-
Notifications
You must be signed in to change notification settings - Fork 0
/
rsyslog.conf
51 lines (43 loc) · 1.64 KB
/
rsyslog.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
module(load="imuxsock") # provides support for local system logging
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
#Storing Messages from a Remote System into a specific File
#template used for better filtering capabilities in Wazuh
template(name="kasper" type="list") {
constant(value="Kasperky syslog pattern: FROM_KSC_HOST: '")
property(name="fromhost")
constant(value="', KES_VERSION: '")
property(name="app-name")
constant(value="', TIMESTAMP: '")
property(name="timestamp" dateFormat="rfc3339")
constant(value="', INFECTED_HOST: '")
property(name="hostname")
# property(name="syslogtag")
constant(value="', STRUCTURED-DATA: '")
property(name="structured-data")
property(name="msg" spifno1stsp="on" )
property(name="msg" droplastlf="on" )
# replace(0,"\r\n"," ")
constant(value="\n")
}
# stores the log with the above pattern if it captures the IP from Security Center
if ($fromhost-ip == '10.11.161.5') then {
#filters the log for the hostname (use your own) of KSC or the KES signature in Kaspersky logs
if $structured-data contains ("hostname" or "KES") then{
action(type="omfile" file="/var/log/siem/domain/kasper.log" template="kasper")
}
else{
action(type="omfile" file="/var/log/siem/domain/teste.log")
}
}