Syslog-ng configuration file

README.md

@@ -4,11 +4,14 @@ This project hosts files and links to components used by [Stormshield Visibility
 
 ## Installation instructions
   * Make sure you have a fully functional Elastic stack running. If not, please refer to [Installing the Elastic Stack](https://www.elastic.co/guide/en/elastic-stack/5.6/installing-elastic-stack.html#installing-elastic-stack) instructions,
+  * Install [Syslog-ng](./syslog-ng)
   * Install [Kibana index-pattern](./index-pattern),
   * Install [Elasticsearch templates](./templates),
   * Install [Logstash plugins](#plugins),
   * Update [Logstash pipeline](./pipeline) configuration,
-  * Configure your Stormshield products to send logs to your Logstash instance (default port **5000**).
+  * Configure your Stormshield products to send logs to your _Syslog-ng_ instance
+    * UDP **514** or
+    * TCP **601**
 
 ### Docker
 A ready to use Elastic Stack is also provided as a Docker container for testing

syslog-ng/README.md

@@ -0,0 +1,6 @@
+# Syslog-ng configuration files
+
+Stormshield products send logs using different RFC standards. This _Syslog-ng_ configuration file is used to address every cases, since [Logstash](https://www.elastic.co/guide/en/logstash/current/plugins-inputs-syslog.html) _syslog_ input plugin only supports [RFC3164](https://www.ietf.org/rfc/rfc3164.txt)
+
+## Installation instructions
+  - Copy `syslog-stormshield-configuration.conf` file in your _Syslog-ng_ configuration path ( Default: _/etc/syslog-ng/conf.d/_)

syslog-ng/syslog-stormshield-configuration.conf

@@ -0,0 +1,90 @@
+@define allow-config-dups 1
+@define MAX_CONNECTIONS 10
+@define LOG_IW_SIZE 10000
+options {
+  log_fifo_size(`LOG_IW_SIZE`);
+};
+
+###########
+# Sources #
+###########
+source s_svc_syslog_rfc3164_udp {
+	network(port(514)
+		transport("udp")
+		max-connections(`MAX_CONNECTIONS`));
+};
+source s_svc_syslog_rfc5424_tcp {
+	syslog(
+		port(601)
+		transport("tcp")
+		max-connections(`MAX_CONNECTIONS`)
+		log-iw-size(`LOG_IW_SIZE`)
+	);
+ };
+
+###########
+# Filters #
+###########
+filter f_svc_sns {
+	match("\"?id\"?=\"?firewall\"?" value("MSG"));
+};
+filter f_svc_sns_legacy {
+	match("\"?id\"?=\"?firewall\"?" value("PROGRAM"));
+};
+filter f_svc_ses {
+	match("\"?id\"?=\"?endpoint\"?" value("MSGHDR"));
+};
+filter f_svc_sds {
+	match("\"?id\"?=\"?datasecurity\"?" value("MSG"));
+};
+filter f_svc_sdmc {
+	match("\"?id\"?=\"?sdmc\"?" value("MSG"));
+};
+
+#############
+# Templates #
+#############
+template t_svc_stormshield_format {
+	template("$MSG\n");
+	template_escape(no);
+};
+template t_svc_ses_format {
+	template("$PROGRAM $MSG\n");
+	template_escape(no);
+};
+template t_svc_sns_legacy {
+	template("$PROGRAM $MSG\n");
+	template_escape(no);
+};
+
+################
+# Destinations #
+################
+destination d_svc_logstash {
+	tcp("127.0.0.1" port(5000));
+};
+
+log {
+	source(s_svc_syslog_rfc3164_udp);
+	source(s_svc_syslog_rfc5424_tcp);
+	log {
+		filter(f_svc_sns);
+		destination(d_svc_logstash);
+	};
+	log {
+		filter(f_svc_sns_legacy);
+		destination(d_svc_logstash);
+	};
+	log {
+		filter(f_svc_ses);
+		destination(d_svc_logstash);
+	};
+	log {
+		filter(f_svc_sds);
+		destination(d_svc_logstash);
+	};
+	log {
+		filter(f_svc_sdmc);
+		destination(d_svc_logstash);
+	};
+};