All,
First time poster, have searched for answers but haven't found anything that's helping me out. I'm a Splunk architect tasked with getting log data out of IBM Security Verify Access (Firmware 10.0.4.0) and into Splunk.
I logged on to our SVA device (hosted in public cloud infrastructure), went to "Monitor" -> "Remote Syslog Forwarding" and set up a tcp connection with the format of RFC 5424 to our syslog server (running syslog-ng 3.23). After including the "system" log as a source, I logged on to our syslog server to see what's being logged and found log events in the following format:
Sep 26 00:10:34 <<hostname>> 1 2023-09-26T01:10:34.666332+01:00 <<hostname>> system - - - Sep 26 01:10:25 mesa_config[3865]: Executing trigger 'dhcp_lease_renewed' for module events
Sep 26 00:10:34 <<hostname>> 1 2023-09-26T01:10:34.666333+01:00 <<hostname>> system - - - Sep 26 01:10:25 mesa_config[3865]: Trigger 'dhcp_lease_renewed' succeeded
As you can see, syslog-ng is prepending the date in "MMM DD hh:mm:ss" format and the hostname in front of the syslog message coming from SVA. My understanding of syslog-ng is that this is done because it doesn't understand the message coming from SVA and so puts all of that in the $MESSAGE field. (I think it's because of the "1" between the first <<hostname>> and the second timestamp; syslog-ng doesn't know if it's priority, severity or version?)
I don't see any way of changing SVA to send in a different format and I'm trying to get the message sent to syslog-ng like:
2023-09-26T01:10:34.666332+01:00 <<hostname>> system - - - Sep 26 01:10:25 mesa_config[3865]: Executing trigger 'dhcp_lease_renewed' for module events
2023-09-26T01:10:34.666333+01:00 <<hostname>> system - - - Sep 26 01:10:25 mesa_config[3865]: Trigger 'dhcp_lease_renewed' succeeded
This will allow syslog-ng to use the hostname to create a folder for each device with all the logs for that device. From there I'll be able to ingest the data into Splunk using wildcards on the device names to ensure data segregation.
Does anyone have any experience of getting syslog-ng to write the events correctly (bonus points for having got the data into Splunk as well)?
Thanks in advance,
Blair
------------------------------
Blair Fallis
------------------------------
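As an added illustration (not part of Blair's post and not syslog-ng's own code), the Python below shows where that "1" sits in an RFC 5424 header (it is the VERSION field, right after the optional <PRI>), strips the BSD-style "MMM DD hh:mm:ss host" prefix seen in the logged lines, and builds a per-device folder from the parsed hostname while rejecting hostnames that could escape the log root. The hostname sva-prod-01 and the <13> priority are constructed sample values standing in for the <<hostname>> placeholder.

```python
import re
from dataclasses import dataclass

# RFC 5424 header: [<PRI>]VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID
#                  SP MSGID SP STRUCTURED-DATA [SP MSG]
RFC5424 = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<version>\d)\s(?P<ts>\S+)\s(?P<host>\S+)\s"
    r"(?P<app>\S+)\s(?P<procid>\S+)\s(?P<msgid>\S+)\s(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?:\s(?P<msg>.*))?$"
)
# "MMM DD hh:mm:ss host " prefix that a BSD-syslog (RFC 3164) parser prepends when it
# cannot parse the line and stores the whole RFC 5424 message in $MESSAGE
BSD_PREFIX = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")

@dataclass
class Event:
    host: str
    app: str
    timestamp: str
    msg: str

def parse(line: str):
    """Parse an RFC 5424 line, dropping a stray BSD prefix first; None if no header found."""
    m = RFC5424.match(BSD_PREFIX.sub("", line, count=1))
    if not m:
        return None
    return Event(m["host"], m["app"], m["ts"], m["msg"] or "")

def device_path(event: Event, root: str = "/var/log/remote") -> str:
    """Per-device log path from the RFC 5424 HOSTNAME; refuse values that could escape root."""
    if event.host in (".", "..") or not re.fullmatch(r"[A-Za-z0-9._-]{1,255}", event.host):
        raise ValueError(f"unsafe hostname: {event.host!r}")
    return f"{root}/{event.host}/{event.app}.log"

# Constructed samples: the post's two lines with the placeholder hostname replaced by sva-prod-01
MANGLED = ("Sep 26 00:10:34 sva-prod-01 1 2023-09-26T01:10:34.666332+01:00 sva-prod-01 system - - - "
           "Sep 26 01:10:25 mesa_config[3865]: Executing trigger 'dhcp_lease_renewed' for module events")
CLEAN = ("<13>1 2023-09-26T01:10:34.666333+01:00 sva-prod-01 system - - - "
         "Sep 26 01:10:25 mesa_config[3865]: Trigger 'dhcp_lease_renewed' succeeded")

if __name__ == "__main__":
    for line in (MANGLED, CLEAN):
        ev = parse(line)
        print(device_path(ev), ev.timestamp, ev.msg)
```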