Examples for topologies SIEM (RuSIEM/RvSIEM), guide for forwarding events

1. Co-Founder, CEO
Олеся Шелестова
oshelestova@rusiem.com
Events collection and
forwarding.
(RuSIEM/RvSIEM free)
2017

2. Mode
• Single mode
• Multi-node
• Load balancing (MQ)
• Emulate back-connection
• Distributed correlation
• Forward all events
• Forward events by condition
• Forwarding formats:
• Plain syslog
• TLS syslog
• CEF
• Json (normalized)
3

3. Example A
4
Balanced
Servers Region B
Server Region A
• You need to send the entire stream or by condition
• Formats: syslog plain, syslog TLS, JSON, CEF
TCP or UDP

4. Example B
5
Balanced
Servers Region B
Server Region A
• You need collect logs from other server
• Connections allowed only to DMZ
DMZ Example
X X

5. Example C
6
Balanced
Servers Region B
Server Region A
• You need stream events from A-Region to B
• In B-Region you have some server in the balanced mode
TCP or UDP
MQ

6. Example D
7
HQ Region
Cluster
Region A
• You need correlate events in Region A/B/C as single installation
• Correlate A and C region events
• Correlate A/B/C only in HQ without forward all events (!)
MQ
without all events
MQRegion B
Region C

7. Events path
8
LSINPUT FRS_SERVER LSFILTER LSELASTIC
From agent
From syslog
RuSIEM MQ
Correlation
Analytics
RAW JSON
normalized
JSON
normalized
+ symptoms
+category
+ weight

8. How to do it
(technical information) for Example A/B
9

9. Example A. Agenda.
10
• You need to send the entire stream or by condition
• Formats: syslog plain, syslog TLS, JSON, CEF
• Server Region A:
• will be receive all events from Region A
source
• Normalize events
• Operate symptomatic and weight events
• Correlate (if need)
• Store events
• Server Region B:
• will be receive all events from Region A
server and sources Region B
• Normalize events only from sources Region B
• Operate symptomatic and weight events
• Correlate (if need)
• Store events

10. Example A
11
• You need to send the entire stream or by condition
• Formats: syslog plain, syslog TLS, JSON, CEF
For all events forwarding:
1. For node “Server Region A” create custom config with suffix “_user.conf” for frs_server. Example,
“/opt/rusiem/frs_server/etc/send_tcp_user.conf“

11. “Server Region A” – “send_tcp_user.conf” for frs_server
12
input {
internal { # pickup events from rusiem-mq internal
key => "classified"
}}
filter {
}
output {
tcp {
codec => json_lines
host => "172.16.0.125“ # change this for “server region B” IP
port => 5016
}}

12. 13
In node Server Region B:
2. For node “Server Region B” create custom config with suffix “_user.conf” for lsfilter. Example,
“/opt/rusiem/lsfilter/etc/receive_tcp_user.conf“
input {
tcp {
codec => json
port => 5016
type => syslog
add_field => [ "[rcvr][port]", “5016" ]
add_field => [ "[rcvr][proto]", "tcp" ]
queue_type => file
}
}
output {
tcp {
port => 261
codec => json
}
}

13. • Allow out/input tcp connection in /etc/init.d/firewall.sh for A/B node
• Disable FW update in /opt/rusiem/modules_user.dat
• Run command “service frs_server restart” in Server A
• Run command “service lsfilter restart” in Server B
• Check receive events in Node B “tcpdump dst port 5016”
• Profit
14

14. Example B. Agenda.
15
• Server Region A:
• will be receive all events from Region A
source
• Normalize events
• Operate symptomatic and weight events
• Correlate (if need)
• Store events
• Provide events from Region A to B over MQ
• Server Region B:
• will be receive all events from Region A
• Receive normalized events from Region B
over MQ
• Normalize events only from sources Region B
• Operate symptomatic and weight events
• Correlate (if need)
• Store events
• You need collect logs from other server
• Connections allowed only to DMZ. From from DMZ to Local/Region B - denied.

15. Example B
16
1. Change /etc/redis/redis.conf on node Region A:
• Comment row bind 127.0.0.1 with #. Example, #bind 127.0.0.1. Restart redis with command “service
redis-server restart”
• Save and exit from editor
2. Create new user config file for frs_server on node Region A: nano
/opt/rusiem/frs_server/etc/provide_user.conf :
• You need collect logs from other server
• Connections allowed only to DMZ. From from DMZ to Local/Region B - denied.

16. Example B “Server Region A” –
“/opt/rusiem/frs_server/etc/provide_user.conf ” for frs_server
17
input {
internal {
key => "classified"
}}
filter {
}
output {
redis {
host => "127.0.0.1"
data_type => "list"
codec => json
key => "provider"
workers => 1
}}

17. Example B
18
3. On node Region B change /etc/redis/redis.conf:
• Add row:
slaveof 172.15.0.1 # Set ip Node Region A
• Change row: slave-read-only yes to
slave-read-only no
• Save and exit
• Restart redis-server on node B.
Attention! Slaveof row may be only one! We cannot use more that one master node :/
• You need collect logs from other server
• Connections allowed only to DMZ. From from DMZ to Local/Region B - denied.

18. Example B
19
4. On node Region B and Region A change /etc/init.d/firewall.conf:
• On node A add rows:
iptables -A INPUT -p tcp –s you_IP_node_B -d $EXTIP --dport 6379 -j ACCEPT
iptables -A OUTPUT -p tcp -s $EXTIP --sport 6379 –d you_IP_node_B -j ACCEPT
• On node B add rows:
iptables -A INPUT -p tcp –s you_IP_node_A -d $EXTIP --sport 6379 -j ACCEPT
iptables -A OUTPUT -p tcp -s $EXTIP --dport 6379 –d you_IP_node_A -j ACCEPT
5. On node A and B restart firewall with command: /etc/init.d/firewall.sh restart
6. Check events from node A on node B RuSIEM interface.
• You need collect logs from other server
• Connections allowed only to DMZ. From from DMZ to Local/Region B - denied.

19. Our site: https://www.rusiem.com
Facebook: https://www.facebook.com/rvsiem
Telegram news: https://t.me/rusiem
Mail: support@rusiem.com
CEO, Olesya Shelestova oshelestova@rusiem.com
Thank you
20