Syslog Behavioural Checks

Syslog checks are called whenever ntopng collects logs as described in Syslog Log Ingestion. They are not checks in the strict sense, but handlers triggered whenever a syslog event is received. Below you can find the various syslog families.


Fortinet

Collects syslog logs from Fortinet devices. This is mainly used to implement Identity Management, to track all connection/disconnection events logged by the Fortinet VPN server and associate traffic to users.

Enabled by Default - requires the Syslog Producer configuration for Logs Demultiplexing as described in Syslog Log Ingestion.

Category: Cybersecurity

Host Log

Collects syslog logs from hosts. This is used to integrate all logs exported by hosts in the network.

Enabled by Default - requires the Syslog Producer configuration for Logs Demultiplexing as described in Syslog Log Ingestion.

Category: Cybersecurity

Kerberos/NXLog

Collects Kerberos authentication logs exported by NXLog in XML or JSON format. This is mainly used to handle Identity Management (user correlation) when Active Directory is used. In order to integrate Kerberos with this plugin, NXLog should be configured to export Kerberos events using syslog and send them to ntopng as described in Syslog Log Ingestion.

Enabled by Default - requires the Syslog Producer configuration for Logs Demultiplexing as described in Syslog Log Ingestion.

Category: Cybersecurity

Example of NXLog nxlog.conf configuration file for XML export:

define ROOT     C:\Program Files\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _charconv>
    Module      xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Extension xml>
    Module  xm_xml
</Extension>

<Input eventlog>
    Module im_msvistalog
    Query <QueryList>\
              <Query Id="0">\
                  <Select Path="Security">*[System[(EventID=4768 or EventID=4769)]]</Select>\
              </Query>\
          </QueryList>
</Input>

<Output out>
    Module      om_tcp
    Host        ntopng_ip
    Port        4637
    <Exec>
        $EventTime = integer($EventTime);
        to_xml();
    </Exec>
</Output>

<Route 1>
    Path          eventlog => out
</Route>
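The configuration above makes NXLog send one XML record per line over TCP to ntopng, carrying the Windows Security events 4768 (TGT request) and 4769 (service ticket request). The following added example, which is not part of ntopng or NXLog, shows the user correlation such records allow: it parses constructed to_xml() records, keeps only successful Kerberos events, normalises the IPv4-mapped client address Windows logs as ::ffff:a.b.c.d, and builds a client IP to user map. The field names (EventID, TargetUserName, IpAddress, ServiceName, Status) follow the Windows Security event data exposed by im_msvistalog; the sample values are invented.

```python
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed sample: NXLog to_xml() records as they would arrive on TCP port
# 4637, one record per line. Field names follow the Windows Security event
# data that im_msvistalog exposes; hostnames, users and addresses are made up.
SAMPLE_RECORDS = [
    '<Event><EventTime>1700000000000000</EventTime><Hostname>dc01.example.local</Hostname>'
    '<EventID>4768</EventID><TargetUserName>alice</TargetUserName>'
    '<TargetDomainName>EXAMPLE</TargetDomainName><ServiceName>krbtgt</ServiceName>'
    '<IpAddress>::ffff:10.10.5.23</IpAddress><IpPort>51234</IpPort><Status>0x0</Status></Event>',
    '<Event><EventTime>1700000001000000</EventTime><Hostname>dc01.example.local</Hostname>'
    '<EventID>4769</EventID><TargetUserName>alice@EXAMPLE.LOCAL</TargetUserName>'
    '<TargetDomainName>EXAMPLE.LOCAL</TargetDomainName><ServiceName>cifs/fs01</ServiceName>'
    '<IpAddress>::ffff:10.10.5.23</IpAddress><IpPort>51240</IpPort><Status>0x0</Status></Event>',
    # Failed TGT request (Status 0x18, pre-authentication failed): must not bind an identity
    '<Event><EventTime>1700000002000000</EventTime><Hostname>dc01.example.local</Hostname>'
    '<EventID>4768</EventID><TargetUserName>bob</TargetUserName>'
    '<TargetDomainName>EXAMPLE</TargetDomainName><ServiceName>krbtgt</ServiceName>'
    '<IpAddress>::ffff:10.10.5.77</IpAddress><IpPort>51300</IpPort><Status>0x18</Status></Event>',
    # A line that is not an XML record at all (e.g. a stray syslog message)
    'not xml at all',
]


@dataclass(frozen=True)
class KerberosEvent:
    event_id: int
    user: str          # account name, realm suffix stripped, lower-cased
    client_ip: str     # normalised client address (plain IPv4 or IPv6)
    service: str       # krbtgt for 4768, the requested SPN for 4769
    success: bool      # Status 0x0
    event_time_us: int # EventTime as produced by integer($EventTime) in the NXLog config


def normalise_ip(raw: str) -> Optional[str]:
    """Windows logs IPv4 clients as ::ffff:a.b.c.d; return the plain address, or None if invalid."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def normalise_user(raw: str) -> str:
    """4769 reports alice@EXAMPLE.LOCAL while 4768 reports alice; unify on the bare name."""
    return raw.split("@", 1)[0].strip().lower()


def parse_record(line: str) -> Optional[KerberosEvent]:
    """Parse one to_xml() line; return None for anything that is not a 4768/4769 event."""
    try:
        root = ET.fromstring(line)
    except ET.ParseError:
        return None
    if root.tag != "Event":
        return None
    fields = {child.tag: (child.text or "") for child in root}
    try:
        event_id = int(fields["EventID"])
    except (KeyError, ValueError):
        return None
    if event_id not in (4768, 4769):
        return None
    client_ip = normalise_ip(fields.get("IpAddress", ""))
    if client_ip is None:
        return None
    status = fields.get("Status", "").strip().lower()
    return KerberosEvent(
        event_id=event_id,
        user=normalise_user(fields.get("TargetUserName", "")),
        client_ip=client_ip,
        service=fields.get("ServiceName", "").strip(),
        success=status in ("0x0", "0"),
        event_time_us=int(fields.get("EventTime", "0") or 0),
    )


def build_identity_map(lines: Iterable[str]) -> Dict[str, str]:
    """Map client IP -> user from successful events only; the latest event for an IP wins."""
    mapping: Dict[str, str] = {}
    for line in lines:
        ev = parse_record(line)
        if ev is None or not ev.success:
            continue
        mapping[ev.client_ip] = ev.user
    return mapping


if __name__ == "__main__":
    for ip, user in build_identity_map(SAMPLE_RECORDS).items():
        print(f"{ip} -> {user}")
```

Only successful events feed the map: a failed TGT request still names the account that was tried, so binding it to the client address would attribute traffic to a user who never authenticated from that host.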

nBox

Collects syslog logs from nBox appliances. This is used to get notifications about services (start, stop, failures, crashes).

Enabled by Default - requires the Syslog Producer configuration for Logs Demultiplexing as described in Syslog Log Ingestion.

Category: Cybersecurity

OpenVPN

Collects syslog logs from devices running OpenVPN. This is mainly used to implement Identity Management, to track all connection/disconnection events logged by the OpenVPN server and associate traffic to users.

Enabled by Default - requires the Syslog Producer configuration for Logs Demultiplexing as described in Syslog Log Ingestion.

Category: Cybersecurity

OPNsense

Collects syslog logs from OPNsense devices. This is mainly used to implement Identity Management, to track all connection/disconnection events logged by the OPNsense VPN server and associate traffic to users.

Enabled by Default - requires the Syslog Producer configuration for Logs Demultiplexing as described in Syslog Log Ingestion.

Category: Cybersecurity

SonicWALL

Collects syslog logs from SonicWALL devices. This is mainly used to implement Identity Management, to track all connection/disconnection events logged by the SonicWALL VPN server and associate traffic to users.

Enabled by Default - requires the Syslog Producer configuration for Logs Demultiplexing as described in Syslog Log Ingestion.

Category: Cybersecurity

Sophos

Collects syslog logs from Sophos devices. This is mainly used to implement Identity Management, to track all connection/disconnection events logged by the Sophos VPN server and associate traffic to users.

Enabled by Default - requires the Syslog Producer configuration for Logs Demultiplexing as described in Syslog Log Ingestion.

Category: Cybersecurity

Suricata

Collects Suricata events in EVE JSON format through syslog. The EVE JSON output facility in Suricata outputs flows, alerts, anomalies, metadata, file info and protocol-specific records. This can be used to collect flows (similar to NetFlow), alerts, or both from Suricata.

Enabled by Default - requires the Syslog Producer configuration for Logs Demultiplexing as described in Syslog Log Ingestion.

Category: Cybersecurity
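When EVE JSON is shipped over syslog, each record arrives as the message part of a syslog line, and flow and alert records have to be told apart by their event_type. The following added example, which is not Suricata's or ntopng's code, strips an RFC 3164-style syslog header, parses the JSON payload, turns flow records into NetFlow-like 5-tuple summaries and alert records into signature summaries, and counts lines it cannot parse (such as a record truncated in transit). The sample lines are constructed; the signature ID and name in them are invented local-rule values, and the header layout (PRI, timestamp, host, tag[pid]:) is an assumption about how the syslog daemon formats Suricata's output.

```python
import json
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: RFC 3164-style syslog lines carrying EVE JSON. Addresses are
# documentation ranges; sid 1000001 and its signature text are invented local-rule values.
SAMPLE_LINES = [
    '<13>Nov 14 10:00:01 sensor01 suricata[2345]: {"timestamp":"2023-11-14T10:00:01.000000+0000",'
    '"event_type":"flow","src_ip":"10.0.0.5","src_port":50432,"dest_ip":"203.0.113.7","dest_port":443,'
    '"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":12,"pkts_toclient":10,'
    '"bytes_toserver":1420,"bytes_toclient":6210,"state":"closed"}}',
    '<13>Nov 14 10:00:02 sensor01 suricata[2345]: {"timestamp":"2023-11-14T10:00:02.000000+0000",'
    '"event_type":"alert","src_ip":"10.0.0.5","src_port":50433,"dest_ip":"198.51.100.9","dest_port":80,'
    '"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,'
    '"signature":"LOCAL constructed test rule","category":"Constructed Category","severity":2}}',
    '<13>Nov 14 10:00:03 sensor01 suricata[2345]: {"timestamp":"2023-11-14T10:00:03.000000+0000",'
    '"event_type":"stats","stats":{"uptime":3600}}',
    '<13>Nov 14 10:00:04 sensor01 suricata[2345]: {"timestamp":"2023-11-14T10:00:04.000000+0000",'
    '"event_type":"alert","src_ip":"10.0.0.5","src_port":50434,"dest_ip":"198.51.100.9","dest_port":80,'
    '"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,'
    '"signature":"LOCAL constructed test rule","category":"Constructed Category","severity":2}}',
    # Truncated record, as a syslog relay may produce when a message exceeds its size limit
    '<13>Nov 14 10:00:05 sensor01 suricata[2345]: {"timestamp":"2023-11-14T10:00:05',
]

# <PRI>, RFC 3164 timestamp, hostname, tag with optional [pid], then the message.
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[\w.-]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)


def split_syslog(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (host, tag, message) or None if the header does not match."""
    m = SYSLOG_HEADER.match(line)
    if m is None:
        return None
    return m.group("host"), m.group("tag"), m.group("msg")


def parse_eve_line(line: str) -> Optional[dict]:
    """Extract the EVE record from a syslog line; None for non-Suricata or undecodable payloads."""
    parts = split_syslog(line)
    if parts is None:
        return None
    host, tag, msg = parts
    if tag != "suricata":
        return None
    try:
        record = json.loads(msg)
    except json.JSONDecodeError:
        return None
    if not isinstance(record, dict) or "event_type" not in record:
        return None
    record["_sensor"] = host  # remember which sensor emitted the record
    return record


def flow_record(ev: dict) -> dict:
    """NetFlow-like summary: 5-tuple plus packet and byte totals in both directions."""
    f = ev["flow"]
    return {
        "sensor": ev["_sensor"],
        "src": (ev["src_ip"], ev.get("src_port")),
        "dst": (ev["dest_ip"], ev.get("dest_port")),
        "proto": ev["proto"],
        "app_proto": ev.get("app_proto"),
        "pkts": f.get("pkts_toserver", 0) + f.get("pkts_toclient", 0),
        "bytes": f.get("bytes_toserver", 0) + f.get("bytes_toclient", 0),
    }


def alert_record(ev: dict) -> dict:
    a = ev["alert"]
    return {
        "sensor": ev["_sensor"],
        "src": (ev["src_ip"], ev.get("src_port")),
        "dst": (ev["dest_ip"], ev.get("dest_port")),
        "signature_id": a["signature_id"],
        "signature": a["signature"],
        "severity": a.get("severity"),
        "action": a.get("action"),
    }


def summarise(lines: Iterable[str]) -> Dict[str, object]:
    """Split a stream of syslog lines into flows, alerts and a count of unparseable lines."""
    flows: List[dict] = []
    alerts: List[dict] = []
    dropped = 0
    for line in lines:
        ev = parse_eve_line(line)
        if ev is None:
            dropped += 1
            continue
        if ev["event_type"] == "flow":
            flows.append(flow_record(ev))
        elif ev["event_type"] == "alert":
            alerts.append(alert_record(ev))
        # stats, dns, http and other event types are accepted but not summarised here
    return {"flows": flows, "alerts": alerts, "dropped": dropped}


def alert_counts(alerts: List[dict]) -> Counter:
    """Count alerts per (signature_id, signature) so repeated hits stand out."""
    return Counter((a["signature_id"], a["signature"]) for a in alerts)


if __name__ == "__main__":
    result = summarise(SAMPLE_LINES)
    print(result["flows"])
    print(alert_counts(result["alerts"]).most_common())
    print("dropped:", result["dropped"])
```

The dropped counter is worth exposing as a metric in practice: EVE records are large, and a relay that silently truncates messages to the classic syslog size limit will make alerts vanish without any error on the Suricata side.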