This is a lightweight Tiny UDP Syslog Server (syslogfs.py) which can be configured:
- To receive UDP syslog messages from the PAN Traps ESM Server - currently configured for Threats (Threat Prevention messages).
- To send DEX (Data Exchange) updates to your CounterACT platform.
There are a couple of settings that need to be configured in CounterACT before running the script:
a. Allow Web-API requests from the IP of the host running the script.
b. Configure a new DEX account (note both <Name> and <Username>; they are entered as <Name>@<Username> in the configuration below).
c. Define a Web-Services Composite Property (default name "TrapsEvents"):
   i. Create a Web-Service Property in your platform under Data Exchange (DEX) / Web-Services Properties.
      Property Name: "TrapsEvents" by default - Type: Composite (the name is configurable in syslogfs.py via propertyName).
   ii. Then configure the following mapped sub-properties:
- TimeStamp (String) - Inv
- Source (String) - Inv
- Type (String) - Inv
- Content (String) - Inv
- Message (String)
   iii. Optionally configure Aggregate Settings to keep a history of the updates received.
Note: for the DEX Web-Services account make sure to note both the account name and the username, as they must be entered as name@username in the following section.
Fill in the CounterACT IP, the user/password for the Web-API, and the user/password for the DEX Web-Services account:
---
counterActIP: <your-ip>
Web-API:
User: <your-username>
Password: <your-password>
DEX-Web-Serivces:
User: <name>@<username> # for DEX
Password: <your-password>
LOG_ENABLE = False # Set to True to also log to LOG_FILE; logging to the screen is enabled by default.
LOG_FILE = 'logfile.log' # filename of the log file
HOST, PORT = "0.0.0.0", 514 # listen address (0.0.0.0 = all interfaces) and UDP port (default 514). Prefer the address of the interface the ESM server reaches, or firewall the port: UDP syslog is unauthenticated, so any host that can reach it can inject events.
propertyName = "TrapsEvents" # name of the Composite Property defined under DEX Web-Services in CounterACT
Run the script with:
python syslogfs.py
OR, since binding UDP port 514 (a port below 1024) requires root privileges:
sudo python syslogfs.py
Now you can configure the ESM Server to send syslog to the host IP and UDP port configured above (default 514).
A tiny syslog client is included under the client directory: customize test_client.py with the IP of the syslog server and the endpoint IPs to be tested within CounterACT, then send simulated syslog messages with:
python test_client.py
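The following is an added example, not the project's syslogfs.py or test_client.py. It shows both sides of the exchange above: a client that encodes an RFC 3164 syslog datagram (what the test client simulates) and a UDP receiver that accepts datagrams only from the ESM server's address, parses the header and maps the line onto the five TrapsEvents sub-properties. The ESM address 10.0.0.5, the sample threat message, the Type = tag/severity mapping and the extraction of the endpoint IP from the message body are assumptions made for this example; the DEX web-service update itself is left out because its payload depends on the CounterACT API.

```python
"""Added example (not the project's code): minimal UDP syslog receiver plus a
matching test client. Source allowlist, Type/Content mapping and endpoint-IP
extraction are assumptions for this example."""
import re
import socket
import socketserver
from datetime import datetime

# Assumed ESM server address. UDP syslog carries no authentication, so any host
# that can reach the port could forge a "threat" for any endpoint; accepting only
# datagrams from the ESM's IP is the minimum check before trusting a message.
ALLOWED_SOURCES = {"10.0.0.5"}

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# RFC 3164 shape: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG (day is space-padded)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+):?\s?(?P<msg>.*)$", re.DOTALL)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_syslog(facility, severity, hostname, tag, msg, when=None):
    """Client side: encode one RFC 3164 datagram (what a test client sends)."""
    when = when or datetime.now()
    pri = facility * 8 + severity
    ts = f"{MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{ts} {hostname} {tag}: {msg}".encode("utf-8")


def parse_syslog(data, src_ip, allowed=ALLOWED_SOURCES):
    """Server side: drop datagrams from unknown sources or with a bad header,
    otherwise return the TrapsEvents sub-property values plus the endpoint IP
    found in the message (assumed to be the host the DEX update targets)."""
    if src_ip not in allowed:
        return None
    text = data.decode("utf-8", errors="replace")
    m = RFC3164.match(text)
    if not m or int(m["pri"]) > 191:  # 24 facilities * 8 severities - 1
        return None
    content = m["msg"].strip()
    ip = IPV4.search(content)
    return {
        "TimeStamp": m["ts"],
        "Source": m["host"],                                  # sending ESM host
        "Type": f"{m['tag']}/{SEVERITIES[int(m['pri']) % 8]}",
        "Content": content,
        "Message": text.strip(),                              # raw line, kept for forensics
        "Endpoint": ip.group(0) if ip else None,
    }


class SyslogHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data, _sock = self.request  # UDPServer hands over (datagram, socket)
        rec = parse_syslog(data, self.client_address[0], self.server.allowed)
        if rec is not None:         # rejected datagrams are silently dropped
            self.server.received.append(rec)


class SyslogServer(socketserver.UDPServer):
    """Binds on (HOST, PORT) like syslogfs.py, with an explicit source allowlist."""
    allow_reuse_address = True

    def __init__(self, addr, allowed):
        super().__init__(addr, SyslogHandler)
        self.allowed = set(allowed)
        self.received = []


def loopback_demo():
    """Exchange two constructed datagrams over loopback on an ephemeral port:
    one valid Traps-style threat message and one piece of garbage. Returns the
    records the server kept (only the valid one)."""
    srv = SyslogServer(("127.0.0.1", 0), allowed={"127.0.0.1"})
    srv.timeout = 2
    port = srv.server_address[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        client.sendto(build_syslog(1, 2, "esm01", "traps",
                                   "Threat prevention: malware blocked on 192.0.2.10"),
                      ("127.0.0.1", port))
        client.sendto(b"not a syslog message", ("127.0.0.1", port))
        srv.handle_request()
        srv.handle_request()
    finally:
        client.close()
        srv.server_close()
    return srv.received


if __name__ == "__main__":
    for rec in loopback_demo():
        print(rec)
```

Run it directly to see the parsed record for the valid datagram; the garbage datagram is dropped before it could ever reach a DEX update. In a real deployment the allowlist would hold the ESM server's address and the server would bind to the HOST/PORT values from the configuration above rather than to loopback.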
Now you can check either the endpoint's properties or the Inventory view in CounterACT to verify that the TrapsEvents property has been received.
You can build your own version of the Docker container with the following command (executed in the same folder as the scripts / Dockerfile):
docker build . -t hkarhani/syslogfs
Then run the built container with:
docker run -it -p 514:514/udp hkarhani/syslogfs
Verify the port mapping if the default UDP port 514 has been changed, either in the script or in the port exposed on the Docker host.
If port 514 is already in use on the Docker host, map a different host port such as 5514 instead; the following command also runs the container in the background (-d) and removes it once it terminates (--rm):
docker run -d --rm -p 5514:514/udp hkarhani/syslogfs