CzP introduction


Peter Czanik
Hello,

Before flooding the list with my CEE related questions, problems,
proposals, I'd like to introduce myself. I'm Peter Czanik, working for
BalaBit IT Security, the parent company for syslog-ng, a popular syslog
implementation. I'm working with the community on open source Balabit
products and also on what is called patterndb.

Patterndb is a feature of syslog-ng, which is able to extract useful
information from syslog messages. This can also be used as a tool to
convert incoming or stored syslog messages into CEE compliant events.
Once I received cee-base-20100929.xml a few weeks ago, I tried to
convert a few patterns to provide CEE compliant fields and tags. You
will find an example at the end of this e-mail.

While trying to create CEE based patterndb rules, I ran into many
questions and problems. I already shared some of these with Anton
Chuvakin, who made us aware that the CEE specification is progressing.
He suggested that we should continue discussion here on the list. So
please expect a flood of e-mails here on the list in the coming days.

And here is a simple example pattern for a successful proftpd login
event converted to use CEE fields and tags.

      <rule provider="patterndb" id="f5bd9439-fdc7-40c7-870f-60731c77f7a2" class="system">
        <patterns>
          <pattern>@ESTRING:: @(@ESTRING::[@@ESTRING:src_ip:]@) - USER @ESTRING:acct_name::@ Login successful.</pattern>
        </patterns>
        <examples>
          <example>
            <test_message program="proftpd">ubuntu (::ffff:192.168.2.179[::ffff:192.168.2.179]) - USER czanik: Login successful.</test_message>
            <test_values>
              <test_value name="src_ip">::ffff:192.168.2.179</test_value>
              <test_value name="acct_name">czanik</test_value>
            </test_values>
          </example>
        </examples>
        <values>
          <value name="prod_procid">$PID</value>
          <value name="prod_name">$PROGRAM</value>
        </values>
        <tags>
          <tag>login</tag>
          <tag>success</tag>
          <tag>access</tag>
          <tag>acct</tag>
        </tags>
      </rule>

You can read more about patterndb on our website:
http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/features/pattern_db
or in the documentation:
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/concepts_pattern_databases.html
and
http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-v3.1-guide-admin-en.html/reference_parsers_pattern_databases.html

Best regards,

--
Peter Czanik (CzP) <[hidden email]>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/
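The rule in Peter's e-mail, replayed by a small stand-alone matcher. This is added example code, not part of the original message and not syslog-ng's own implementation: it handles only the @ESTRING:name:delimiter@ parser the rule uses, assumes syslog-ng's first-occurrence semantics for the delimiter (consumed, not stored) and whole-message anchoring, resolves only the $PROGRAM and $PID macros, and the "Login failed." message and the pid value 4242 are constructed inputs.

```python
import re
import xml.etree.ElementTree as ET

# Constructed single-line copy of the proftpd rule from the e-mail above.
RULE_XML = """<rule provider="patterndb" id="f5bd9439-fdc7-40c7-870f-60731c77f7a2" class="system">
  <patterns>
    <pattern>@ESTRING:: @(@ESTRING::[@@ESTRING:src_ip:]@) - USER @ESTRING:acct_name::@ Login successful.</pattern>
  </patterns>
  <examples>
    <example>
      <test_message program="proftpd">ubuntu (::ffff:192.168.2.179[::ffff:192.168.2.179]) - USER czanik: Login successful.</test_message>
      <test_values>
        <test_value name="src_ip">::ffff:192.168.2.179</test_value>
        <test_value name="acct_name">czanik</test_value>
      </test_values>
    </example>
  </examples>
  <values>
    <value name="prod_procid">$PID</value>
    <value name="prod_name">$PROGRAM</value>
  </values>
  <tags><tag>login</tag><tag>success</tag><tag>access</tag><tag>acct</tag></tags>
</rule>"""

# One @ESTRING:name:delimiter@ token; an empty name means "match but do not
# store" and the delimiter is everything up to the closing '@'.
_ESTRING = re.compile(r"@ESTRING:([^:@]*):([^@]*)@")

def pattern_to_regex(pattern):
    """Translate a patterndb pattern into an anchored Python regex: literals
    verbatim, each ESTRING up to the first occurrence of its delimiter, the
    delimiter consumed but not stored. Whole-message anchoring is assumed."""
    parts, pos = [], 0
    for m in _ESTRING.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        name, delim = m.group(1), m.group(2)
        # A negated class gives "first occurrence" without backtracking; a
        # multi-character delimiter falls back to a lazy match (approximation).
        body = "[^%s]*" % re.escape(delim) if len(delim) == 1 else ".*?"
        capture = "(?P<%s>%s)" % (name, body) if name else body
        parts.append(capture + re.escape(delim))
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("".join(parts), re.DOTALL)

def load_rule(xml_text):
    """Pull patterns, static values, tags and self-test examples out of a <rule>."""
    root = ET.fromstring(xml_text)
    examples = []
    for ex in root.iter("example"):
        msg = ex.find("test_message")
        expected = {tv.get("name"): tv.text for tv in ex.iter("test_value")}
        examples.append((msg.get("program"), msg.text, expected))
    return {"id": root.get("id"), "class": root.get("class"),
            "patterns": [pattern_to_regex(p.text) for p in root.iter("pattern")],
            "values": {v.get("name"): v.text for v in root.iter("value")},
            "tags": [t.text for t in root.iter("tag")], "examples": examples}

def expand_macros(template, program, pid):
    """Only the two macros this rule uses; real syslog-ng has many more."""
    return template.replace("$PROGRAM", program).replace("$PID", pid or "")

def apply_rule(rule, program, message, pid=None):
    """Return a CEE-style event dict for the first matching pattern, else None."""
    for regex in rule["patterns"]:
        m = regex.fullmatch(message)
        if m is None:
            continue
        event = {"class": rule["class"], "rule_id": rule["id"]}
        event.update(m.groupdict())
        for name, template in rule["values"].items():
            event[name] = expand_macros(template, program, pid)
        event["tags"] = list(rule["tags"])
        return event
    return None

def check_examples(rule):
    """Replay the rule's own <examples>: every test_message must match and
    yield exactly the listed test_values. True only when all of them pass."""
    for program, message, expected in rule["examples"]:
        event = apply_rule(rule, program, message)
        if event is None or any(event.get(k) != v for k, v in expected.items()):
            return False
    return True

RULE = load_rule(RULE_XML)

# Constructed inputs: the e-mail's own test message, and a synthetic
# "Login failed." variant that must not receive the login/success tags.
OK_MSG = "ubuntu (::ffff:192.168.2.179[::ffff:192.168.2.179]) - USER czanik: Login successful."
BAD_MSG = "ubuntu (::ffff:192.168.2.179[::ffff:192.168.2.179]) - USER czanik: Login failed."

if __name__ == "__main__":
    print(check_examples(RULE))                           # True
    print(apply_rule(RULE, "proftpd", OK_MSG, "4242"))
    print(apply_rule(RULE, "proftpd", BAD_MSG, "4242"))   # None
```

The point of the constructed negative case is that the trailing literal "Login successful." is the only thing separating a success from a failure here: a rule whose pattern stopped at the account name would tag every failed login as login/success, and everything downstream that trusts the tags (alerting, correlation) would inherit the error. The `<examples>` element is the place to keep such cases so that every pattern change is checked against them.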
Re: CzP introduction

Eric Fitzgerald-2
Thank you Peter for letting us know about your project!

As Anton pointed out, we are still working on the standard, but I'm really interested to hear about the questions and challenges you encountered.

Thanks!
Eric

-----Original Message-----
From: Peter Czanik [mailto:[hidden email]]
Sent: Thursday, November 18, 2010 1:06 AM
To: [hidden email]
Subject: [CEE-DISCUSSION-LIST] CzP introduction

Re: CzP introduction

Peter Czanik
Hello,

On 11/19/2010 01:44 AM, Eric Fitzgerald wrote:
> Thank you Peter for letting us know about your project!
>  
And thank you for the CEE Overview document, that's recommended
reading now for my colleagues.

> As Anton pointed out, we are still working on the standard, but I'm really interested to hear about the questions and challenges you encountered.
>  

I have many questions in queue, but I don't want to flood the list. I'll
post one topic per e-mail and one e-mail a day, which also makes sure
that it's easy to track answers.
Bye,

--
Peter Czanik (CzP) <[hidden email]>
BalaBit IT Security / syslog-ng upstream
http://czanik.blogs.balabit.com/