Welcome to the Aanval Wiki. Snort, Suricata and Syslog Intrusion Detection, Situational Awareness and Risk Management.

Visit http://www.aanval.com/ for more information.

Aanval:Syslog Mirroring

From Aanval Wiki

Syslog Mirroring outputs a stream of Aanval-imported events as user-defined UDP packets to a specific host and port, allowing users to monitor Aanval activity and to duplicate or store Aanval log data on another system. Because the packets are plain UDP syslog, they are unauthenticated, unencrypted and not guaranteed to arrive: send them only to a collector you control on a trusted network segment, and remember that any variable you place in the format, including ^payload^, leaves the console in the clear.

Getting Started

  1. Navigate to Configuration > Console Configuration > Preferences, and scroll to Syslog Mirroring.
  2. Enable mirroring by checking the box next to Syslog Mirroring Enabled.
  3. Enter the Mirror Host Address, the host to which the packets will be sent.
  4. Enter the Mirror Host Port. The default and most commonly used port is 514.
  5. Enter the Mirror Data Format. Plain text is sent as-is; to include a value from the event, enclose the variable name in ^ symbols. For example, to output the source IP and risk level of every event at the time it occurs, enter the following text in the Mirror Data Format field:

     Source IP ^sip^ and Risk Level ^priority^ for event occurring on Sensor ^sensor^ on ^timestamp^

  6. Click Update at the bottom of the page to commit all changes.

Below is a full listing of the variables that can be captured and output, grouped by the part of the event they come from. (The example above also uses ^timestamp^, which does not appear in this listing.)

General
  class, className, customGrouping, dport, eventID, gid, id, payload, priority, protocol, sensor, signature

Header
  hdr_ack, hdr_code, hdr_csum, hdr_flags, hdr_id, hdr_len, hdr_off, hdr_res, hdr_seq, hdr_type, hdr_urp, hdr_win

IP
  dip, dip_ipv6, ip_csum, ip_hlen, ip_id, ip_len, ip_off, ip_tos, ip_ttl, ip_ver, sip, sip_ipv6

Optional
  opt_code, opt_data, opt_len, opt_proto
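The following Python script is an added example, not part of this wiki page or of Aanval itself. It shows both ends of the mechanism described above: rendering a Mirror Data Format string by substituting ^variable^ placeholders from an event, sending the result as a single UDP datagram, and, on the collector side, turning the same format string into a regular expression so the fields can be recovered from the received text. The event values are constructed for the demo; the field names follow the listing above (plus ^timestamp^ from the example). How Aanval treats a placeholder that names an unknown variable is not documented here, so the script's choice to leave such a placeholder in the output untouched is an assumption.

```python
import re
import socket

# Constructed sample event (values invented for this demo). Field names
# follow the Aanval variable listing, plus "timestamp" from the page's example.
SAMPLE_EVENT = {
    "sip": "203.0.113.7",
    "dip": "192.0.2.10",
    "dport": "22",
    "priority": "1",
    "sensor": "sensor-01",
    "timestamp": "2014-05-01 12:34:56",
    "signature": "ET SCAN Potential SSH Scan",
}

# The Mirror Data Format string from the wiki page's example.
MIRROR_FORMAT = ("Source IP ^sip^ and Risk Level ^priority^ for event "
                 "occurring on Sensor ^sensor^ on ^timestamp^")

# A placeholder is a variable name enclosed in ^ symbols, as the page describes.
PLACEHOLDER = re.compile(r"\^([A-Za-z_][A-Za-z0-9_]*)\^")


def render_mirror_format(template, event):
    """Substitute every ^name^ placeholder with the event's value for name.

    Assumption (not stated on the page): a placeholder naming a variable the
    event does not carry is left in the output untouched, so a typo in the
    format shows up in the mirrored message instead of being silently dropped.
    """
    def substitute(match):
        name = match.group(1)
        return str(event[name]) if name in event else match.group(0)
    return PLACEHOLDER.sub(substitute, template)


def template_to_regex(template):
    """Compile a Mirror Data Format into a regex with one named group per
    placeholder so a collector can parse the fields back out of the text.

    Literal text between placeholders is escaped, each field matches
    non-greedily, and a variable that appears twice in the format becomes a
    backreference so both occurrences must agree.
    """
    pattern, pos, seen = "", 0, set()
    for match in PLACEHOLDER.finditer(template):
        pattern += re.escape(template[pos:match.start()])
        name = match.group(1)
        if name in seen:
            pattern += "(?P=%s)" % name
        else:
            pattern += "(?P<%s>.+?)" % name
            seen.add(name)
        pos = match.end()
    pattern += re.escape(template[pos:])
    return re.compile("^" + pattern + "$")


def parse_mirrored_message(template, message):
    """Return a dict of field values, or None if the line does not fit the format."""
    match = template_to_regex(template).match(message)
    return match.groupdict() if match else None


def send_mirror(message, host, port):
    """Emit one mirrored event as a single UDP datagram.

    UDP syslog carries no authentication, encryption or delivery guarantee;
    point this only at a collector on a trusted segment.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (host, port))


def loopback_demo():
    """Bind a throwaway collector on 127.0.0.1, mirror one event to it, parse it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as receiver:
        receiver.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        receiver.settimeout(2)
        port = receiver.getsockname()[1]
        send_mirror(render_mirror_format(MIRROR_FORMAT, SAMPLE_EVENT), "127.0.0.1", port)
        data, _ = receiver.recvfrom(65535)
        return parse_mirrored_message(MIRROR_FORMAT, data.decode("utf-8"))


if __name__ == "__main__":
    print(render_mirror_format(MIRROR_FORMAT, SAMPLE_EVENT))
    print(loopback_demo())
```

Run the script directly to see the rendered message and the parsed fields come back through a local UDP round trip. The regex built by template_to_regex only recovers fields reliably when the literal text between placeholders is distinctive; two placeholders separated by nothing but a space will split ambiguously if a value itself contains spaces (as ^signature^ or ^payload^ often do), so put such variables last or surround them with unambiguous delimiters in the format.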

See Also