Hello guys,
I have a Graylog environment receiving logs from my SentinelOne XDR console, but I am not able to parse the logs. The logs received are CEF2.
Here is a sample of the logs received:
20:34:57,360 sentinel - CEF:2|SentinelOne|Mgmt|ip=20.20.21.22|eventID=5126|eventDesc=SentinelOne: Device Control connected USB Microsoft Microsoft® LifeCam HD-3000 on PC-01 (kdbuu)|eventSeverity=1|rt=2022-07-11 20:33:24.267876|endpointDeviceControlRuleId=1397004722801134701 |endpointDeviceControlInterface=USB |endpointDeviceControlClass=01h|endpointDeviceControlVendor=45E|endpointDeviceControlProduct=779|endpointDeviceControlSerial=|endpointDeviceControlDeviceName=Microsoft Microsoft® LifeCam HD-3000|endpointDeviceControlBluetoothVersion=N/A|endpointDeviceControlBluetoothMinorClass=N/A|deviceRuleBluetoothLmpVersion=N/A|endpointDeviceControlBluetoothProfileUuids=N/A|endpointDeviceControlEventType=connected|bluetoothAddress=|gattServices=|manufacturerName=|deviceInformationServiceInfoKey=|deviceInformationServiceInfoValue=|cat=EndpointDeviceControlEvent|sourceAgentLastActivityTimestamp=2022-07-11 20:33:20.038312|sourceAgentRegisterTimestamp=2022-06-22 14:38:27.797086|sourceNetworkState=connected|sourceOsRevision=22000|sourceOsType=windows|sourceAgentUuid=9c63d05b65ce44298738e8a9dbabb3b3|sourceFqdn=PC01.LOCAL|sourceThreatCount=0|sourceMgmtPrecievedAddress=20.20.21.22|sourceDnsDomain=LOCAL|sourceHostName=PC-1|sourceUserName=kdbuuu|sourceUserId=S-1-5-21-2801299722-746852668-3695822339-4257|sourceAgentId=1448544056058951621|sourceGroupId=1301316714008478194|sourceGroupName=Default Group|sourceIpAddresses=[‘192.168.0.124’, ‘fe80::70b3:8760:77a8:e992’]|sourceMacAddresses=[‘34:64:a9:00:2f:ce’]|activityID=1462493442640841981|activityType=5126|siteId=1713983312369|siteName=AV01 - BRAZIL|accountId=672373269|accountName=SITE LOCAL|notificationScope=SITE
Hi!
I already tried to configure an INPUT of the CEF UDP type, but the logs do not appear!!
When I configure the input with SYSLOG UDP they appear but without the parser.
Do you have any idea why CEF UDP doesn’t work?
Not sure how you configured that input, BUT you should have seen something on CEF UDP since the logs that are shipped are in CEF. Curious: when you had the CEF UDP input configured and did not see logs appear, by chance did you try a tcpdump on Graylog? This should have shown more info on what was happening.
Not sure, we would need to see more info on what you're seeing. Right now I'm taking a guess.
Check if ports are correct on the INPUT (input port config matches the sender's port).
If a firewall is enabled, ensure the CEF UDP port is opened.
Check date/time.
Check that the configuration on CEF UDP is correct.
Use a different CEF input.
I’m just guessing at this point. Don’t have any clue how you configured your setup.
Hello,
Firewall rules are ok! The logs are arriving on UDP port 5555 and I see the requests in tcpdump!
I configured the input for RAW/Plaintext UDP on port 5555 and the logs are being seen in Graylog, but without a parser.
You could try an extractor on the input, but I'm not sure that would help. I can modify and create, but as far as removing parts of the logs being sent and modifying them before the INPUT, I have not done that. I have had to adjust how logs were sent to correspond to the input used.
Maybe if @tmacgbay is around he may have an idea using a pipeline.
What doesn't seem right is why the CEF input is there, because that type of log message is being sent. I looked in GitHub and saw other issues with the CEF input, but those were for older versions of GL.
I am using a Syslog-TCP-Input with this pipeline-rule:
rule "Sentinelone Process CEF"
when
  // Only handle syslog messages that carry a CEF payload (third argument = ignore case).
  // Match the version prefix your console actually sends; the sample earlier in this thread starts with "CEF:2".
  contains(to_string($message.message), "CEF:0", true)
then
  // Strip the syslog prefix: capture everything from "CEF:" to the end of the line.
  // regex() returns a map keyed by capture-group number, so "0" is the first group.
  let result = regex("(CEF:.*)$", to_string($message.message));
  set_field("pure_cef", result["0"]);
  // Parse the bare CEF string into message fields (false = keep the short CEF key names).
  set_fields(parse_cef(to_string($message.pure_cef), false));
  // Replace the original message with the bare CEF payload and drop the helper field.
  set_field("message", $message.pure_cef);
  remove_field("pure_cef");
end
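To make visible what the sample line at the top of the thread actually contains, and what the pipeline rule above does before handing the string to parse_cef, here is an added Python example (not code from the thread, from Graylog or from SentinelOne). It uses a constructed, shortened copy of the posted sample line, strips the syslog prefix with the same "(CEF:.*)$" regex the rule uses, then splits the remainder on "|" and treats every "key=value" section as a field. Note that the posted line has only three pipe-delimited header sections (CEF:2, SentinelOne, Mgmt) followed by pipe-separated key=value pairs, whereas standard CEF has seven header sections followed by space-separated extensions; the leading_header_sections helper counts those header sections so you can check what a given feed looks like. Values containing a literal "|" would be split incorrectly by this simple approach, which is noted in the code.

```python
import re
from typing import Dict, List, Optional, Union

# Constructed sample: an abbreviated copy of the line format posted in the thread.
# The curly quotes in the list values are reproduced as they appear in the post.
SAMPLE = (
    "20:34:57,360 sentinel - CEF:2|SentinelOne|Mgmt|ip=20.20.21.22|eventID=5126"
    "|eventDesc=SentinelOne: Device Control connected USB Microsoft LifeCam HD-3000 on PC-01 (kdbuu)"
    "|eventSeverity=1|rt=2022-07-11 20:33:24.267876|endpointDeviceControlSerial="
    "|sourceIpAddresses=[\u2018192.168.0.124\u2019, \u2018fe80::70b3:8760:77a8:e992\u2019]"
    "|sourceMacAddresses=[\u201834:64:a9:00:2f:ce\u2019]"
    "|cat=EndpointDeviceControlEvent|notificationScope=SITE"
)

# Same capture as the pipeline rule's regex("(CEF:.*)$", ...): everything from "CEF:" to end of line.
CEF_PAYLOAD = re.compile(r"(CEF:.*)$")

FieldValue = Union[str, List[str]]


def extract_cef(line: str) -> Optional[str]:
    """Return the bare CEF payload of a syslog line, or None if the line carries no CEF payload."""
    match = CEF_PAYLOAD.search(line)
    return match.group(1) if match else None


def leading_header_sections(cef: str) -> int:
    """Count the pipe-delimited sections before the first key=value section.

    Standard CEF has 7 such header sections; the posted SentinelOne line has 3.
    """
    count = 0
    for section in cef.split("|"):
        if "=" in section:
            break
        count += 1
    return count


def parse_list_value(value: str) -> List[str]:
    """Turn "[‘a’, ‘b’]" (straight or curly quotes) into ["a", "b"]."""
    inner = value[1:-1]
    items = [item.strip().strip("'\"\u2018\u2019") for item in inner.split(",")]
    return [item for item in items if item]


def parse_s1_cef(cef: str) -> Dict[str, FieldValue]:
    """Parse the pipe-separated SentinelOne CEF payload into a field dictionary.

    Limitation (deliberate, for clarity): a literal "|" inside a value would be split too,
    because the format gives no escaping rule to rely on.
    """
    sections = cef.split("|")
    version = sections[0].split(":", 1)[1] if ":" in sections[0] else ""
    fields: Dict[str, FieldValue] = {
        "cef_version": version,
        "device_vendor": sections[1] if len(sections) > 1 else "",
        "device_product": sections[2] if len(sections) > 2 else "",
    }
    for section in sections[3:]:
        if "=" not in section:
            continue  # not a key=value section; skipped rather than guessed at
        key, _, value = section.partition("=")
        key, value = key.strip(), value.strip()
        if value.startswith("[") and value.endswith("]"):
            fields[key] = parse_list_value(value)
        else:
            fields[key] = value  # empty values (e.g. "...Serial=") are kept as ""
    return fields


def parse_line(line: str) -> Optional[Dict[str, FieldValue]]:
    """Full path, mirroring the pipeline rule: strip the syslog prefix, then parse the payload."""
    cef = extract_cef(line)
    return parse_s1_cef(cef) if cef is not None else None


if __name__ == "__main__":
    parsed = parse_line(SAMPLE)
    print("header sections:", leading_header_sections(extract_cef(SAMPLE)))
    for name, val in (parsed or {}).items():
        print(f"{name} = {val!r}")
```

Run it as-is to see the field breakdown of the sample; the header-section count is the quickest way to tell whether a feed is laid out like standard CEF or like the SentinelOne line posted here.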