Currently we have integrated all the cloud application components into the Graylog "All Messages" stream, i.e., HiveMQ, API Gateway, Vault, Service Provisioning, etc. From there we have created another stream with stream rules (message contains "unauthorized") to filter the required logs and configured the syslog output to send these filtered logs to another SIEM tool. (We are not sending all the logs to the SIEM tool.)
For each application we have different components, for example API Gateway: API-Gateway-xxx1, API-Gateway-xxx2, API-Gateway-xxx3 (source names).
When the DevOps team does a deployment these components change to API-Gateway-xxx5, API-Gateway-xxx6, API-Gateway-xxx7.
When we do configurations in our SIEM tool we use the above source names as identifiers; if they change, our SIEM tool reads those components' logs as unknown. This is the problem we are facing.
When we checked with the DevOps team about making the source names static, they confirmed that is not possible at this moment. Is it possible to change the source name to a static one at the time of sending the logs to the SIEM tool?
Is it possible to send logs directly to the syslog output server by using pipeline rules?
Is there any better solution to fix this? Please suggest.
Just a suggestion. Not sure how you ingest syslog/messages, but I would create an extractor and/or pipeline that only filters any name called API-Gateway-*. Then send all messages to your SIEM tool.
This is an example of what I did for Graylog access. Basically, users logging in to my Graylog web interface: since Graylog started using UUIDs I had to come up with a way to extract the UUID and match it with the user name from the messages and place them in a unique stream for alerts. This might give you an idea for your problem.
We are ingesting the logs in GELF TCP format in Graylog.
It is not working, actually. While sending messages to the SIEM tool from Graylog I have to change the source name.
This log is from our SIEM tool:
11>Mar 25 01:17:17 **hivemq-0.**hivemq-svc.default.svc.cluster.local - - 01:17:17.761 [hivemq-callback-executer] ERROR-deviceMqttSubscribeTopics:null is not valid for deviceId:12345789a
Here hivemq-0 changes to hivemq-1, hivemq-2, etc.
**hivemq-0.**hivemq-svc.default.svc.cluster.local is what the SIEM tool reads as the identifier. Once I give the identifier, the SIEM tool reads the log as known and parses it; if it changes, the SIEM tool reads it as unknown.
Is there any way to change the source name while sending the messages?
I tried changing the syslog output to Plain, Structured, CEF and Full message; it did not work.
Can you show us this configuration?
I was assuming you were talking about managing the Outputs on the stream.
If I'm correct, it sounds like you're talking about your INPUT.
What's not working? The GELF TCP input?
Sorry but I’m unfamiliar with SIEM tools.
Send message through Outputs on the stream to SIEM tools?
It is possible to change “source” name either through extractors or pipelines.
It's hard to troubleshoot your issue without more information.
You can find more information here that will help other community members understand your issue.
Then they will be more likely to join in to help.
The input is working fine; the logs/messages are received in Graylog through GELF TCP on port 12201. My idea is to send the messages from Graylog to the other SIEM tool through the syslog output on port 514. We are sending only the interesting events, filtering messages from the All Messages stream. The problem I am getting is with sending messages through Outputs on the stream to another SIEM tool.
Will it be possible to change / replace the source name while sending the messages to the other SIEM tool?
Now I understand. Sorry, it's been a long week here at work; I'm a little slow.
Change the source name "while sending the message"? I don't think so, unless someone here has done it, but I haven't seen it yet.
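One way to do what the earlier suggestion about pipelines describes, as an added example that is not from any post in this thread: a Graylog pipeline rule that rewrites `source` to a pod-independent name before the stream's syslog output picks the message up. It assumes the rule is attached to a pipeline connected to the stream that feeds the SIEM output, that Graylog's `regex_replace` function is available (Graylog 3.x and later), and the component prefixes (hivemq, API-Gateway) named in this thread; `original_source` is a field name chosen here.

```text
rule "siem: stable source name for numbered pods"
when
  // Only rewrite sources of the known components that carry a numeric
  // pod/replica suffix in their first label, e.g.
  //   hivemq-0.hivemq-svc.default.svc.cluster.local
  //   API-Gateway-xxx1
  // Extend the (hivemq|api-gateway) allow-list for your other components;
  // an allow-list avoids accidentally rewriting static hosts such as db-01.
  has_field("source") &&
  regex("(?i)^(hivemq|api-gateway)-[A-Za-z]*\\d+(\\.|$)",
        to_string($message.source)).matches == true
then
  let original = to_string($message.source);

  // Keep the per-pod name so it is still searchable in Graylog and the
  // rewrite can be audited; only the copy sent onward is normalised.
  set_field("original_source", original);

  // Strip the "-0" / "-xxx1" suffix from the first label only:
  //   hivemq-0.hivemq-svc.default.svc.cluster.local
  //     -> hivemq.hivemq-svc.default.svc.cluster.local
  //   API-Gateway-xxx1 -> API-Gateway
  // $1 is the component name captured before the suffix; replace_all=false
  // so only the leading label is touched.
  let stable = regex_replace("^([A-Za-z][A-Za-z-]*?)-[A-Za-z]*\\d+",
                             original, "$1", false);
  set_field("source", stable);
end
```

A pipeline rule cannot write to a syslog output itself; delivery still happens through the stream's output, which runs after message processing, so the rewritten `source` is what the SIEM receives as the syslog hostname. Check the rule on the simulator (System > Pipelines > Simulate) with one of the real messages before connecting it to the stream.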