log normalization #316
Comments
On Thu, 15 Nov 2018, birolemekli wrote:
> Hello there. rsyslog is my central server: Windows Server audit logs, Apache logs,
> pfSense logs. I need to normalize them. I have to normalize the web requests,
> SSH logs and audit logs and save them to different files. Then I will carry out
> the attack detection by subjecting them to correlation. How can liblognorm help me?

You use liblognorm (via the mmnormalize module in rsyslog) to parse the logs and
extract the important information into variables (held in a JSON structure in
rsyslog). This allows you to eliminate the variation in similar messages (all
login messages would produce the same variables, no matter what the original
logs looked like).

You can then use those variables in a template to send a standard ('normalized')
log to something that keeps track of that sort of event.

David Lang
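To make the two steps in the reply above concrete, here is an added example; it is not code from this thread, from liblognorm or from rsyslog. It is a small Python stand-in for what an mmnormalize rulebase plus an rsyslog template do: a list of rules (regexes here, where a real rulebase would use liblognorm's `rule=tag:...` syntax) extracts fields from each line, every parsed line is mapped onto one common event schema, the normalized records are routed into per-event-type outputs, and a trivial correlation then runs over the uniform records. All sample log lines are constructed for the example: the sshd and Apache lines follow those programs' real formats, the pfSense line follows the documented filterlog CSV field order, and the Windows line is a simplified made-up rendering of event IDs 4624/4625 rather than any particular forwarding agent's format. The tag names, schema field names and function names are the example's own choices.

```python
"""Toy normalizer: map heterogeneous syslog lines onto one event schema,
then route and correlate them, the way mmnormalize + a template would."""
import json
import re
from collections import defaultdict

# Rules: (tag, regex with named groups). A liblognorm rulebase does the
# same job with 'rule=tag:pattern' lines; plain regexes are used here so
# the example runs without rsyslog.
RULES = [
    ("ssh.login.ok", re.compile(
        r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src_ip>\S+)")),
    ("ssh.login.fail", re.compile(
        r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+)")),
    # Simplified, constructed Windows rendering (not a specific agent's format).
    ("win.login.ok", re.compile(
        r"EventID=4624 .*Account Name: (?P<user>\S+) .*Source Network Address: (?P<src_ip>\S+)")),
    ("win.login.fail", re.compile(
        r"EventID=4625 .*Account Name: (?P<user>\S+) .*Source Network Address: (?P<src_ip>\S+)")),
    # Apache combined log format as it arrives inside a syslog message.
    ("apache.access", re.compile(
        r'(?P<src_ip>\d+\.\d+\.\d+\.\d+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
        r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)')),
    # pfSense filterlog: the whole CSV payload is captured and split below.
    ("pfsense.filterlog", re.compile(r"filterlog: (?P<csv>\S+)")),
]

# Constructed sample input (labelled constructed; see lead-in).
SAMPLE_LINES = [
    "Nov 18 10:00:01 web1 sshd[2211]: Accepted password for alice from 10.0.0.5 port 51000 ssh2",
    "Nov 18 10:00:02 web1 sshd[2212]: Failed password for invalid user admin from 203.0.113.9 port 51001 ssh2",
    "Nov 18 10:00:03 web1 sshd[2213]: Failed password for root from 203.0.113.9 port 51002 ssh2",
    "Nov 18 10:00:04 dc1 Security EventID=4625 An account failed to log on. Account Name: admin Logon Type: 3 Source Network Address: 203.0.113.9",
    "Nov 18 10:00:05 dc1 Security EventID=4624 An account was successfully logged on. Account Name: alice Logon Type: 3 Source Network Address: 10.0.0.5",
    'Nov 18 10:00:06 web1 apache2: 203.0.113.9 - - [18/Nov/2018:10:00:06 +0300] "GET /wp-login.php HTTP/1.1" 401 512 "-" "curl/7.61.0"',
    "Nov 18 10:00:07 fw1 filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,203.0.113.9,192.0.2.10,51003,22,0,S,,,,,",
    "Nov 18 10:00:08 web1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse(line):
    """Return (tag, fields) for the first matching rule, or (None, {})."""
    for tag, rx in RULES:
        m = rx.search(line)
        if m:
            return tag, m.groupdict()
    return None, {}


def normalize(line):
    """Map one raw line onto the common schema: event, source, outcome, user, src_ip."""
    tag, f = parse(line)
    rec = {"event": "unparsed", "source": None, "outcome": None,
           "user": None, "src_ip": None, "tags": [tag] if tag else []}
    if tag is None:
        rec["raw"] = line          # keep unparsed lines; never silently drop them
        return rec
    source, kind, outcome = (tag.split(".") + [None])[:3]
    rec["source"] = source
    if kind == "login":            # sshd and Windows logons become identical records
        rec.update(event="login", user=f["user"], src_ip=f["src_ip"],
                   outcome="success" if outcome == "ok" else "failure")
    elif kind == "access":
        status = int(f["status"])
        rec.update(event="web_request", src_ip=f["src_ip"], uri=f["uri"], status=status,
                   user=None if f["user"] == "-" else f["user"],
                   outcome="success" if status < 400 else "failure")
    elif kind == "filterlog":
        p = f["csv"].split(",")    # IPv4 filterlog field order: iface=4, action=6,
        rec.update(event="firewall", src_ip=p[18], dst_ip=p[19], dst_port=p[21],
                   iface=p[4], direction=p[7], proto=p[16],
                   outcome="pass" if p[6] == "pass" else "block")
    return rec


def route(lines):
    """Group normalized JSON records by event type (one 'file' per type)."""
    out = defaultdict(list)
    for line in lines:
        rec = normalize(line)
        out[rec["event"]].append(json.dumps(rec, sort_keys=True))
    return dict(out)


def failed_logins_by_ip(lines):
    """Correlation over the uniform records: failed logins per source IP,
    regardless of whether sshd or Windows reported them."""
    counts = defaultdict(int)
    for line in lines:
        rec = normalize(line)
        if rec["event"] == "login" and rec["outcome"] == "failure":
            counts[rec["src_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for event, records in route(SAMPLE_LINES).items():
        print(f"--- {event} ---")
        print("\n".join(records))
    print("failed logins by ip:", failed_logins_by_ip(SAMPLE_LINES))
```

The point to carry over to a real rsyslog setup is the shape, not the regexes: once every login, whatever its origin, yields the same `user`, `src_ip` and `outcome` variables, the correlation step needs no knowledge of Windows or sshd formats, and an unparsed line still lands in its own output instead of disappearing.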
On Sun, 18 Nov 2018, birolemekli wrote:
> I would like to improve myself in the SIEM area. I collected Windows Server, pfSense and web server logs with syslog.
> I need to get the log files in the same format.
>
> Windows Server Audit Logs
> <img width="1251" alt="screenshot" src="https://user-images.githubusercontent.com/43793262/48676511-06a75580-eb79-11e8-914d-1be01fb61b65.png">
>
> Web Apache Logs
> <img width="1144" alt="screenshot" src="https://user-images.githubusercontent.com/43793262/48676519-1aeb5280-eb79-11e8-8827-bb82af120dec.png">
>
> Firewall pfSense Logs
> <img width="905" alt="screenshot" src="https://user-images.githubusercontent.com/43793262/48676524-2179ca00-eb79-11e8-8743-fbd2e1c0f4ea.png">
>
> Logs are saved in this way. I don't want to record more logs here.
> The Windows Server log is meaningless. I just want to make it simpler.
> Then I will be able to make corrections and attack detection through these logs.
> I need your help on this.
> Can liblognorm do this?

Yes.

> Can you help me?

What sort of help are you looking for?
Are you looking to hire someone to do this work for you?
Or are you looking for help learning how to configure the tools?

David Lang