ePO can forward received threat events directly to a syslog server, which is defined in ePO as a Registered Server. This article guides you through setting up a syslog environment for use in testing.

NOTE: This article isn't intended for troubleshooting issues when forwarding events to an existing syslog server. Instead, the aim is to help in setting up a simple, free syslog environment for testing and evaluation purposes.

Prerequisites
Before you begin, you must have ePO 5.9.0 or later installed.

The following software is needed:

• A hypervisor capable of running the virtual machine, such as VMWare Player or VirtualBox.
• Bitnami Elk Stack: A bundled implementation of three syslog components, delivered as a virtual machine (VM).
  
  ​NOTE: At the time of writing this article (July 2023), the current version of Bitnami is 8.8.2-0.

1. Deploying and configuring the Bitnami ELK VM:  

• Download the Bitnami Elk Stack VM, and deploy it in your environment.
• Power on the VM.
• On the logon screen, the username and randomly generated password for the default Kibana user is displayed. Make a note of the password, as it's needed later (unless you decide to change it during the installation).
• By default, the IP address is set via DHCP. Make a note of the IP address that's displayed on the logon screen.
• Log on to the VM using the default username bitnami. The password is bitnami.
• You're prompted to choose a new password for the bitnami user. Choose a secure password.

 

1. To enable root logon, run the following command and press Enter, and confirm a new secure password:
   
   sudo passwd root
    
2. To enable ssh, run the following commands:

3. Enable root ssh access:
   1. Edit /etc/ssh/sshd_config:
      
      sudo nano /etc/ssh/sshd_config
       
   2. Locate the line that starts with PermitRootLogin.
   3. Change no to yes. The final line should read as follows:
      
      PermitRootLogin yes
       
   4. Locate the line that starts with PasswordAuthentication, and change no to yes.
   5. Locate the line that starts with ChallengeResponseAuthentication, and again change no to yes.
   6. Save the file.
   7. To restart the ssh server, run the following command:
      
      sudo systemctl restart ssh

1. Edit /etc/hostname, and update it with the required host name.
2. Edit /etc/hosts, and update it with the required host name for the 127.0.0.1 entries.
3. To restart the VM and apply the changes, run the following command:
   
   sudo shutdown -r now

 

2. Create a self-signed certificate:

1. Log back into the VM using the bitnami user.
2. Run the following commands:
   
   sudo mkdir /opt/bitnami/logstash/ssl
   cd /opt/bitnami/logstash/ssl
   sudo openssl req -x509 -days 3650 -nodes -newkey rsa:2048 -keyout logstash-remote.key -out logstash-remote.crt
    
3. When prompted, enter the details for the certificate. Set the common name to the fully qualified domain name (FQDN) of the VM.
4. To change the permissions on the key file and allow logstash to read it, type the following command:
   
   sudo chmod 644 logstash-remote.key

 

3. Configure the syslog receiver (logstash):

1. Edit the file /opt/bitnami/logstash/pipeline/logstash.conf.
2. Edit the tcp section as follows:

3. Edit the output section as follows:
   
   output {  
     elasticsearch {
       hosts => ["127.0.0.1:9200"]
       document_id => "%{LOGSTASH_CHECKSUM}"
       index => "eposyslog-%{+YYYY.MM.dd}"
     }
   }

4. Save the file.
5. Edit the nftables firewall config file to allow inbound connections to port 6514:
   
   sudo nano /etc/nftables.conf
    
6. Locate the line that starts with tcp dport and add 6514 to the list of ports. The final line should read as follows:
   
   tcp dport { 22, 80, 443, 6514 } accept
    
7. Save the file.
8. Run the following command to restart the firewall:
   
   sudo systemctl restart nftables.service
    

1. As mentioned previously, when you install the VM, it's configured with a random password for the default user account. If you want to change the password, run the following command:
   
   sudo /opt/bitnami/apache2/bin/htpasswd -c /opt/bitnami/kibana/config/password user
    
2. Enter a new password when prompted.
3. To restart logstash, type the following command:
   
   sudo /opt/bitnami/ctlscript.sh restart logstash

4. Configure ePO to use the new server:

1. Log on to the ePO console.
2. Navigate to Menu, Configuration, Registered Servers.
3. Click New Server.
4. From the Server type menu on the Description page, select Syslog Server.
5. Specify a unique name and any details, and then click Next.
6. From the Registered Server Builder page, configure the following settings:​

• Server name - Enter the IP address of the syslog server.
• TCP port number - Enter 6514.
• Enable event forwarding - This option enables event forwarding from the Agent Handler to this syslog server.

7. Click Test Connection. This action verifies the connection to your syslog server. You now see the following message:
   
   Syslog connection success
    
8. Click Save.

5. You can now access the syslog server using a web browser.

1. Enter the IP address noted in Step A into the browser URL. 
2. You're prompted to log on. Use the default user for the username and the random password noted in step A. 
   
   NOTE: If you've reset the password in optional step 3, make sure that you use that password, and not the random one noted at the start.
   
   The Elastic homepage is displayed with the Start by adding integrations dialog box.
    
3. Click the Explore on my own link.
4. Click the menu icon at the top-left corner, scroll down, and select Stack Management.
5. Under Data, select Index Management. On the Indices tab, you should see at least one index called eposyslog-<date>
   Here, <date> is the current date.
6. Under Kibana, select Data Views. Click Create Data View.
7. Configure the data view:

1. Enter a name. For example, ePO Syslog.
2. In the Index Pattern field, enter eposyslog*
3. In the Timestamp field, select @timestamp.

8. Click Save data view to kibana.
9. To view the received syslog events, from the menu at the top-left corner, select Discover.
   
   You now see at least one event displayed with the following message:
   
   If you can see this, ePO has successfully tested the connection to your syslog receiver.

You have now configured a syslog environment for use with ePO.