If you use Splunk or other log management tool, it is possible to export the alert logs from Sucuri’s WAF directly via syslog (UDP). This option is only available for customers on the CloudProxy Enterprise plan.

Configuring Splunk

To get started, you need to go to your Splunk dashboard and setup a new data input (under Settings->Data Input). In there, choose an UDP input and create a new listener on any port you wish. This document from Splunk explains how to do so:

Receiving Sucuri Events

Once you have your Splunk dashboard configured, you need to contact Sucuri’s support team or account manager and provide them with the following information:

– IP address of your splunk server
– UDP port chosen
– Sites you wish to have the alerts forwarded

Sucuri will configure the forwarder on their end within 24 hours and start sending the alerts to your server. They will also provide their IP address to be allowed (every other should be blocked on that specific listener).

Alert format

The alerts will be send via the Syslog format, following the OSSEC alert structure:

Mar 4 13:49:29 SOURCEIP Mar 4 13:52:22 hostname ossec: Alert Level: 5; Rule: 100222 – Web server 400 error code (via POST).; Location: edgeserver->/var/log/nginx/domain.access.log; srcip: 1.2.3.4 / Country; 1.1.1.1 – – [04/Mar/2016:13:49:26 -0500] “POST / HTTP/1.1” 404 357 “http://domain” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36”

Which can be easily parsed on Splunk’s end.

 

in ConfigurationSucuri CloudProxy

0

0

Related Articles

Leave a Reply