Nemesida WAF can be integrated with external SIEM systems. To do this, the first step is to configure, using Rsyslog, the collection of events from all servers where Nemesida WAF is installed.
The Enterprise plan allows you to organize centralized collection, storage and processing of logs of all Nemesida WAF components using the capabilities of the Nemesida WAF API. For for Light and Business plans, the collection of events and their centralized sending to a remote server can be configured independently using standard tools, for example,
Rsyslog.
Rsyslog is a powerful, secure and high–performance log processing system that accepts data from various sources (systems and applications). It works according to the “client-server” model, so it can be configured as a client or server for centralized logging of other servers, network devices and remote applications. Today we will configure the interaction of two servers (client and server) for centralized storage of logs of Nemesida WAF modules.
The server with the IP address
10.0.0.1is used for example as a centralized event storage server.
Setting up a centralized event collection server
To configure rsyslog as a network centralized logging server, you need to install protocols (UDP, TCP or both) in the /etc/rsyslog.conf file, which will be used to receive remote messages, system logs, as well as listening ports.
To listen to UDP:
module(load="imudp") input(type="imudp" port="514")
To listen to TCP:
module(load="imtcp") input(type="imtcp" port="514")
Specify the location of the file where the events collected from the remote server will be saved:
$template RemoteLogs,"/var/log/rsyslog/%HOSTNAME%/%PROGRAMNAME%.log" local6.* ?RemoteLogs & ~
The parameters %HOSTNAME% and %PROGRAMNAME%.log allow you to create directories with logs for each remote server from which events are received.
Setting up a remote data sending server
In the file /etc/rsyslog.confRsyslog during operation.
To listen to UDP:
module(load="imudp") input(type="imudp" port="514")
To listen to TCP:
module(load="imtcp") input(type="imtcp" port="514")
Nginx
To collect events with the CRITICAL and ALERT levels from Nginx error logs (files /var/log/nginx/*error.log), add the following lines to the Nginx virtual host file:
server {
...
error_log syslog:server=10.0.0.1:514,facility=local6,tag=nginx;
...
}
In Nginx, for logs
error.log, the output of events insyslogwith the required priority level is not supported, you can only specify the threshold starting from which events will be transmitted tosyslog. The default level isERROR.
Nemesida AI MLA
For the Nemesida AI MLA module, create a configuration file /etc/rsyslog.d/nwaf/mla.conf, where we add the following lines:
$ModLoad imfile $InputFileName /var/log/nwaf/mla.log $InputFileTag mla: $InputFileStateFile mla_log $InputFileSeverity error $InputFileFacility local6 $InputRunFileMonitor 10.0.0.1 local6.* @@10.0.0.1:514
Nemesida WAF Update
For the Nemesida WAF Update service, create a configuration file /etc/rsyslog.d/nwaf/update.conf, where we add the following lines:
$ModLoad imfile $InputFileName /var/log/nwaf/nwaf_update.log $InputFileTag update: $InputFileStateFile update_log $InputFileSeverity error $InputFileFacility local6 $InputRunFileMonitor 10.0.0.1 local6.* @@10.0.0.1:514
Nemesida AI MLC
For the Nemesida AI MLC module, create a configuration file /etc/rsyslog.d/nwaf/mlc.conf, where we add the following lines:
$ModLoad imfile $InputFileName /var/log/nwaf/mlc.log $InputFileTag mlc: $InputFileStateFile mlc_log $InputFileSeverity error $InputFileFacility local6 $InputRunFileMonitor 10.0.0.1 local6.* @@10.0.0.1:514
Nemesida WAF Scanner
For the Nemesida WAF Scanner module, create a configuration file /etc/rsyslog.d/nwaf/nws.conf, where we add the following lines:
$ModLoad imfile $InputFileName /var/log/nwaf/nws.log $InputFileTag nws: $InputFileStateFile nws_log $InputFileSeverity error $InputFileFacility local6 $InputRunFileMonitor 10.0.0.1 local6.* @@10.0.0.1:514
All created files must be used in the main configuration file /etc/rsyslog.conf:
$IncludeConfig /etc/rsyslog.d/nwaf/*.conf
To configure sending events to a remote server, you must specify the IP address and destination port using the construction: @@10.0.0.1:514.