Nemesida WAF can be integrated with external SIEM systems. To do this, event collection must be configured on every server where Nemesida WAF components are installed. There are several ways to do this.

Setting up centralized event collection using Nemesida WAF Cabinet

The Enterprise plan allows you to organize centralized collection, storage and processing of logs of all Nemesida WAF components using the capabilities of the Nemesida WAF API and Nemesida WAF Cabinet. For the Light and Business plans, the collection of events and their centralized sending to a remote server can be configured independently using standard tools, for example Rsyslog.

Centralized collection, storage and processing of logs of all Nemesida WAF components is available by default and does not require additional configuration; it is enough to update all components to the current version. After the update, the corresponding functionality appears in Nemesida WAF Cabinet. Integration of this functionality with external SIEM systems is done through the Nemesida WAF API.


Event log of the Nemesida WAF components

Setting up a centralized event collection using Rsyslog

Rsyslog is a powerful, secure and high–performance log processing system that accepts data from various sources (systems and applications). It works according to the “client-server” model, so it can be configured as a client or server for centralized logging of other servers, network devices and remote applications. Today we will configure the interaction of two servers (client and server) for centralized storage of logs of Nemesida WAF modules.

The server with the IP address 10.0.0.1 is used for example as a centralized event storage server.

Setting up a centralized event collection server
To configure rsyslog as a centralized network logging server, specify in the /etc/rsyslog.conf file the protocols (UDP, TCP or both) on which remote messages and system logs will be received, and the listening ports. TCP is preferable for a SIEM feed: UDP has no delivery confirmation and silently drops messages under load. Plain syslog does not authenticate senders, so restrict access to the listening port (for example with a firewall) to the addresses of the Nemesida WAF servers.

To listen to UDP:

module(load="imudp")
input(type="imudp" port="514")

To listen to TCP:

module(load="imtcp")
input(type="imtcp" port="514")

Specify the template for the file where events collected from the remote servers will be saved, and bind it to the local6 facility that the Nemesida WAF hosts will use when sending:

$template RemoteLogs,"/var/log/rsyslog/%HOSTNAME%/%PROGRAMNAME%.log"
local6.* ?RemoteLogs
& ~

The %HOSTNAME% and %PROGRAMNAME% properties create a separate directory for each remote host and a separate file for each tag (nginx, mla, update, mlc and nws in the client configuration below); for a host named waf01 the Nginx events end up in /var/log/rsyslog/waf01/nginx.log. The "& ~" line discards local6 messages after they have been written, so they are not duplicated in the general system log. Both properties are taken from the message exactly as the remote host sent it, which is another reason to accept connections only from trusted Nemesida WAF servers.

Setting up a remote data sending server

On the remote (sending) server no listening input is required; the protocol and port that Rsyslog will use are set in the forwarding action in /etc/rsyslog.conf that names the collection server. A single "@" forwards over UDP, a double "@@" forwards over TCP; choose the one matching the input enabled on the collection server.

To send over UDP:

local6.* @10.0.0.1:514

To send over TCP:

local6.* @@10.0.0.1:514

The per-module configuration files below use the TCP form.

Nginx

To send events of the CRITICAL and ALERT levels from the Nginx error log (the messages that otherwise go to /var/log/nginx/*error.log) to the collection server, add the following lines to the Nginx virtual host file:

server {
...
error_log syslog:server=10.0.0.1:514,facility=local6,tag=nginx crit;
...
}

For error.log, Nginx does not support selecting individual priority levels for syslog output; the last parameter of error_log is only a threshold, and every message at that level or more severe is sent. The default level is error. The crit shown above therefore forwards crit, alert and emerg messages; to also receive error-level messages, omit the level or set it to error. The tag value (nginx) becomes %PROGRAMNAME% in the file name on the collection server.

Nemesida AI MLA

For the Nemesida AI MLA module, create a configuration file /etc/rsyslog.d/nwaf/mla.conf, where we add the following lines:

# read the module log file with imfile
$ModLoad imfile
$InputFileName /var/log/nwaf/mla.log
# tag becomes %PROGRAMNAME% on the collection server
$InputFileTag mla:
# state file (in $WorkDirectory) remembering the read position across restarts
$InputFileStateFile mla_log
$InputFileSeverity error
$InputFileFacility local6
$InputRunFileMonitor

local6.* @@10.0.0.1:514

Nemesida WAF Update

For the Nemesida WAF Update service, create a configuration file /etc/rsyslog.d/nwaf/update.conf, where we add the following lines:

$ModLoad imfile
$InputFileName /var/log/nwaf/nwaf_update.log
$InputFileTag update:
$InputFileStateFile update_log
$InputFileSeverity error
$InputFileFacility local6
$InputRunFileMonitor

local6.* @@10.0.0.1:514

Nemesida AI MLC

For the Nemesida AI MLC module, create a configuration file /etc/rsyslog.d/nwaf/mlc.conf, where we add the following lines:

$ModLoad imfile
$InputFileName /var/log/nwaf/mlc.log
$InputFileTag mlc:
$InputFileStateFile mlc_log
$InputFileSeverity error
$InputFileFacility local6
$InputRunFileMonitor

local6.* @@10.0.0.1:514

Nemesida WAF Scanner

For the Nemesida WAF Scanner module, create a configuration file /etc/rsyslog.d/nwaf/nws.conf, where we add the following lines:

$ModLoad imfile
$InputFileName /var/log/nwaf/nws.log
$InputFileTag nws:
$InputFileStateFile nws_log
$InputFileSeverity error
$InputFileFacility local6
$InputRunFileMonitor

local6.* @@10.0.0.1:514

All created files must be included from the main configuration file /etc/rsyslog.conf (the default include of /etc/rsyslog.d/*.conf found on most distributions does not descend into the nwaf subdirectory):

$IncludeConfig /etc/rsyslog.d/nwaf/*.conf

Sending events to the remote server is configured with the construction @@10.0.0.1:514, where @@ selects TCP (a single @ selects UDP) and the address and port are those of the collection server. Each of the files above ends with this forwarding action, but rsyslog applies every action in the combined configuration to every message: if the line is left in all four files, each event is sent to the server four times. Keep the action in a single file (one of the files above, or a separate /etc/rsyslog.d/nwaf/forward.conf) and remove it from the others; the $ModLoad imfile directive likewise needs to appear only once. Check the resulting configuration with rsyslogd -N1 before restarting rsyslog.
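As an added example (not code from the Nemesida WAF documentation or from rsyslog), the following Python script models what the collection server does with the messages the client configuration above produces. It parses RFC 3164 syslog lines, splits the PRI value into facility and severity (local6 is facility 22, so local6.err arrives as <179>), applies the local6.* selector, expands the RemoteLogs template to the target file, and rejects hostnames or tags that could escape the per-host directory, since both are chosen by the sending host (rsyslog's securepath property option serves the same purpose in its templates). The hostnames waf01/waf02 and all sample lines are constructed.

```python
"""Model of the collection server's handling of forwarded Nemesida WAF events.

Added example for this guide (not code from Nemesida WAF or rsyslog). Parses
RFC 3164 syslog lines, applies the `local6.* ?RemoteLogs` rule and computes the
file chosen by the RemoteLogs template. Sample lines and hostnames are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# PRI = facility * 8 + severity (RFC 3164). local6 is facility 22, so a
# local6.err message carries <179> and local6.crit carries <178>.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The RemoteLogs template from the server configuration in this guide.
TEMPLATE = "/var/log/rsyslog/%HOSTNAME%/%PROGRAMNAME%.log"

# <PRI>TIMESTAMP HOSTNAME TAG[pid]: MSG
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: ?"
    r"(?P<msg>.*)$"
)
# Only plain hostnames and tags may become path components.
_SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


@dataclass
class SyslogMsg:
    facility: str
    severity: str
    host: str
    program: str   # rsyslog's %PROGRAMNAME%: the tag without [pid] and colon
    msg: str


def parse_line(line: str) -> Optional[SyslogMsg]:
    """Return the decoded message, or None for lines that are not RFC 3164."""
    m = _LINE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:           # largest valid PRI: facility 23, severity 7
        return None
    facility, severity = divmod(pri, 8)
    return SyslogMsg(FACILITIES.get(facility, f"facility{facility}"),
                     SEVERITIES[severity], m["host"], m["prog"], m["msg"])


def template_path(msg: SyslogMsg, template: str = TEMPLATE) -> str:
    """Expand the RemoteLogs template. HOSTNAME and the tag are supplied by the
    sending host, so refuse anything that could leave the per-host directory."""
    for part in (msg.host, msg.program):
        if not _SAFE_COMPONENT.match(part):
            raise ValueError(f"unsafe path component from sender: {part!r}")
    return template.replace("%HOSTNAME%", msg.host).replace("%PROGRAMNAME%", msg.program)


def route(lines, facility: str = "local6"
          ) -> Tuple[Dict[str, List[SyslogMsg]], List[SyslogMsg], List[SyslogMsg]]:
    """Apply `local6.* ?RemoteLogs` followed by `& ~`: matching messages are
    grouped by target file and dropped from further processing; other
    facilities fall through to the default rules. Unsafe senders are rejected."""
    files: Dict[str, List[SyslogMsg]] = {}
    passthrough: List[SyslogMsg] = []
    rejected: List[SyslogMsg] = []
    for line in lines:
        msg = parse_line(line)
        if msg is None:
            continue
        if msg.facility != facility:
            passthrough.append(msg)
            continue
        try:
            files.setdefault(template_path(msg), []).append(msg)
        except ValueError:
            rejected.append(msg)
    return files, passthrough, rejected


_NGINX_LEVEL = re.compile(r"\[(debug|info|notice|warn|error|crit|alert|emerg)\]")


def nginx_level(msg: SyslogMsg) -> Optional[str]:
    """nginx writes its own level into the message body; with
    `error_log syslog:... crit` only crit/alert/emerg lines reach the server."""
    m = _NGINX_LEVEL.search(msg.msg)
    return m.group(1) if m else None


# Constructed sample input resembling what the client configuration emits.
SAMPLE_LINES = [
    "<178>Mar  3 12:00:01 waf01 nginx: 2024/03/03 12:00:01 [crit] 1234#1234: "
    "*7 SSL_do_handshake() failed while SSL handshaking",
    "<179>Mar  3 12:00:02 waf01 mla: constructed line read from /var/log/nwaf/mla.log",
    "<179>Mar  3 12:00:03 waf02 update: constructed line read from /var/log/nwaf/nwaf_update.log",
    "<30>Mar  3 12:00:04 waf01 sshd[999]: Accepted publickey for ops from 192.0.2.10",
    "<179>Mar  3 12:00:05 ../../etc nws: hostname chosen by a hostile sender",
    "not a syslog line at all",
]

if __name__ == "__main__":
    files, passthrough, rejected = route(SAMPLE_LINES)
    for path, msgs in sorted(files.items()):
        for m in msgs:
            print(f"{path}: {m.severity} {m.msg}")
    print(f"{len(passthrough)} left for default rules, {len(rejected)} rejected")
```

Running the script on the constructed lines writes the Nginx crit event and the mla event under waf01, the update event under waf02, leaves the daemon.info sshd line for the default rules, and rejects the line whose hostname contains path separators. The same three paths are the files a SIEM collector would have to pick up from the server.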