Nemesida WAF can be integrated with external SIEM systems. The first step is to use Rsyslog to configure centralized collection of events from all servers on which Nemesida WAF is installed.

Rsyslog is a powerful, secure and high-performance log processing system that accepts data from various sources (systems and applications). It works according to the client-server model, so it can be configured either as a client or as a server for centralized logging of other servers, network devices and remote applications. Below we configure the interaction of two servers (a client and a server) for centralized storage of the logs of the Nemesida WAF modules.

In the examples, the server with the IP address 10.0.0.1 acts as the centralized event storage server.

Setting up a centralized event collection server

To configure rsyslog as a centralized network logging server, enable in the /etc/rsyslog.conf file the protocol (UDP, TCP or both) that will be used to receive remote messages and system logs, together with the ports to listen on.
To listen on UDP:

module(load="imudp")
input(type="imudp" port="514")

To listen on TCP:

module(load="imtcp")
input(type="imtcp" port="514")

Specify the location of the file in which the events collected from the remote servers will be saved:

# one file per remote host and program; "& ~" discards the event after it has been written
$template RemoteLogs,"/var/log/rsyslog/%HOSTNAME%/%PROGRAMNAME%.log"
local6.* ?RemoteLogs
& ~

The %HOSTNAME% and %PROGRAMNAME% properties create a separate directory for each remote server from which events are received, with one log file per program (syslog tag) inside it.
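The server-side rule above works on two pieces of every incoming syslog line: the PRI value (facility * 8 + severity) that the local6.* selector matches on, and the hostname and tag that the RemoteLogs template turns into a path. The following added example (not part of the Nemesida WAF documentation) decodes constructed BSD-syslog lines of the kind an Nginx error_log with facility=local6,tag=nginx and an imfile-forwarded mla.log line would produce, and resolves the destination file the template would write to; the host name waf-node1 and the message texts are made up.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Syslog facility and severity names in RFC 3164 numbering, as rsyslog uses them.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The server-side template from the page: one file per remote host and program name.
REMOTE_LOGS_TEMPLATE = "/var/log/rsyslog/%HOSTNAME%/%PROGRAMNAME%.log"

# BSD-syslog line as emitted by nginx (error_log syslog:...) and by rsyslog forwarders:
#   <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[\d+\])?: ?"
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    hostname: str
    programname: str  # rsyslog's %PROGRAMNAME%: the tag without PID and colon
    message: str


def parse_syslog_line(line: str) -> SyslogEvent:
    """Decode PRI, hostname and tag from a BSD-syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD-syslog line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    # PRI = facility * 8 + severity, so the low three bits are the severity
    return SyslogEvent(
        facility=FACILITIES[pri >> 3],
        severity=SEVERITIES[pri & 7],
        hostname=m.group("host"),
        programname=m.group("tag"),
        message=m.group("msg"),
    )


def route_event(event: SyslogEvent, selector_facility: str = "local6") -> Optional[str]:
    """Apply the page's `local6.* ?RemoteLogs` rule: return the destination
    file for events in the selected facility, None for everything else."""
    if event.facility != selector_facility:
        return None
    return (REMOTE_LOGS_TEMPLATE
            .replace("%HOSTNAME%", event.hostname)
            .replace("%PROGRAMNAME%", event.programname))


def encode_pri(facility: str, severity: str) -> int:
    """Inverse of the decode step: the PRI a sender configured with this
    facility and severity will put in front of its messages."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


# Constructed sample lines (not real traffic): an nginx error_log entry sent with
# facility=local6,tag=nginx, an imfile-forwarded line from mla.log, and an
# unrelated sshd line that the local6.* selector must not pick up.
SAMPLE_LINES = [
    "<179>Mar 10 12:00:01 waf-node1 nginx: 2024/03/10 12:00:01 [error] 1234#0: *7 open() failed",
    "<179>Mar 10 12:00:02 waf-node1 mla: constructed module message",
    "<13>Mar 10 12:00:03 waf-node1 sshd[999]: Accepted publickey for ops",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_syslog_line(line)
        print(f"{ev.facility}.{ev.severity} {ev.hostname} {ev.programname} -> {route_event(ev)}")
```

Running it shows why the client-side blocks below all set local6/error: they produce PRI 179, which the server's local6.* selector accepts and files under /var/log/rsyslog/<host>/<tag>.log, while the sshd line (facility user) falls through to the server's default rules.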

Setting up a remote data sending server

In the file /etc/rsyslog.conf, specify the protocol that will be used by Rsyslog during operation.
To listen on UDP:

module(load="imudp")
input(type="imudp" port="514")

To listen on TCP:

module(load="imtcp")
input(type="imtcp" port="514")

Nginx

To collect events with the CRITICAL and ALERT levels from the Nginx error logs (the files /var/log/nginx/*error.log), add the following line to the Nginx virtual host file:

server {
...
error_log syslog:server=10.0.0.1:514,facility=local6,tag=nginx;
...
}

For error.log, Nginx does not support sending only events of a particular priority level to syslog; you can only set the threshold level starting from which events are transmitted to syslog. The default level is ERROR.

Nemesida AI MLA

For the Nemesida AI MLA module, create the configuration file /etc/rsyslog.d/nwaf/mla.conf with the following lines:

# read the module log with imfile and forward it over TCP to the central server
$ModLoad imfile
$InputFileName /var/log/nwaf/mla.log
$InputFileTag mla:
$InputFileStateFile mla_log
$InputFileSeverity error
$InputFileFacility local6
$InputRunFileMonitor

local6.* @@10.0.0.1:514

Nemesida WAF Update

For the Nemesida WAF Update service, create the configuration file /etc/rsyslog.d/nwaf/update.conf with the following lines:

# read the update log with imfile and forward it over TCP to the central server
$ModLoad imfile
$InputFileName /var/log/nwaf/nwaf_update.log
$InputFileTag update:
$InputFileStateFile update_log
$InputFileSeverity error
$InputFileFacility local6
$InputRunFileMonitor

local6.* @@10.0.0.1:514

Nemesida AI MLC

For the Nemesida AI MLC module, create the configuration file /etc/rsyslog.d/nwaf/mlc.conf with the following lines:

# read the module log with imfile and forward it over TCP to the central server
$ModLoad imfile
$InputFileName /var/log/nwaf/mlc.log
$InputFileTag mlc:
$InputFileStateFile mlc_log
$InputFileSeverity error
$InputFileFacility local6
$InputRunFileMonitor

local6.* @@10.0.0.1:514

Nemesida WAF Scanner

For the Nemesida WAF Scanner module, create the configuration file /etc/rsyslog.d/nwaf/nws.conf with the following lines:

# read the scanner log with imfile and forward it over TCP to the central server
$ModLoad imfile
$InputFileName /var/log/nwaf/nws.log
$InputFileTag nws:
$InputFileStateFile nws_log
$InputFileSeverity error
$InputFileFacility local6
$InputRunFileMonitor

local6.* @@10.0.0.1:514

Include all created files from the main configuration file /etc/rsyslog.conf:

$IncludeConfig /etc/rsyslog.d/nwaf/*.conf

To configure sending events to a remote server, specify the IP address and destination port using the construction @@10.0.0.1:514. The double @@ forwards over TCP; a single @ (for example @10.0.0.1:514) forwards over UDP and must match the listener enabled on the central server.
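Before restarting rsyslog on a client it is worth checking the files under /etc/rsyslog.d/nwaf/ for the slips that typically creep in when the four blocks above are copied: a missing directive, a stray line that is neither a directive nor a rule, and the forwarding rule repeated in every file. The last point matters because rsyslog executes every action whose selector matches a message, so a local6.* forwarding rule present in N included files forwards each local6 event N times. The following added checker is not part of Nemesida WAF or rsyslog; it parses legacy-syntax config text, and its input is a constructed copy of the page's four files in which nws.conf has been deliberately broken (a bare address line in place of $InputFileStateFile) to show the findings.

```python
import re
from collections import Counter, defaultdict

# Legacy rsyslog directives that each imfile block on the page carries.
REQUIRED_IMFILE_DIRECTIVES = {
    "$InputFileName", "$InputFileTag", "$InputFileStateFile",
    "$InputFileSeverity", "$InputFileFacility", "$InputRunFileMonitor",
}
DIRECTIVE_RE = re.compile(r"^(?P<name>\$\w+)(?:\s+(?P<arg>\S.*))?$")
# "selector  @@host:port" forwarding rule: "@@" is TCP, a single "@" is UDP.
FORWARD_RE = re.compile(r"^(?P<selector>\S+)\s+(?P<proto>@@?)(?P<dest>\S+)$")


def imfile_block(tag: str, logfile: str, forward: str = "local6.* @@10.0.0.1:514") -> str:
    """Render a client-side block in the shape used on the page (constructed input)."""
    return "\n".join([
        "$ModLoad imfile",
        f"$InputFileName {logfile}",
        f"$InputFileTag {tag}:",
        f"$InputFileStateFile {tag}_log",
        "$InputFileSeverity error",
        "$InputFileFacility local6",
        "$InputRunFileMonitor",
        "",
        forward,
    ])


def check_rsyslog_files(files: dict) -> dict:
    """files maps a config path to its contents. Returns per-file problems and
    how often each forwarding rule occurs across all files."""
    problems = defaultdict(list)
    forward_counts = Counter()
    for path, text in files.items():
        directives = set()
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            d = DIRECTIVE_RE.match(line)
            if d:
                directives.add(d.group("name"))
                if d.group("name") == "$ModLoad" and d.group("arg") == "imfile":
                    directives.add("imfile-loaded")
                continue
            f = FORWARD_RE.match(line)
            if f:
                proto = "tcp" if f.group("proto") == "@@" else "udp"
                forward_counts[(f.group("selector"), proto, f.group("dest"))] += 1
                continue
            # Anything else (e.g. a pasted bare IP address) would make rsyslog fail to parse the file.
            problems[path].append(f"line {lineno}: not a directive or rule: {line!r}")
        if directives & REQUIRED_IMFILE_DIRECTIVES:
            if "imfile-loaded" not in directives:
                problems[path].append("uses $InputFile* directives without '$ModLoad imfile'")
            for missing in sorted(REQUIRED_IMFILE_DIRECTIVES - directives):
                problems[path].append(f"missing directive {missing}")
    # rsyslog runs every action whose selector matches, so a rule repeated in
    # N included files forwards each matching event N times.
    for (selector, proto, dest), n in forward_counts.items():
        if n > 1:
            problems["<all files>"].append(
                f"rule '{selector} {proto} {dest}' appears {n} times: "
                f"each matching event is forwarded {n} times")
    return {"problems": dict(problems), "forward_counts": dict(forward_counts)}


# Constructed copies of the page's four files; nws.conf is deliberately broken.
CONSTRUCTED_FILES = {
    "/etc/rsyslog.d/nwaf/mla.conf": imfile_block("mla", "/var/log/nwaf/mla.log"),
    "/etc/rsyslog.d/nwaf/update.conf": imfile_block("update", "/var/log/nwaf/nwaf_update.log"),
    "/etc/rsyslog.d/nwaf/mlc.conf": imfile_block("mlc", "/var/log/nwaf/mlc.log"),
    "/etc/rsyslog.d/nwaf/nws.conf": imfile_block("nws", "/var/log/nwaf/nws.log")
        .replace("$InputFileStateFile nws_log", "10.0.0.1"),
}

if __name__ == "__main__":
    report = check_rsyslog_files(CONSTRUCTED_FILES)
    for path, issues in report["problems"].items():
        for issue in issues:
            print(f"{path}: {issue}")
```

If the checker reports the forwarding rule four times, keep the `local6.* @@10.0.0.1:514` line in one file only (or in /etc/rsyslog.conf after the $IncludeConfig line) so that each module event reaches the central server once.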