AlienVault Setup & Configuration Using Syslog for network traffic
I am attempting to deploy an AlienVault instance and am a bit confused about tracking the traffic. I can see that I can set policies and alarms based on certain events, and I think I need to port mirror my main port to my switch and funnel that into my AlienVault sensor. I also have wireless, however, and so am a bit confused how that would work with my DrayTek 2960, as I have 2 VLANs going into the AP and I do not believe I can port mirror with tagging; I would also need 2 network interfaces, etc.
I'm wondering if using syslog from the router to send all access logs to my AlienVault and passing this info could not be used to track similar information and trigger my alarms and policies via these? Syslog entries just show the source as the router, however, and the data just as UserData1 and UserData2, and I'm wondering how
Nov 22 09:18:33 192.168.1.254 Vigor2960: Local User: (MAC=XX:XX:XX:XX:XX:XX) XXX.XXX.1.70:54686 -> XX.XX.XX.XX:443 (TCP)
The format is similar to the above, so I just need some pretty regex, I hope, to turn this into the data I need, if possible?
regex syslog
asked Nov 22 at 9:21
harri
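As an added example (not from the question or from AlienVault), here is a Python parser for the Vigor2960 "Local User" line format quoted above. The named groups are the fields a SIEM normaliser needs (client MAC, source IP/port, destination IP/port, protocol) instead of the generic UserData1/UserData2, and a small aggregation shows how the parsed fields can drive a detection. The sample lines, the RFC 5737 addresses and the MAC are constructed; the assumption is that the router's timestamp, relay IP and "Vigor2960:" tag are laid out exactly as in the quoted line.

```python
import re
from typing import Any, Dict, Iterable, Optional

# Regex for the DrayTek Vigor2960 "Local User" syslog line quoted in the question.
# Assumed layout (from the quoted line): "<Mon DD HH:MM:SS> <relay-ip> Vigor2960: Local User:
# (MAC=aa:bb:cc:dd:ee:ff) <src-ip>:<src-port> -> <dst-ip>:<dst-port> (<PROTO>)".
VIGOR_LOCAL_USER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<reporter>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<host>\S+):\s+Local User:\s+"
    r"\(MAC=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\)\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d{1,5})\s+->\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d{1,5})\s+"
    r"\((?P<proto>[A-Z]+)\)\s*$"
)


def parse_vigor_line(line: str) -> Optional[Dict[str, Any]]:
    """Return the fields of one Vigor2960 Local User line, or None if the line is not one."""
    m = VIGOR_LOCAL_USER.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["src_port"] = int(fields["src_port"])
    fields["dst_port"] = int(fields["dst_port"])
    fields["mac"] = fields["mac"].upper()  # normalise so the same client always compares equal
    return fields


def distinct_dst_ports(lines: Iterable[str], mac: str) -> int:
    """Distinct destination ports contacted by one client MAC.

    A large count over a short window is a simple indicator worth alarming on;
    non-matching lines (e.g. other Vigor2960 event types) are skipped.
    """
    records = (parse_vigor_line(l) for l in lines)
    return len({r["dst_port"] for r in records if r and r["mac"] == mac.upper()})


# Constructed sample lines; the question's line used XX placeholders for the real values.
SAMPLE_LINES = [
    "Nov 22 09:18:33 192.168.1.254 Vigor2960: Local User: (MAC=00:11:22:33:44:55) 192.168.1.70:54686 -> 203.0.113.10:443 (TCP)",
    "Nov 22 09:18:34 192.168.1.254 Vigor2960: Local User: (MAC=00:11:22:33:44:55) 192.168.1.70:51000 -> 203.0.113.10:53 (UDP)",
    "Nov 22 09:18:35 192.168.1.254 Vigor2960: System: WAN1 link up",  # not a Local User line
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_vigor_line(line))
    print(distinct_dst_ports(SAMPLE_LINES, "00:11:22:33:44:55"))
```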