Syslog Log Formats

XLOG Firewall can forward the log records it keeps locally to the addresses configured as syslog destinations. Sample messages for each of these log formats are given below. SIEM products can build their parsing rules on these formats.

XLOG Firewall - SYSLOG LOG FORMATS
 
# Firewall Log
Jun  7 15:14:05 192.168.200.1 xlog: { "firewall_id": 447, "interface": "igb5", "source_ip": "192.168.200.1", "destination_ip": "192.168.200.253", "proto": "udp", "reason": "0(match)", "action": "pass", "directions": "out", "log_time": 1623068045, "source_port": 32326, "destination_port": 514, "log_type": "firewall_log", "mac_address": "e4:3a:6e:3d:38:e6" }
 
# SSLVPN Connect Log
Jun  7 15:14:05 192.168.200.1 xlog: { "username": "xlogtest", "common_name": "xlogtest", "local_ip": "192.168.250.5", "remote_ip": "192.168.250.6", "type": "connect", "log_time": 1623068044, "trusted_ip": "5.176.17.100", "trusted_port": 49922, "log_type": "ssl_vpn_log" }
 
# SSLVPN Disconnect Log
Jun  7 15:15:38 192.168.200.1 xlog: { "username": "xlogtest", "common_name": "xlogtest", "local_ip": "192.168.250.5", "remote_ip": "192.168.250.6", "type": "disconnect", "log_time": 1623068138, "trusted_ip": "5.176.17.100", "trusted_port": 49922, "bytes_received": 2194, "bytes_sent": 3233, "time_duration": 94, "log_type": "ssl_vpn_log" }

# SSLVPN Error Log
Jun  7 15:15:38 192.168.200.1 xlog: { "username": "xlogtest", "common_name": "client", "untrusted_ip": "37.155.10.55", "type": "error", "log_time": 1698997682, "log_type": "ssl_vpn_log" }
 
# HTTPS/DNS Log
Jun  7 15:09:02 192.168.200.1 xlog: { "zone_id": 5, "interface": "igb3", "username": "", "source_ip": "192.168.20.174", "mac_address": "f0:03:8c:ec:e2:0b", "domain": "r1---sn-nv47lnl6.googlevideo.com", "destination_ip": "74.125.11.71", "destination_port": "443", "action": "alert", "category": "-9", "json_data": "{}", "log_time": "1623067654", "app_name": "YouTube", "app_id": "164", "log_type": "http_https_log", "proto": "tcp" }
 
# HTTP Log
Jun  7 15:28:59 192.168.200.1 xlog: { "zone_id": 5, "interface": "igb3", "username": "", "source_ip": "192.168.20.11", "mac_address": "58:40:4e:e8:c9:44", "domain": "xlog.com.tr", "destination_ip": "45.84.189.195", "destination_port": "80", "action": "alert", "category": "9", "json_data": "{ \"type\": \"GET\", \"path\": \"\\\/\", \"protocol\": \"HTTP\\\/1.1\\r\", \"Host\": \" xlog.com.tr\", \"Connection\": \" keep-alive\", \"Upgrade-Insecure-Requests\": \" 1\", \"User-Agent\": \" Mozilla\\\/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\\\/537.36 (KHTML, like Gecko) Chrome\\\/90.0.4430.41 YaBrowser\\\/21.5.0.751 Yowser\\\/2.5 Safari\\\/537.36\", \"Accept\": \" text\\\/html,application\\\/xhtml+xml,application\\\/xml;q=0.9,image\\\/avif,image\\\/webp,image\\\/apng,\\\/;q=0.8,application\\\/signed-exchange;v=b3;q=0.9\", \"Purpose\": \" prefetch\", \"Accept-Encoding\": \" gzip, deflate\", \"Accept-Language\": \" tr,ru;q=0.9,de;q=0.8\" }", "log_time": "1623068871", "app_name": "", "app_id": "0", "log_type": "http_https_log", "proto": "tcp" }
 
# NAT Log
Jun  7 15:08:12 192.168.200.1 xlog: { "source_port": 55711, "destination_port": 53, "source_ip": "192.168.200.253", "destination_ip": "8.8.8.8", "proto": "udp", "source_nat_ip": "37.130.82.16", "destination_nat_ip": "8.8.8.8", "log_time": 1623067692, "time_duration": 37, "action": "nat", "log_type": "firewall_log", "mac_address": "00:30:67:00:01:d5" }
 
# IPS/IDS Log
Jun  7 15:08:16 192.168.200.1 xlog: { "mac_address": "00:30:67:00:01:d5", "rule_id": 78, "action": "alert" , "event_type": "alert", "interface": "igb5", "signature_id": "2101411", "source_ip": "192.168.200.253", "rev": "13", "category": "Attempted Information Leak", "destination_ip": "10.0.0.113", "severity": "2", "flow_json": "359776729921978", "metadata_json": "", "proto": "failed", "description": "34##GPL SNMP public access udp", "log_time": 1623067695, "log_type": "ips_ids_log", "destination_port": 161, "source_port": 44142}
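As an added example (not XLOG's own code and not part of the original page), the following Python parser splits the BSD syslog header from the `xlog:` JSON payload, coerces the numeric fields that the HTTP/HTTPS format quotes as strings while the firewall/NAT/IPS formats send as integers, and decodes the nested `json_data` document; the sample lines are constructed and abridged from the page's firewall and HTTP examples.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample lines in the documented format (abridged from the
# page's firewall and HTTP examples; addresses are illustrative).
SAMPLES = [
    r'Jun  7 15:14:05 192.168.200.1 xlog: { "firewall_id": 447, "interface": "igb5", '
    r'"source_ip": "192.168.200.1", "destination_ip": "192.168.200.253", "proto": "udp", '
    r'"action": "pass", "log_time": 1623068045, "source_port": 32326, '
    r'"destination_port": 514, "log_type": "firewall_log" }',
    r'Jun  7 15:28:59 192.168.200.1 xlog: { "zone_id": 5, "source_ip": "192.168.20.11", '
    r'"domain": "xlog.com.tr", "destination_ip": "45.84.189.195", "destination_port": "80", '
    r'"action": "alert", "json_data": "{ \"type\": \"GET\", \"path\": \"\\\/\" }", '
    r'"log_time": "1623068871", "log_type": "http_https_log", "proto": "tcp" }',
]

# BSD-style syslog header, the fixed "xlog: " tag, then the JSON payload.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) xlog: (?P<body>\{.*\})\s*$"
)

# These arrive as integers in firewall/NAT/IPS logs but as quoted strings in
# HTTP/HTTPS logs, so a SIEM field mapping must coerce them to one type.
INT_FIELDS = ("log_time", "source_port", "destination_port", "zone_id", "app_id", "severity")


def parse_xlog_line(line: str) -> dict:
    """Parse one XLOG syslog line into a normalised event dict."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an XLOG syslog line")
    event = json.loads(m.group("body"))
    event["syslog_host"] = m.group("host")
    for key in INT_FIELDS:
        value = event.get(key)
        if isinstance(value, str) and value.lstrip("-").isdigit():
            event[key] = int(value)
    if isinstance(event.get("log_time"), int):
        # log_time is an epoch value in UTC; the syslog header is the device's local time.
        event["@timestamp"] = datetime.fromtimestamp(event["log_time"], tz=timezone.utc).isoformat()
    # HTTP logs embed the request headers as a JSON document inside a string.
    data = event.get("json_data")
    if isinstance(data, str) and data.strip():
        try:
            event["json_data"] = json.loads(data)
        except json.JSONDecodeError:
            pass  # keep the raw text if the inner escaping was mangled in transit
    return event
```

Feed each received line to `parse_xlog_line` and route on `log_type` (`firewall_log`, `ssl_vpn_log`, `http_https_log`, `ips_ids_log`); the `json_data` field is only populated for HTTP logs and stays `{}` for HTTPS/DNS entries.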
