Sending openNAC’s logs to SIEM
openNAC’s logs can be sent to a SIEM over either TCP or UDP. To configure forwarding, edit the file siem.conf in the path /etc/rsyslog.d/.
For TCP
vim /etc/rsyslog.d/siem.conf
*.* @@<ip_siemdelcliente>:<puerto_tcp>
For UDP
vim /etc/rsyslog.d/siem.conf
*.* @<ip_siemdelcliente>:<puerto_udp>
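A pre-flight check for the forwarding rule, added here as an example and not part of openNAC or its documentation: it parses each line of a siem.conf file, reports whether the rule forwards over TCP (@@) or UDP (@), and rejects unreplaced placeholders and invalid ports. The function names check_siem_rule and check_siem_conf are hypothetical, the sample rule is constructed, and the check assumes an IPv4 address or hostname with an explicit port, as in the lines above.

```shell
#!/bin/sh
# Added example: lint rsyslog forwarding rules before placing them in siem.conf.
# Function names are hypothetical; assumes IPv4/hostname targets with an explicit port.

# Prints "<proto> <host> <port>" for a valid rule, or returns 1 with a reason on stderr.
check_siem_rule() {
    set -f; set -- $1; set +f          # split "<selector> <target>" without globbing *.*
    [ $# -eq 2 ] || { echo "expected '<selector> <target>'" >&2; return 1; }
    case $2 in
        @@*) proto=tcp; rest=${2#@@} ;;   # @@ forwards over TCP
        @*)  proto=udp; rest=${2#@} ;;    # @  forwards over UDP
        *)   echo "target must start with @ (UDP) or @@ (TCP): $2" >&2; return 1 ;;
    esac
    case $rest in
        *'<'*|*'>'*) echo "placeholder not replaced: $rest" >&2; return 1 ;;
        *:*) host=${rest%:*}; port=${rest##*:} ;;
        *)   echo "missing :port in $rest" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "port is not numeric: $port" >&2; return 1 ;;
    esac
    # Positive form on purpose: an overflowing number makes [ ] error out and is rejected.
    if ! { [ -n "$host" ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } 2>/dev/null; then
        echo "empty host or port out of range: $rest" >&2; return 1
    fi
    echo "$proto $host $port"
}

# Checks every non-blank, non-comment line of a file; returns 1 if any rule is invalid.
check_siem_conf() {
    rc=0
    while IFS= read -r l || [ -n "$l" ]; do
        case $l in ''|'#'*) continue ;; esac
        check_siem_rule "$l" || rc=1
    done < "$1"
    return $rc
}

# Constructed sample rule (192.0.2.10 is a documentation address), then an optional file.
check_siem_rule '*.* @@192.0.2.10:6514'
if [ $# -gt 0 ]; then check_siem_conf "$1"; fi
```

Once the rule passes, rsyslogd -N1 checks the syntax of the full rsyslog configuration before the service is restarted.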
The following table shows the fields included in every log sent to the SIEM device.

The logs are sent in real time. You can verify the local log file from the CLI at the path var/log/opennac/opennac_analytics. Every event that generates a log is written to this file and, at the same time, sent to the SIEM device.