5.2.2.3. Sending OpenNAC logs to SIEM
To send OpenNAC Enterprise logs to an external SIEM, we need to use the NXLog service.
The necessary steps are detailed below:
5.2.2.3.1. Using NXLog
To configure forwarding through NXLog, run the following script on the machine whose logs are to be sent:
bash /usr/share/opennac/utils/nxlog/install_nxlog.sh
Once the script has run, add the SIEM IP address to the /etc/hosts file under the hostname “siem_fwd”:
vi /etc/hosts
The following entry needs to be added:
<SIEM_IP> siem_fwd
For example, if the SIEM IP address is 10.10.39.102:
10.10.39.102 siem_fwd
Finally, restart the nxlog service to apply the changes:
systemctl restart nxlog
Note: The install_nxlog.sh script requires connectivity to the OpenNAC Enterprise repository to obtain the packages needed for the installation.
Once the service is configured, the NXLOG healthcheck should display an “OK” status. Refer to the Healthcheck section for more information.
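The /etc/hosts step above is easy to get wrong on a re-run (a second “siem_fwd” line with an old address, or a mistyped IP that nxlog then fails to resolve). The script below is an added example, not part of the OpenNAC documentation or the install_nxlog.sh script: it validates the address, rewrites the hosts file so that exactly one “siem_fwd” entry exists, and only touches the real /etc/hosts and the nxlog service when invoked with an assumed --apply flag. The hosts-file path, the IP address and the --apply convention are the example's own parameters.

```shell
#!/bin/sh
# Added example: idempotently register the "siem_fwd" alias in a hosts file,
# validate the SIEM address, and restart nxlog only when explicitly asked.
# Assumptions: POSIX sh; the alias name "siem_fwd" comes from the page; the
# install script has already been run. Paths and the IP are parameters.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
validate_ipv4() {
    ip=$1
    # Shape check: exactly four groups of one to three digits.
    echo "$ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
    # Range check on each octet.
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# set_siem_fwd_entry HOSTS_FILE IP
# Rewrites HOSTS_FILE so that exactly one line maps IP to siem_fwd.
# Any earlier siem_fwd line is dropped first, so re-running with a new SIEM
# address updates the entry instead of leaving a stale duplicate behind.
set_siem_fwd_entry() {
    hosts=$1
    ip=$2
    validate_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    scratch=$(mktemp) || return 1
    # Keep every line whose hostname field is not exactly siem_fwd.
    grep -vE '^[^#]*[[:space:]]siem_fwd([[:space:]]|$)' "$hosts" > "$scratch" 2>/dev/null || true
    printf '%s siem_fwd\n' "$ip" >> "$scratch"
    # cat rather than mv so the ownership and mode of /etc/hosts are preserved.
    cat "$scratch" > "$hosts"
    rm -f "$scratch"
}

# siem_fwd_ip HOSTS_FILE: print the IP currently mapped to siem_fwd (empty if none).
siem_fwd_ip() {
    awk '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == "siem_fwd") { print $1; exit } }' "$1"
}

# Only act on the live system when run as: sh set_siem_fwd.sh --apply <SIEM_IP>
if [ "${1:-}" = "--apply" ]; then
    set_siem_fwd_entry /etc/hosts "$2" || exit 1
    getent hosts siem_fwd || exit 1        # confirm the alias resolves before restarting
    systemctl restart nxlog
    systemctl is-active nxlog              # non-zero exit if nxlog failed to come back
fi
```

Running it without --apply defines the functions only, which is what lets the hosts-file logic be exercised against a scratch copy before it is applied to /etc/hosts; after --apply, the NXLOG healthcheck is still the authority on whether forwarding actually works.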
5.2.2.3.2. Logs sent to the SIEM device
The following table provides an overview of the content included in each log sent to the SIEM.
| Log | Description |
|---|---|
| radius.log | Information related to user authentications |
| gearmand.log | Information related to gearmand’s service operation |
| mariadb.log | Information related to MySQL’s service operation |
| opennac-admonportal.log | Information related to the Administration Portal’s application |
| opennac-agent-audit.log | Information that OpenNAC receives from the ON Agent |
| opennac-analytics.log | Information related to the devices |
| opennac-api.log | Information related to the requests made against the API |
| opennac-api-doc.log | Detailed information related to the API calls |
| opennac-audit.log | Information related to the actions performed by a user |
| opennac-backup.log | Information related to the results obtained when generating backups |
| opennac-captive.log | Information related to the Captive Portal |
| opennac-captive-analytics.log | Information related to the Captive Portal for ON Analytics |
| opennac-cron.log | Information related to unhandled errors during cron searches |
| opennac-ddbb.log | Information related to actions performed by OpenNAC Enterprise |
| opennac-health.log | Log for healthcheck process verification |
| healthcheck.log | Information related to errors during healthcheck execution |
| opennac-job.log | Information related to OpenNAC Enterprise’s workers |
| opennac-macport.log | Information related to MACs found in each switch port |
| opennac-nd-analytics.log | Information related to the network devices |
| opennac-netdev-compliance.log | Information used to create network device compliance dashboards |
| opennac-poleval-audit.log | Information related to the audit of policy evaluation execution |
| opennac-poleval.log | Information related to the results of policy evaluations |
| opennac-queues.log | Information related to OpenNAC Enterprise’s worker errors |
| ntlm_auth_exec_time.log | Information related to the time it takes to process NTLM authorizations |
| ntlm_auth_exec_time_exceeded.log | Information related to NTLM requests taking longer than a threshold |
| opennac-access.log | Apache information related to the API |
| opennac-error.log | Apache error information related to the API |
| opennac-https-access.log | Apache information related to the Administration Portal and ON Agent |
| opennac-https-error.log | Apache error information related to the Administration Portal and ON Agent |
| messages.log | Global system messages, such as system error messages |
| redis.log | Information related to the Redis application |
| filebeat | Contains all events related to data being sent to ON Analytics |