Forward DHCP logs from insightIDR to a remote syslog server

eoliveira · August 16, 2021, 9:21pm

I found the plugin below that would allow me to send DHCP logs from insightIDR to a remote Syslog server. However, the GitHub associated with this plugin does not exist anymore. Does anyone know how if I have any options? I need to feed DHCP logs to a specific application.

mike_rinehart · August 17, 2021, 2:55pm

Hi @eoliveira - the link to the GitHub source for that plugin is indeed incorrect - we are working on updating it right now! As far as using the plugin goes, you should not need to access the GitHub source for it - you can install the plugin directly into InsightConnect with the Install button in the Extension Library

eoliveira · August 17, 2021, 3:22pm

Hi @mike_rinehart. Thank you for your answer. I’m using RapidIDR at the moment. Are you saying that plugin is only available for InsightConnet? If so, is there any other way that I could either forward the DHCP logs from InsightIDR to a remote Syslog or perhaps re-purpose your collector to send the DHCP logs over to the remote Syslog as well as InsightIDR?

mike_rinehart · August 17, 2021, 5:23pm

Hi @eoliveira - yes, that plugin is only available for InsightConnect. As for the InsightIDR component, unfortunately I do not know. I would suggest asking in the InsightIDR forum within Discuss or reaching out to your sales rep/support to see if they can provide any assistance with that.

@holly_wilsey , can we move this thread over to the InsightIDR forum so that @eoliveira can get better assistance there?

holly_wilsey · August 17, 2021, 6:04pm

I’ve shifted the thread so we can look to get some InsightIDR eyes on this question.

SDavis · August 17, 2021, 6:22pm

@eoliveira,

In regards to assisting on the IDR side, I would love to be of any assistance. Just verifying that you are trying to get dhcp logs from within IDR to be forwarded to a Syslog server?

eoliveira · August 17, 2021, 6:25pm

That is corret, Stephen

SDavis · August 17, 2021, 6:48pm

Gotcha. Okay, so as far as I’m aware, there isn’t currently a way to export log data from an IDR Event Source to a syslog server directly and automatically. That being said there are a few ideas that come to mind you might want to look at. The first would be to use the REST API to export logs directly from your DHCP log sets. You can find information about that here:

https://docs.rapid7.com/insightidr/insightidr-rest-api/

The other option would be, if possible, to use nxlog on that DHCP server where you would not only be sending the DHCP log data to IDR, but could also be sending it to whichever syslog server you need to. Here is the link for nxlog:

https://docs.rapid7.com/insightidr/nxlog

eoliveira · August 17, 2021, 6:56pm

Thank you very much for your insight, Stephen. I guess I have to go with nxlog. Is there any advantage (besides rapid7 offering support ) between using your native collector over nxlog?

teresa_copple1 · August 17, 2021, 7:17pm

@eoliveira Good question. What @SDavis is suggesting is to run Nxlog somewhere in your organization, and then have it split the logs out to two destinations: InsightIDR and your remote syslog server. Most people just install it onto their InsightIDR Collector (s) for simplicity, but you can install it wherever you like. Below is an example of how the nxlog.conf would look if you are collecting Windows DHCP logs and have installed Nxlog onto a Windows host. As you can see, you just grab your logs and send to two Outputs. If you want to install it onto a Linux host instead, that also rather easy; we have some examples of this in our Docs, or you can use this blog that I wrote as a guide: Audit Log Monitoring in Our SIEM Solution, InsightIDR | Rapid7 Blog Skip down to the part about installing Nxlog onto a Linux host.

I hope this helps!

SDavis · August 17, 2021, 7:17pm

@eoliveira,

No worries! Honestly nothing comes to mind. I will say that using nxlog is more difficult to initially set up than simply configuring a DHCP Event Source in IDR. I also see @teresa_copple1 is posting as well, she is THE nxlog guru!

teresa_copple1 · August 17, 2021, 7:29pm

#This sample nxlog.conf file can be used to read Microsoft DHCP log files and send them to InsightIDR using syslog.
#Send the logs to InsightIDR in syslog_bsd format.

#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension _syslog>
    Module  xm_syslog
</Extension>

<Input in_dhcp>
 Module  im_file
 #Change the location below to where the DHCP logs are.
 File "C:\\Windows\\Sysnative\\dhcp\\DhcpSrvLog-*.log"
 InputType LineBased
 SavePos TRUE
 <Exec>
	if $raw_event =~ /^#/ drop();
	else

{
		to_syslog_bsd();
	}
 </Exec>
 </Input>
 
<Output out1>
   #If you wish to send the logs using tcp instead of udp, change the module below to om_tcp.
   Module      om_udp
   #This is the IP address of the InsightIDR Collector
   Host			192.168.0.156
   #This is the port configured on the Event Source
   Port        10400
</Output>

<Output out2>
   #If you wish to send the logs using tcp instead of udp, change the module below to om_tcp.
   Module      om_udp
   #This is the IP address of your second destination
   Host			<Enter IP address or hostname of the destination>
   #This is the syslog port your destination is listening on
   Port        514
</Output>

<Route 1>
   Path        in_dhcp=> out1, out2
</Route>