This document describes how to use NeXpose's built-in alerting features to integrate with LogLogic. This is part of a series of documents explaining how to integrate NeXpose with different log management products.
Today I will be working with a LogLogic MX VM Appliance, which can be downloaded from the LogLogic website. LogLogic, like many other logging solutions, supports multiple ways of consuming log information from many tools. This blog will describe the simplest integration method, which is NeXpose's syslog alerting feature.
First, we need to make a configuration change in LogLogic to disable automatic identification of log sources. For some reason, LogLogic detects NeXpose syslog messages as Juniper Netscreen Firewall messages. This setting can be found under Administration – System Settings. Select the "No" radio button for Auto-identify Log Sources and then click on Update at the bottom.
Now we will create a Device Type and then a Device for the NeXpose Security Console.
From the LogLogic menu:
- Select the Management dropdown and then select “Device Types”
- Select “Create”. For Name I used “NeXpose Security Console”. For Description I used “NeXpose Alerts”. For Regular Expression, use “NeXpose:” (no quotes). Leave the Network radio button selected and select the Enabled checkbox.
- Save the new Device Type.
Now, from the Management dropdown:
- Select “Devices”.
- Select “Add New”. For Name, I used “NeXpose Security Console”. For Device Type, select the NeXpose Security Console device type that we previously created. Make sure the Enable Data Collection radio button is selected.
- Click the “Add” button to save your new Device.
You have just created a Device in LogLogic that we can now collect syslog messages from.
Now on the NeXpose side, create the appropriate Alerts under your Site.
- Create or edit a Site from the Home tab
- In the left pane, select Alerting
- Click the "New Alert" button and for "Notification Method", select "Syslog message"
- Fill in the appropriate information. The below screenshot shows a sample of an alert setup. In the Syslog server field, put the IP address of the LogLogic appliance. The setup below alerts on both Scan status events and discovered vulnerabilities.
- Save the alert and then save the site.
Now when you start a scan (ad-hoc or scheduled), the syslog messages generated by NeXpose will be sent to the LogLogic solution. At this point, LogLogic should be receiving data from NeXpose that you can search.
For finer-grained handling of messages on the LogLogic side, separate message Event Types could be created. For example, NeXpose generates 5 different types of Scan Status message: Started, Stopped, Failed, Paused and Resumed.
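To make the two routing steps concrete (the Device Type regular expression "NeXpose:" deciding which syslog lines belong to the console, and per-Event-Type handling of the Scan Status keywords), here is an added Python example that is not part of the original post and not LogLogic or NeXpose code. The syslog lines it processes are constructed placeholders, not NeXpose's real message format; only the device-type regex and the five Scan Status keywords come from the text above. The sixth line is a constructed non-NeXpose message, included to show that the regex leaves it unclaimed rather than misattributing it the way auto-identification did.

```python
import re
from collections import Counter

# Device Type regular expression exactly as entered in LogLogic above.
DEVICE_TYPE_RE = re.compile(r"NeXpose:")

# The five Scan Status keywords the post names. The "Scan ... <keyword>"
# layout is an assumption for this example, not NeXpose's wire format.
SCAN_STATUS_RE = re.compile(r"\bScan\b.*?\b(Started|Stopped|Failed|Paused|Resumed)\b")

# Constructed sample syslog lines (not captured from a real console).
SAMPLE_LINES = [
    "<13>Jan 10 10:00:01 nexpose-console NeXpose: Scan Started for site Production",
    "<13>Jan 10 10:04:33 nexpose-console NeXpose: Vulnerability discovered: example-vuln on 10.0.0.5",
    "<13>Jan 10 10:05:00 nexpose-console NeXpose: Scan Paused for site Production",
    "<13>Jan 10 10:06:00 nexpose-console NeXpose: Scan Resumed for site Production",
    "<13>Jan 10 10:30:00 nexpose-console NeXpose: Scan Stopped for site Production",
    "<13>Jan 10 10:31:00 fw01 NetScreen: system-notification traffic allowed",
]


def matches_device_type(line):
    """True if the 'NeXpose:' Device Type regex would claim this line."""
    return DEVICE_TYPE_RE.search(line) is not None


def classify(line):
    """Return an Event Type label for one line already attributed to NeXpose."""
    m = SCAN_STATUS_RE.search(line)
    if m:
        return "scan-" + m.group(1).lower()
    if re.search(r"vulnerabilit", line, re.IGNORECASE):
        return "vulnerability"
    return "other"


def route(lines):
    """Count NeXpose lines per Event Type; return unclaimed lines separately."""
    counts = Counter()
    unclaimed = []
    for line in lines:
        if matches_device_type(line):
            counts[classify(line)] += 1
        else:
            unclaimed.append(line)
    return dict(counts), unclaimed


if __name__ == "__main__":
    per_type, rest = route(SAMPLE_LINES)
    for event_type, n in sorted(per_type.items()):
        print(f"{event_type:16s} {n}")
    print(f"unclaimed lines: {len(rest)}")
```

The point of separating `matches_device_type` from `classify` is that the first decision is the one the Device Type regex makes in LogLogic; an Event Type rule only ever sees lines that already passed it. If a line you expect to be searchable is missing, check that first gate before tuning event rules.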