2025-03-09 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
How do you collect an enterprise's cloud audit logs into an on-premises SIEM? This article walks through the analysis and a working solution to that problem, so that anyone facing it has a simple, proven procedure to follow.
Background
For enterprises on the customer side (Party A), using public cloud services is unavoidable. Workloads on the public cloud are usually not connected to the corporate intranet, so their logs cannot be collected the way intranet logs are. After studying the Alibaba Cloud Log Service (SLS) documentation and verifying the approach in testing, the author put the following procedure into production to collect the Alibaba Cloud console audit logs. Collecting the logs of the individual cloud VMs on Alibaba Cloud follows a similar process.
1. Create a trail for the console audit logs in the Alibaba Cloud ActionTrail console
Create a trail (Create Trail in the ActionTrail console).
Note that the storage used for the delivered logs is billed; see the Log Service pricing page for the details.
For small customers the main cost item is public-network read traffic, 0.8 CNY per GB:
A storage target (bucket) also has to be created for the later consumption step (reading the logs from the local side).
After submission, the trail is created.
2. Configure audit log delivery in the Alibaba Cloud console
Deliver the audit logs to Log Service (SLS). The official documentation is:
Deliver configuration audit logs to SLS
Create a RAM user and assign permissions
Following the RAM user creation guide, you obtain an AccessKey ID and an AccessKey Secret.
Second, assign permissions to the RAM user you created. To be allowed to consume the logs, the author grants the AliyunLogFullAccess system policy.
Two points a security team should check here. AliyunLogFullAccess grants full control over every Log Service project in the account, while a consumer only needs read and consumer-group permissions on the one audit logstore; a custom policy scoped to that project and logstore is the least-privilege choice (take the exact action names from the SLS consumer-group RAM documentation). And the AccessKey Secret is a long-lived credential: keep it out of the script file (for example in an environment variable or a secrets store) and rotate it if it is ever exposed.
3. Consume the audit logs and send them to the SIEM's log collection server
The official documentation for this delivery is: Deliver logs to SIEM via Syslog
The collection script referenced there is sync_data_to_syslog.py
The aliyun-log-python-sdk package has to be installed first:
python -m pip install aliyun-log-python-sdk -U
Before running the script, configure the following parameters from the results of the first two steps (values redacted with * as on the page; fill in your own AccessKey ID and AccessKey Secret):
endpoint = "cn-huhehaote.log.aliyuncs.com"
accessKeyId = "LTA*"
accessKey = "JiV*"
project = "aliyun-event-trail"
logstore = "actiontrail_aliyun-event-trail"
consumer_group = "sync_data"
The endpoint is shown in the Overview page of the corresponding SLS project.
The logstore name is shown in the following location under the project.
Then configure the IP address and port of the server that receives the logs and run the Python script. To make testing and observation easier, add one line that prints each log record.
The result looks like this:
Next comes the processing on the log collection server. Two received records are shown below; handling them from there (parsing, normalisation, alerting) is standard SIEM work and is not covered in detail in this article.
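As an added example that is not part of the original article, the SDK, or the author's script, the following Python shows the SIEM-side handling the text leaves out: it rebuilds the ||key=value payload layout visible in the page's captured output (the syslog header the script wraps around it is omitted), parses it back, and triages the ActionTrail ConsoleSignin events for the two conditions the page's own records exhibit, a root-account sign-in and a sign-in with MFA not checked. The two records are constructed to match the page's samples (values redacted with * as there) and are not real tenant data; the separator, the topic name and the two MFA field spellings (isMFAChecked from AasCustomer, mfaChecked from AasSub) are taken from the page.

```python
import json

# Constructed samples (not captured from a real tenant): the flattened form of
# two SLS log records shaped like the page's log example, one root-account and
# one RAM-user ConsoleSignin, with values redacted with '*' as on the page.
SAMPLE_LOGS = [
    {
        "__time__": "1611496179",
        "__topic__": "actiontrail_audit_event",
        "__source__": "actiontrail_internal",
        "__tag__:__pack_id__": "5b3977dea4ee*9",
        "event": json.dumps({
            "acsRegion": "cn-hangzhou",
            "additionalEventData": {
                "loginAccount": "*",
                "isMFAChecked": "false",
                "callback": "https://account.console.aliyun.com/?spm=5176.top-nav",
            },
            "eventName": "ConsoleSignin",
            "eventTime": "2021-01-24T13:49:39Z",
            "serviceName": "AasCustomer",
            "sourceIpAddress": "220.181.41.*",
            "userIdentity": {"accountId": "15538384*", "type": "root-account",
                             "userName": "root"},
        }),
    },
    {
        "__time__": "1611496553",
        "__topic__": "actiontrail_audit_event",
        "__source__": "actiontrail_internal",
        "__tag__:__pack_id__": "5b3977dea4ee*9",
        "event": json.dumps({
            "acsRegion": "cn-hangzhou",
            "additionalEventData": {"callbackUrl": "https://home.console.aliyun.com/",
                                    "mfaChecked": "false"},
            "eventName": "ConsoleSignin",
            "eventTime": "2021-01-24T13:55:53Z",
            "serviceName": "AasSub",
            "sourceIpAddress": "220.181.41.*",
            "userIdentity": {"accountId": "1553838*", "type": "ram-user",
                             "userName": "sec***"},
        }),
    },
]

SEP = "||"  # the separator visible in the page's captured syslog output


def to_syslog_payload(log: dict, sep: str = SEP) -> str:
    """Sender side: emit every field except __time__ as sep+key=value, the
    layout seen in the page's captured output (the timestamp travels in the
    syslog header instead). Values are not escaped, so a value that itself
    contained the separator would corrupt the record."""
    return "".join(f"{sep}{key}={value}" for key, value in log.items()
                   if key != "__time__")


def parse_syslog_payload(payload: str, sep: str = SEP) -> dict:
    """SIEM side: split on the separator and on the FIRST '=' of each chunk,
    so the JSON in 'event' (whose URLs contain '=') survives intact."""
    fields = {}
    for chunk in payload.split(sep):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        fields[key] = value
    if "event" in fields:
        fields["event"] = json.loads(fields["event"])
    return fields


def triage_signin(event: dict) -> list:
    """Findings for one ActionTrail ConsoleSignin event. Both MFA key
    spellings are checked because the page's two samples differ
    (isMFAChecked from AasCustomer, mfaChecked from AasSub)."""
    findings = []
    if event.get("eventName") != "ConsoleSignin":
        return findings
    extra = event.get("additionalEventData") or {}
    mfa = str(extra.get("isMFAChecked", extra.get("mfaChecked", ""))).lower()
    ident = event.get("userIdentity") or {}
    who = f"{ident.get('type')}:{ident.get('userName')}@{ident.get('accountId')}"
    src = event.get("sourceIpAddress")
    if ident.get("type") == "root-account":
        findings.append(f"root account console sign-in by {who} from {src}")
    if mfa != "true":
        findings.append(f"console sign-in without MFA by {who} from {src}")
    return findings


def process_payload(payload: str) -> list:
    """Full SIEM path for one received payload: parse, keep only ActionTrail
    audit events (by __topic__), then triage."""
    fields = parse_syslog_payload(payload)
    if fields.get("__topic__") != "actiontrail_audit_event":
        return []
    return triage_signin(fields.get("event") or {})


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        payload = to_syslog_payload(log)
        print(payload)
        for finding in process_payload(payload):
            print("ALERT:", finding)
```

The parser deliberately splits each chunk on its first "=" only, because the event JSON carries URLs with query strings; a naive split on "=" would truncate the event and lose exactly the fields the detection needs. The unescaped "||" format is convenient for a test setup but fragile, so on a production collector prefer shipping the event JSON as a single structured field.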
The first record is shown from its event field onwards; the second shows the full ||key=value payload the script produces:
{"acsRegion":"cn-hangzhou","additionalEventData":{"loginAccount":"*","isMFAChecked":"false","callback":"https://account.console.aliyun.com/?spm=5176.10***8.top-nav.daccount.3bd9****u"},"eventId":"eb4f64bc-2515-4049-b381-7ca6*","eventName":"ConsoleSignin","eventRW":"Write","eventSource":"http://account.aliyun.com/account_init/init.htm","eventTime":"2021-01-24T13:49:39Z","eventType":"ConsoleSignin","eventVersion":"1","requestId":"eb4f64bc-2515-4049-b3*","serviceName":"AasCustomer","sourceIpAddress":"220.181.41.*","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0","userIdentity":{"accountId":"15538384*","principalId":"15538384*","type":"root-account","userName":"root"}}
||__topic__=actiontrail_audit_event||__source__=actiontrail_internal||__tag__:__pack_id__=5b3977dea4ee*9||event={"acsRegion":"cn-hangzhou","additionalEventData":{"callbackUrl":"https://home.console.aliyun.com/","mfaChecked":"false"},"errorMessage":"success","eventId":"95.20_161149655*******","eventName":"ConsoleSignin","eventRW":"Write","eventSource":"signin.aliyun.com","eventTime":"2021-01-24T13:55:53Z","eventType":"ConsoleSignin","eventVersion":"1","requestId":"95.20_1611496553*","serviceName":"AasSub","sourceIpAddress":"220.181.41.*","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0","userIdentity":{"accountId":"1553838*","principalId":"25983001*","type":"ram-user","userName":"sec***"}}
These two records already show why this feed is worth having: both are ConsoleSignin events with MFA not checked, and the first is a sign-in by the root account, which is exactly the kind of event a SIEM rule on this logstore should alert on.
That is how an enterprise's cloud logs can be collected into a local SIEM. I hope the above content is helpful; if you still have questions, follow the industry information channel to learn more.