Many networks today use a centralized log aggregation tool to collect and view data across the enterprise. Sandfly is designed to work with these tools to send alerts over syslog.
The syslog alerts Sandfly sends are rich structured data: Sandfly sends the same information to the syslog destination that you would see natively in the Sandfly UI. This means you can set up Sandfly to monitor your hosts and use your existing monitoring tools to view alerts, without needing to open the Sandfly UI for anything other than Sandfly configuration tasks.
Further, the data Sandfly sends contains extended attributes that let you search on a variety of keys: the status of the alert, the alert type and other important pieces of information.
Generate Test Alerts To See Syslog Output
Once you have set Sandfly up to send syslog output, it is useful to generate a few alerts so that Sandfly sends them to your syslog destination and you can confirm the path is working.
If you want to do a quick test, go onto a host and run the following command:
This will create a suspicious directory under /tmp called "...".
When you run Sandfly against this host, you will see an alert activation for a suspicious directory under /tmp. This alert is sent to your syslog server if you have set it up correctly.
After you see this alert, be sure to run "rmdir /tmp/..." to remove the directory, or you will get repeated alarms from Sandfly about the suspicious entry.
Please see the appendix on Threat Simulation on how to make more simulated attacks for Sandfly.
Adding a syslog destination is simple. Click Add Syslog and fill in the following:
Name - A readable reference name for you of what the syslog destination is.
Hostname - Hostname or IP address of the syslog destination.
UDP Port - The syslog UDP port (default is 514).
Username - Optional username.
Password - Optional password.
Send All Alerts - Send all alerts, or only alarms?
Allow Syslog UDP Port Access
Be sure the packet filter on the syslog system allows UDP traffic on that port from the Sandfly server, or you will not see any syslog data.
Click Add and the syslog destination is now active.
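When checking a new destination, it helps to have a throwaway receiver on the syslog host so you can confirm both that the packet filter lets the Sandfly server's UDP datagrams through and that the structured alert data arrives intact. The following is an added example written for this page, not Sandfly's own code: a minimal UDP syslog listener plus a parser that splits off the syslog PRI and decodes a JSON message body. It assumes the alert payload is carried as a JSON object inside the syslog message; the field names in the constructed sample datagram (alert, status, host, path) are hypothetical and are not Sandfly's schema.

```python
import json
import re
import socket
from typing import Optional

# Constructed sample datagram for testing the parser offline. The JSON fields are
# hypothetical placeholders, not Sandfly's actual alert schema.
SAMPLE_DATAGRAM = (
    '<14>Sandfly sandfly-server sandfly: '
    '{"alert": "dir_suspicious_tmp", "status": "alert", "host": "web01", "path": "/tmp/..."}'
)

# Syslog PRI header: "<N>" where N = facility * 8 + severity.
PRI_RE = re.compile(r'^<(\d{1,3})>')


def parse_syslog_datagram(raw: bytes) -> Optional[dict]:
    """Return facility, severity and the decoded JSON body of one syslog datagram.

    Returns None when the datagram has no PRI header or no parseable JSON body,
    so a stray non-syslog packet on the port is reported rather than crashing the listener.
    """
    text = raw.decode('utf-8', errors='replace')
    m = PRI_RE.match(text)
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    # Assumption: the structured alert is the first '{' through the last '}' of the message.
    start, end = text.find('{'), text.rfind('}')
    if start == -1 or end < start:
        return None
    try:
        body = json.loads(text[start:end + 1])
    except json.JSONDecodeError:
        return None
    return {"facility": facility, "severity": severity, "body": body}


def listen(bind_addr: str = "0.0.0.0", port: int = 514,
           max_messages: int = 5, timeout: float = 60.0) -> list:
    """Receive up to max_messages UDP datagrams and return (source_ip, parsed) pairs.

    A timeout with nothing received usually means the packet filter on this host is
    dropping UDP from the Sandfly server, or the destination port was entered wrong.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind((bind_addr, port))
    received = []
    try:
        while len(received) < max_messages:
            data, (src, _) = sock.recvfrom(65535)
            parsed = parse_syslog_datagram(data)
            received.append((src, parsed))
            print(f"from {src}: {parsed if parsed else data!r}")
    except socket.timeout:
        print("timed out with no datagram: check the UDP port and the packet filter")
    finally:
        sock.close()
    return received


if __name__ == "__main__":
    # Binding port 514 needs root; for a quick check you can instead bind a high port
    # and point the Sandfly syslog destination at it temporarily.
    listen()
```

Run it on the syslog host, then trigger the "..." directory test alert described above; each datagram prints with its source address, which is also a quick way to confirm the Sandfly server's address is the one your packet filter rule permits.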