SOC.OS is able to ingest alerts via API integration or via syslog. Some security tools do not support either method, but are able to report alerts directly to a log file.
In such cases a script or third-party tool can be used to forward log file entries line-by-line over syslog.
One such option, successfully deployed using rsyslog, is detailed below; other services can also be used if preferred.
Rsyslog is an open-source software utility for forwarding log messages in an IP network. Versions are available for Windows, UNIX and Unix-like computer systems.
- Download and install the latest version of rsyslog
- Rsyslog provides a free trial period; beyond it, the Professional version is required for file monitoring functionality.
- Go to File -> Options -> Config Access and select the "Load Configuration from File" radio button (confirm the location of the config file; this can be left at the default)
- Expand Services in the left-hand panel; if "Event Log Monitor V2" is present, right-click it -> Disable Service
- Services (right click) -> Add Service -> File Monitor
  a) Complete the File and Path Name (and any other configuration as preferred, e.g. polling interval)
  b) Confirm (in toolbar) and check Enabled
- In the left-hand panel, expand Rule Sets -> Default RuleSet -> Forward Syslog -> Actions -> Rsyslog (or, if not present, right-click Actions, select Add Action -> Syslog Forwarding)
- Set the Syslog server and port to those of the SOC.OS agent, set Protocol Type to TCP, and Confirm
- Save the configuration and Start the service
- You can then exit the Config client; the service will continue running
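For the script option mentioned at the top of the page, the following added example (not SOC.OS or rsyslog code) does the same job as the File Monitor plus TCP Syslog Forwarding actions: it polls a log file, forwards only completed lines, restarts from the beginning if the file is rotated or truncated, and frames each line as an RFC 5424 message with octet counting so a TCP collector can split the stream. The file path, collector address and port, hostname and app name are placeholders.

```python
"""Forward new lines of a log file to a syslog collector over TCP.

Added example (not SOC.OS or rsyslog code). Path, host, port, hostname and
app name are placeholders; RFC 5424 message format with RFC 6587 octet-counting
framing is assumed, which is what a TCP syslog receiver normally expects.
"""
import os
import socket
import time
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def build_syslog_frame(line: str, hostname: str = "sensor01", app_name: str = "edrtool",
                       facility: int = 1, severity: int = 6,
                       ts: Optional[datetime] = None) -> bytes:
    """Wrap one log line in an RFC 5424 message and prefix its octet count."""
    pri = facility * 8 + severity                       # PRI field, e.g. user.info -> 14
    ts = ts or datetime.now(timezone.utc)
    stamp = ts.isoformat(timespec="seconds").replace("+00:00", "Z")
    msg = f"<{pri}>1 {stamp} {hostname} {app_name} - - - {line.rstrip()}".encode("utf-8")
    return f"{len(msg)} ".encode("ascii") + msg         # "<len> <msg>" lets the receiver split the stream


def read_new_lines(path: str, offset: int) -> Tuple[List[str], int]:
    """Return the complete lines appended since offset and the new offset.

    A trailing partial line is left for the next poll, and if the file is
    smaller than offset (rotated or truncated) reading restarts from 0.
    """
    size = os.path.getsize(path)
    if size < offset:
        offset = 0
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
    end = data.rfind(b"\n") + 1                         # only forward fully written lines
    lines = data[:end].decode("utf-8", errors="replace").splitlines()
    return lines, offset + end


def forward(path: str, host: str, port: int, poll_interval: float = 1.0) -> None:
    """Poll path and send each new line to host:port as one framed syslog message."""
    offset = os.path.getsize(path)                      # start at end, like a freshly enabled monitor
    with socket.create_connection((host, port)) as sock:
        while True:
            lines, offset = read_new_lines(path, offset)
            for line in lines:
                sock.sendall(build_syslog_frame(line))
            time.sleep(poll_interval)


if __name__ == "__main__":
    forward(r"C:\ProgramData\vendor\alerts.log", "192.0.2.10", 514)   # placeholder path and collector
```

Point host and port at the SOC.OS agent's TCP syslog listener, exactly as in the Syslog Forwarding action above.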