Skip to content

LogSentinel Collector Configuration

Configuration via UI

The LogSentinel Collector exposes a web-based UI on port 8070 that allows you to configure multiple sources quickly. The UI is sycnrhonized with the YAML configuration so you don't have to choose one over the other

Configuration file

Below is a full reference of the configuration options for the LogSentinel Collector.

If you don't specify a data source ID, a new data source is created and the ID is automatically set.

Supported connectors

Supported collector types (all of them except syslog, netflow, honeypot, networkMonitoring and ossec support a list of entries):

  • file - watches one or more files and sends each new line as a separate event
  • database - watches one or more tables using custom queries and sends events based on a comparison column (usually timestmap or sequential ID)
  • mssqlAuditLog - watches MS SQL Server audit log (needs to be properly configured prior to starting the collector)
  • mssqlChangeTracking - watches MS SQL Server change tracking details and sends each change
  • mssqlEventLog - watches the MS SQL Server Windows logs
  • mssqlLogin - watches for MSSQL Server login events
  • windowsEventLog - watches Windows event log and sends each entry
  • exchangeAdminLog - watches the admin log of Microsoft Exchange
  • syslog - used to activate a syslog server that forwards syslog events to LogSentinel
  • sapReadAccessLog - reading SAP's RAL (Read access log)
  • netflow - used to activate a netflow v9 collector (partially compatible with IPFIX)
  • snmp - used to receive SNMP traps
  • oracle - configures auditing and FGA on Oracle DB and watches the DBA_AUDIT_TRAIL and FGA_LOGS tables (extending the database collector)
  • postgre - watches a PostgreSQL database using pgaudit
  • honeypot - acts as a decoy server on pre-defined services, prtocols and ports collecting credentials from malicious attempts
  • networkMonitoring - listens to all packets on a network interfaces, transforms them to flows and sends them to the SIEM
  • vsphere - watches VCenter events and system event logs
  • ossec - receives messages from the OSSEC endpoint agent
  • sshUser - watches remote server user activity using the "w" command
  • directory - watches a given directory for changes (files created, deleted or modified)
  • discovery - scans a given netowkr/cidr for for active IPs and every IP for running services(ssh, mysql...)
  • vaultAuditLog - listens for HashiCorp Vault audit log messages
  • leakedCredentials - watches mail server for email addresses to send for leaked credentials monitoring
  • connectivity - periodically checks if a given host is reachable
  • axonDb - used to interact with AxonDB modifications to turn them into audit trail entries

General configuration

# Data source ID (ApplicationId), OrganizationId and secret obtained from the API credentials page in the dashboard. 
# The dataSourceId can be overridden per targetType
dataSourceId: ba2f0680-5424-11e8-b88d-6f2c1b6625e8
organizationId: ba2cbc90-5424-11e8-b88d-6f2c1b6625e8
secret: d8b63c3d82a6deb56b005a3b8617bf376b6aa6c181021abd0d37e5c5ac9911a1

# The type of event being sent by default
entryType: AUDIT_LOG

# The base URL to connect to. Change only for on-premise deployments
logsentinelBaseUrl: https://api.logsentinel.com

# Keystore configurations. Use only if you need each request to be digitally signed.  
keystorePath: /path/to/keystore.jks
keystorePassword: password
keystoreAlias: alias

# Configure whether the MAC address of the machine is send as a parameter attached to each event
includeMacAddress: false

# Configure whether the local IP address of the machine is send as a parameter attached to each event
includeLocalIp: false

# Configure whether collectors that rely on timestamp to send events should start from events that 
# happen after the collector is installed, or historical events should be consumed and sent as well 
# (not applicable if historical data is not available) 
timestampInitialUseCurrent: true

# Allows trusting self-signed certificates provided by the LogSentinel service. 
# Use only for on-premise installations
trustSelfSignedCertificates: false

# Set this property if collector failover is needed. A stand-by collector is polling the main collector and is 
# ready to take over collection in case the main one fails. Make sure both collectors have identical configuration
mainCollectorUrl: http://192.168.1.1:8070

# Use this property to turn on Collector forwarding. This allows multiple collectors to be installed on-premise 
# which configure their logsentinelBaseUrl to point to the forwarding collector, which in turn forwards the logs to the SIEM server.
forwardingEnabled: false

# Allows authentication of users
authentication:
  enabled: true
  jwtSecret: testtesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttesttest
  jwtSecretVaultKey:
  usernames:
      - TestUsername

File connector

The file connector can parse files in multiple formats (Common log format, delimited, JSON, XML, MySQL audit log, etc.) and retrieve them from multiple sources (Local, SSH, FTP, SMB).

file:
  - dataSourceId: ... # override the default dataSourceId to send events to a custom one
    format: DELIMITED # one of PLAIN, DELIMITED, REGEX, GROK, XML, JSON, COMMON_LOG_FORMAT, MYSQL_LOG, SAP_SECURITY_AUDIT_LOG, HADOOP_LOG, MONGODB_AUDIT_LOG, LINUX_AUDIT_LOG, DATABASE_QUERY_LOG, CUSTOM
    sourceProtocol: LOCAL # defines how to retrieve the data, one of LOCAL, SSH, FTP, SMB, POWERSHELL
    watchFilePaths: # list of files to watch
      - /var/logs/system.log
    sendLogsRate: 30000 # how often is data sent to the LogSentinel service
    name: ... # a human-readable name for this config, useful when multiple configurations per type are used
    fileConfig:
      watchIntervalMillis: 30000 # period for checking the files for updates 
      supportRotation: true # whether log rotation is needed
      compressionType: #GLIB or ZLIP - used for reading compressed audit log files   
      fromStart: false # whether watching should start from the end or from the start of the file 
    delimitedConfig: ... # see below
    regexConfig: ... # see below
    grokConfig: ... # see below
    accessLogConfig: ... # see below
    jsonConfig: ... # see below
    xmlConfig: ... # see below
    mysqlConfig: ... # see below

    sshConfig: ... # see below
    ftpConfig: ... # see below
    smbConfig: ... # see below
    powershellConfig: ... # see below

Supported file formats

  • Delimited files
  • Regex
  • Grok
  • Common log format
  • JSON
  • XML
  • MySQL
  • Custom (execute custom python script to parse the input)
  • SAP Security Audit Log
  • Hadoop log
  • Linux audit log
  • Database query log (with one logged query per line)
  • MongoDB audit log

The first fix formats above support additional configuration, it can be specified as follows:

Delimited config

Parses text files that are delimtied with a delimiter (comma, tab, semicolon, space, pipe, etc.)

delimitedConfig:
    separator: # if the file has columns, specify the column separator (;,\t)  
    csv: #true or false, whether the CSV syntax should be observed, e.g. escaping quotes;
    actionIdx: #0-based index of the action column
    actorIdx: #0-based index of the actor column
    entityTypeIdx: #0-based index of the entityType column
    entityIdIdx: #0-based index of the entityId column

Regex config

With the regex parser fields can be extracted by specifying (optional) regex patterns. The value obtained is the one from the first capturing group.

regexConfig:
    actorIdRegex: regex
    actionRegex: regex
    entityTypeRegex: regex
    entityIdRegex: regex
    timestampRegex: regex
    paramRegexes:
      paramName1: regex
      paramName2: regex 

Grok config

Grok is a superset of regex (see here) that can be used for extracting structured data. In order to extract data via grok patterns, multiple patterns can be configured and the first one that matches the input line handles the extraction

grokConfig:
    grokPatterns:
      - pattern1
      - pattern2

Example grok patterns for parsing linux auth.log:

%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host} sshd(?:\[%{POSINT:pid}\])?: (?<action>\w+ \w+) for (invalid user )?%{DATA:actorId} from %{IPORHOST:ip} port %{NUMBER:port} ssh2(: %{GREEDYDATA:signature})?

%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host} sshd(?:\[%{POSINT:pid}\])?: (?<action>\w+ \w+) user %{DATA:actorId} from %{IPORHOST:ip}

%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host} sshd(?:\[%{POSINT:pid}\])?: pam_unix\(sshd:auth\): %{GREEDYDATA:action}; %{GREEDYDATA:auth_params} rhost=%{IPORHOST:ip}\s+user=%{GREEDYDATA:actorId}

Common Log Format (Access log) config

Access log (e.g. NginX and Apache) based on the Common Log Format If no accessLogconfig and accessLogFormat are specified, the default one is used: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"

accessLogConfig:
    # the access log format in Common Log Format
    accessLogFormat: format 
    accessLogIgnoredPaths: # option to ignore requests to a list of URIs 
      - path1
      - path2

MySQL Audit Log config

MySQL Audit Log in both the new and old format is supported. The database credentials are needed for initialization purposes:

mysqlConfig:
  - connectionString: jdbc:mysql://localhost:3306/ - database connection string
    username: root database user
    password: pass database password

JSON config

Parse JSON-based log files where each line is a seprate JSON object. In addition to extracting data with JSONPath, regex can be used to further narrow down the required value within the values returned by the JSONPath.

jsonConfig:
  actorIdPath: ... # JSONPath for actorId
  actorIdRegex: ... # regex for actorId
  actorDisplayNamePath: ... # JSONPath for actorDisplayName
  actorDisplayNameRegex: ... # regex for actorDisplayName
  actionPath: ... # JSONPath for action
  actionRegex: ... # regex for action
  entityTypePath: ... # JSONPath for entityType
  entityTypeRegex: ... # regex for entityType
  entityIdPath: ... # JSONPath for entityId
  entityIdRegex: ... # regex for entityId

XML config

Parse XML-based log files where a log element is repeated. In addition to extracting data with XPath, regex can be used to further narrow down the required value within the values returned by the XPath.

xmlConfig:
  logElementName: ... # the name of the opening log element, e.g. logrecord for <logrecord>
  actorIdPath: ... # XPath for actorId
  actorIdRegex: ... # regex for actorId
  actorDisplayNamePath: ... # XPath for actorDisplayName
  actorDisplayNameRegex: ... # regex for actorDisplayName
  actionPath: ... # XPath for action
  actionRegex: ... # regex for action
  entityTypePath: ... # XPath for entityType
  entityTypeRegex: ... # regex for entityType
  entityIdPath: ... # XPath for entityId
  entityIdRegex: ... # regex for entityId

Custom config

Execute a custom python script to parse each line. The script gets each line as an input and should write URL-encoded key-value pairs with parameters to the standard output (e.g. key1=value1&key2=value2). The following ones are reserved for the built-in fields: actorId, action, entityId, entityType, actorDisplayName, originalEventTimestamp. Other key-value pairs are added as params.

customConfig:
   pythonScriptFilePath: ... # absolute path to python script

The scripts can be easily tested in two ways:

  • using a test collector installation
  • using a bash script that feeds each line of the target file to the python script (example)

Pythn scripts can be generated using a visual editor within the collector, based on Blockly.

SSH Source

Fetching remote files by executing tail -f over SSH

sshConfig:
    host: ... # the host (ip or hostname) to connect to
    port: 22 # port to connect to, specify only if non-default is used
    username: ... # ssh username
    password: ... # ssh password
    privateKey: ... # path the a private key (if needed)
    privateKeyPassword: ... # password for the private key

Database connector

A generic connector to fetch logs from database tables

database:
  - jdbcConnectionString: jdbc:mysql://192.168.1.101/db # database connection string
    jdbcUsername: root # database username
    jdbcPassword: pass # database password
    sendLogsRate: 30000 # how often is data sent to the LogSentinel service
    dataSourceId: ... # override the default dataSourceId to send events to a custom one
    name: ... # a human-readable name for this config, useful when multiple configurations per type are used
    watchSqlQueries: # list of queries to be executed against the database
      - sql: select * from logs # SQL query
        # which column is used for comparing entries. Only entries with value 
        # of this column above the value of the last sent event will be processed
        criteriaColumn: timestamp
        paginationClause: # a part of the where clause for pagination, can use ${pageSize}, ${from} and ${to} variables
        pageSize: 200 # set the page size for pagination queries
        actorDisplayNameColumn: actorDisplayName # column to get the actorDisplayName
        actorIdColumns: actorId # comma separated columns that comprise the actorId
        actionColumn: action # column to be used for the action
        entityIdColumn: entityId # column to be used for entityId
        entityTypeColumn: entityType # column to be used for entityType
        entityTypeValue: entityType # a hardcoded value for entityType (alternative to specifying a column)
        actionValue: action # a hardcoded value for the action (alternative to specifying a column)
      - sql: select * from events
        criteriaColumn: timestamp2
        actorDisplayNameColumn: actorDisplayName2
        actorIdColumns: actorId2 #comma separated
        actionColumn: action2
        entityIdColumn: entityId2
        entityTypeColumn: entityType2
        entityTypeValue: entityType2
        actionValue: action2

Windows Event Log connector

Reading windows event log locally or remotely (via native interface or via powershell)

windowsEventLog:
  - name: ... # a human-readable name for this config, useful when multiple configurations per type are used
    dataSourceId: ... # override the default dataSourceId to send events to a custom one
    sourceTypes: # list of windows event log types (Application, Security, System)
      - Application
      - Security
    sources: # an optional allowlist of event log sources (providers) to be processed. 
      - Source1
      - Source2
    excludedSources: # a denylist of event sources (providers) not to be processed. Alternative to specifying "sources"
      - ExecludedSource1
    collectAllEvents: false # by default the collector fetches only a set of base events. Set this to true if all events are required
    sendLogsRate: 30000 # how often is data sent to the LogSentinel service
    mode: NATIVE # Defines whether to use the NATIVE Win32 API (default) or PowerShell commands (specified by POWERSHELL value)
    remote: # connect to a remote event log. Leave user, domain and password blank to use current user  
      user: 
      domain: 
      password:
      server: # ip address or domain name
      authMethod: # auth constant, starting from 0 https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_rpc_login_flags

Syslog connector

There is only one syslog connector that listens to both TCP and UDP and is capable of parsing any syslog message. In order to designate a source to a data source in the SIEM, a mapping between IP/host should be provided in the sourceConfigurations property. The IP address or hostname should be the one provided in the syslog header, or if the host header is missing, the IP of the sender. The "default" key can be used for a fallback datasource. Alternatively, the hostToDataSourceId map can be used for simpler mapping. It doesnt' support additional configuration options per source.

syslog:
  sourceConfigurations: # a map of source IP(s) or hostnames to data source id(s). Use "default" to match "any IP/host"
    - host: "172.10.2.12"
      dataSourceId: <data-source-id>
    - host: "device-hostname"
      dataSourceId: <data-source-id>
      excludeRegexes:
        - regexToExclude
    - host: "default"
      dataSourceId: <fallback-data-source-id>
  hostToDataSourceId: # simpler and less flexible way to configure mappings
    "172.10.2.12": <data-source-id>
    "device-hostname": <data-source-id>
    "default": <fallback-data-source-id>
  tcpPort: # TCP port to listen on, defaults to 2514
  tcpRfc6587Port: # TCP port to listen on for RFC6587 messages, defaults to 2515
  udpPort: # UDP port to listen to, defaults to 2516
  queueSize: # the number of threads to queue incoming requests
  sendLogsRate: # rate at which data is batched to the server (defaults to 0="immediate")
  name: # human-readable name of the source

NetFlow/IPFIX connector

The collector can be configured to act as a NetFlow v9 and IPFIX collector

netFlow:              # configuration for the NetFlow (v9) connector
  name: ...           # a human-readable name for this config, useful when multiple configurations per type are used
  port: 2055          # the port at which the NetFlow v9 collector listens (default port for NetFlow is 2055)
  hostToDataSourceId:   # a map of source IP(s) or hostnames to data source id(s). Use "default" to match "any IP/host"
    "172.10.2.12": <data-source-id>
    "device-hostname": <data-source-id>
    "default": <fallback-data-source-id>

sFlow connector

The collector can be configured to act as an sFlow collector

sFlow:              # configuration for the sFlow connector
  name: ...           # a human-readable name for this config, useful when multiple configurations per type are used
  port: 6343          # the port at which the sFlow collector listens (default port for sFlow is 6343)
  hostToDataSourceId:   # a map of source IP(s) to data source id(s). Use "default" to match "any IP"
    "127.0.0.1": <some-data-source-id>
    "default": <other-data-source-id>

SNMP connector

LogSentinel Collector can receive SNMP traps and forward them to the server

snmp:
  hostToDataSourceId: # a map of source IP(s) to data source id(s). Use "default" to match "any IP"
    "172.10.2.12": <some-data-source-id>
    "default": <other-data-source-id>
  port: 162 # change to override the default port

Exchange Admin Log connector

Reading Microsoft Exchange Admin log

exchangeAdminLog:
  - exchangeUrl: # url of the exchange server
    username: # username to connect with
    password: # password to connect with (if username and password are not specified, the currenet account is used)
    dateFormat: # override the default date format if needed in order to parse the dates
    sendLogsRate: 30000 # how often is data sent to the LogSentinel service
    dataSourceId: ... # override the default dataSourceId to send events to a custom one
    name: ... # a human-readable name for this config, useful when multiple configurations per type are used

MS SQL Server connectors

LogSentinel Collector support several different MS SQL Server connectors

Audit Log Connector

mssqlAuditLog:
  - jdbcConnectionString: jdbc:mysql://192.168.1.101/ # database connection string
    jdbcUsername: sa # database username
    jdbcPassword: pass # database password
    sendLogsRate: 30000 # how often is data sent to the LogSentinel service
    dataSourceId: ... # override the default dataSourceId to send events for
    name: ... # a human-readable name for this config, useful when multiple configurations per type are used
    # path where the MS SQL Server audit log file is stored. 
    # See https://docs.logsentinel.com/collector/sql-server/
    mssqlLogsPath: c:\auditlog\ 

MS SQL Server Change Tracking connector

mssqlChangeTracking:
  - jdbcConnectionString: jdbc:mysql://192.168.1.101/ # database connection string
    jdbcUsername: sa # database username
    jdbcPassword: pass # database password
    sendLogsRate: 30000 # how often is data sent to the LogSentinel service
    dataSourceId: ... # override the default dataSourceId to send events to a
    name: ... # a human-readable name for this config, useful when multiple configurations per type are used
    databases: # list of databases for which changes have to be tracked
      - db1
      - db2
    # tables for which changes should be ignored (use the full table name, including database and schema)
    ignoredTables: 
      - db1.dbo.table1
      - db2.dbo.table3
    # tables for which changes should be monitored. If not specified, all tables are monitored. 
    includedTables: 
      - db1.dbo.table1
      - db2.dbo.table3

MS SQL Server Event Log connector

mssqlEventLog:
  - ... # same properties as windowsEventLog

MS SQL Server Login connector

mssqlLogin:
  - jdbcConnectionString: jdbc:mssql://192.168.1.101/db # database connection string
    jdbcUsername: root # database username
    jdbcPassword: pass # database password
    sendLogsRate: 30000 # how often is data sent to the LogSentinel service
    dataSourceId: ... # override the default dataSourceId to send events to a custom one
    name: ... # a human-readable name for this config, useful when multiple
    includedUsers: ... # a list of users to include (the rest are ignored)
    compactDuplicateLogins: false # whether duplicate login events should be ignored

Oracle connector

The Oracle connector can be used to read Oracle audit logs. Refer to this page for the configurting the audit log.

oracle:
  - jdbcConnectionString: jdbc:oracle:thin:@192.168.1.110:1521:orcl # database connection string
    jdbcUsername: SYS AS SYSDBA # database username
    jdbcPassword: pass # database password
    sendLogsRate: 30000 # how often is data sent to the LogSentinel service
    dataSourceId: ... # override the default dataSourceId to send events to a custom one
    name: ... # a human-readable name for this config, useful when multiple configurations per type are used
    fgaPolicies: # Fine Grained Auditing policies
      - objectSchema: TESTUSER #schema
        objectName: PERSONS #table name
        policyName: testPolicy #policy name, necessary
        auditCondition: Age != 0,
        auditColumn: City,
        enabled: true
        statementTypes: SELECT, INSERT, UPDATE, DELETE
    auditPolicies: # Standard audit policies
      # available audit options see with SELECT * FROM SYS.STMT_AUDIT_OPTION_MAP
      - userName: testUser # user to which the policy applies, leave empty to apply for all users
        auditOption: UPDATE TABLE # Action that will be audited
      - auditOption: SELECT TABLE 

PostgreSQL connector

Watches a PostgreSQL database using pgaudit

postgre:
  - name: ... # a human-readable name for this config, useful when multiple configurations per type are used
    jdbcConnectionString: jdbc:postgresql://xxx.xxx.xxx:5432/postgres # the JDBC connection string
    jdbcUsername: ... # postgre username
    jdbcPassword: ... # postgre password
    sendLogsRate: 30000 # how often is data sent to the LogSentinel service in millis
    pgauditEnabled: ... # whether pgaudit is required or the native log file is used
    schemas: # schemas to monitor for audit logs
      - public
    excludedTables: # an optional list of tables to exclude from processing
      - ... 

SSH User activitiy connector

This connector monitors the result of the w command to remotely track user activity in a Linux system

sshUser:
  - dataSourceId: c04bbd80-219e-11ea-bc18-c5a6448d7eee
    name: ... # a human-readable name for this config, useful when multiple configurations per type are used
    sendLogsRate: 30000 # how often is data sent to the LogSentinel service
    sshConfig:
      host: ... # the host (ip or hostname) to connect to
      port: 22 # port to connect to, specify only if non-default is used
      username: ... # ssh username
      password: ... # ssh password
      privateKey: ... # path the a private key (if needed)
      privateKeyPassword: ... # password for the private key

Directory connector

This connector monitors directories for changes

directory:
  - watchDirPath: /var/logs # directory to watch for changes
    sendLogsRate: 30000
    dataSourceId: ... # override the default dataSourceId to send events to a custom one
    name: ... # a human-readable name for this config, useful when multiple configurations per type are used
    useDocumentApi: false # whether to use the document API (more conventient for tracking documents) 
    sendHash: false # whether to send just the hash of the file rather than the whole body
    maxFileSize: 0 # the max allowed file size to send to the server; otherwise a hash is sent; 0 means no limit (not that there's a server limit)
    skipActorId: false # whether no attempt is made to extract the actorId for each even (auditing functionality must be turned on)
    sendInBatches: true # whether to send the data in batches or in real time as events come

vShpere connector

vSphere:
  - name: # a human-readable name for this config, useful when multiple configurations per type
    username: # vCenter username
    password: # vCenter password
    serverName: # vCenter server name (IP or FQDN)
    sendLogsRate: 30000 # how often is data sent to the LogSentinel service

Leaked credentials connector

Watches mail server for email addresses to send for leaked credentials monitoring.

leakedCredentials:
  - username: # username used to connect to Exchange server
    password: # password used to connect to Exchange server
    groupName: # group name from which emails will be obtain
    ldapDN: #
    ldapProviderUrl: # url of the ldap server
    ldapPrincipal: # DN if ldap server doesn't allow reading for anonymous users
    ldapPassword: # password ldap server doesn't allow reading for anonymous users
    ldapEnabled: false # 'true' when using LDAP, 'false' when using Exchange server
    sendLogsRate: 259200000 # how often is data sent to the LogSentinel service (3 days)

SAP Read Access Log connector

sapReadAccessLog:
  - jdbcConnectionString: jdbc:mssql://192.168.1.101/db # database connection string
    jdbcUsername: root # database username
    jdbcPassword: pass # database password
    sendLogsRate: 30000 # how often is data sent to the LogSentinel service
    dataSourceId: ... # override the default dataSourceId to send events to a custom one
    name: ... # a human-readable name for this config, useful when multiple configurations per type are used

Network Monitoring

The network monitoring connector does full packet capture on a specified network interface/adapter, transforms the data to flow data and extracts information of interest, like domain names and emails.

networkMonitoring:
    name: # a human-readable name for this config, useful when multiple configurations per type
    dataSourceId: # the ID of the datasource (taken from the data source configuration in the SIEM)
    networkAdapter: # the name of the network adapter to listen to
    promiscuousMode: false # whether to use promiscuous mode

Asset Discovery connector

Enabling asset discovery by specifying CIDR to scan

discovery:
  - monitoredCidr #example cidr:v192.168.0.1/24

Change Data Capture (CDC) connector

Enabling change data capture using Debezium.

cdc:
  # Full documentation for supported databases can be found here:
  # https://debezium.io/docs/connectors/mysql/
  # https://debezium.io/docs/connectors/postgresql/
  # https://debezium.io/docs/connectors/oracle/
  # https://debezium.io/docs/connectors/sqlserver/

  # regexes to extract actor, action, entityId and entityType from stringified data provided by debezium
  - actorRegex: .*
    actionRegex: .*
    entityIdRegex: .*
    entityTypeRegex: .*
    name: ... # a human-readable name for this config, useful when multiple configurations per type are used

    # supported databases are MYSQL, ORACLE, POSTGRES, MSSQL
    database: MYSQL
    offsetFilename: offset.txt #path to file that stores current processed state
    databaseHost: localhost
    databasePort: 3306
    databaseDbname: test # database name
    databaseUser: user
    databasePassword: password
    databaseServerName: serverName # logical name, used to distingush different debezium instances (if any)
    databaseHistoryFilename: history.txt # file where the connector will write and recover DDL statements
    tableWhiteList: table1 # tables that will be monitored (only for some databases)

    # Additional properties supported by debezium can be placed here. Not supported keys are ignored
    # Can override existing hardcoded values of properties offset.flush.interval.ms and server.id
    additionalProperties:
      key1: value1

Honeypot

Enable a honeypot on various ports

honeypot:
  dataSourceId: ... # override the default dataSourceId to send events to a custom one
  testMode: false # testMode disables fetching scanner IPs(mainly for performance) and doesn't add firewall blocking rules
  ignoredCIDR: ... # list of CIDR which wont be blocked if attempted a connection
  protocols:
    - SSH
    - HTTPS
    - HTTP
    - RDP
    - SMB
    - FTP

OSSEC connector

The OSSEC connector serves as an OSSEC manager which receives messages from all the installed OSSEC/Wazuh agents.

ossec:
  hostToDataSourceId: # a map of source IP(s) to data source id(s). Use "default" to match "any IP"
    "172.10.2.12": <some-data-source-id>
    "default": <other-data-source-id>
  sendLogsRate: 30000
  queueSize: 5 
  udpPort: 1514
  agentKeys:
    agentId: key

Vault Audit Log connector

Serving as HasiCorp Vault audit device

vaultAuditLog:
  - port: 9090 # port to listen to
    name: vault-logs # human-readable name
    dataSourceId: ... # the id of the data source to send data for

Email connector

The email connector listens to incoming email and parses the messages as logs:

email:
  #imap url - replace <username> and <password> with real ones. Replace imap.gmail.com for other providers
  # Make sure Imap server accepts requests from outside (gmail does not by default)
  imapInboxUrl: imap://<username>:<password>@imap.gmail.com/INBOX
  actionRegex: .*  # regex extracting action from subject or body
  actionRegexSubject: true # search action in subject or body
  entityIdRegex: .* # regex extracting entityId from subject or body
  entityIdRegexSubject: false # search entityId in subject or body
  entityTypeRegex: .* # regex extracting entityType from subject or body
  entityTypeRegexSubject: false # search entityType in subject or body
  name: ... # a human-readable name for this config, useful when multiple configurations per type are used

Connectivity connector

Connectivity connector periodically pings a given host(configured with host, port and protocol) to check if it is reachable, and sends logs to a configured datasource

connectivity:
    dataSourceId: #Override the default dataSourceId to send events to a custom one
    targets: #A list of objects, which consist of host, port and protocol(TCP/UDP)
      - host: 127.0.0.1
        port: 80
        protocol: TCP
    scanInterval: 2000 #Interval in ms at which the targets are pinged

AxonDB connector

LogSentinel Collector can plug into the AxonDB log

axonDB:
  - trackingToken: 0 # AxonDB tracking token
    action: LOG_AXON # Hardcoded action value
    batchEnabled: false # Use batch queries
    batchInterval: 10000 # Batch interval in case batch queries are enabled
    dataSourceId: ... # override the default dataSourceId to send events to a custom one
    name: ... # a human-readable name for this config, useful when multiple configurations per type are used

HTTPS Configuration

If the collector needs to be accessed via HTTPS (rather than plain HTTP), the following configuration options need to be set:

server.ssl.key-store=/path/to/keystore.jks
server.ssl.key-store-password=password
server.ssl.key-password=password
server.ssl.keyStoreType=JKS
server.ssl.keyAlias=cert
server.ssl.enabled-protocols=TLSv1.2
server.ssl.enabled=true

Instructions on generating the keystore can be found here