Sentinel One - Connection refused


christineIT

Jun 24, 2024, 3:38:53 PM
to Wazuh | Mailing List
Hello everyone, this is my first post on this channel.
A week ago I started working with Wazuh, and it looks like a great tool. My first task has been to integrate SentinelOne logs, but I have encountered several issues.
I followed the following link.
Packages in the syslog-ng installation --> I had to uninstall and reinstall the syslog-ng packages syslog-ng-core and syslog-ng-mod-* and then change the version number manually:
@version: 3.35
@include "scl.conf"
This part is solved... great.

sudo systemctl status  syslog-ng
● syslog-ng.service - LSB: Starting system logging daemon
     Loaded: loaded (/etc/init.d/syslog-ng; generated)
     Active: active (exited) since Thu 2024-06-20 15:54:25 UTC; 19h ago
       Docs: man:systemd-sysv-generator(8)
        CPU: 2ms

Jun 20 15:54:25 ip-172-20-10-244 systemd[1]: Starting LSB: Starting system logging daemon...
Jun 20 15:54:25 ip-172-20-10-244 systemd[1]: Started LSB: Starting system logging daemon.

In the integration part of SentinelOne for TLS, the connection is shown as rejected (attached image).

[attached image: sentinelone_syslog.png]

But in the logs I do not see any problem:
INFO: Remote syslog allowed from: 'xxx.xxx.xxx.xxx'
INFO: Started (pid: 522823). Listening on port 514/TCP (syslog).
Configurations made:
ossec.conf
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>xxx.xxx.xxx.xxx</allowed-ips> <!-- SentinelOne IP -->
  </remote>

syslog-ng.conf
#TLS Config
source s_network_tls {
    network(
        transport("tls")
        port(514)  # Specify the port to listen on for TLS connections
        tls(
            key-file("/etc/syslog-ng/key.pem")
            cert-file("/etc/syslog-ng/server-cert.pem")
            peer-verify(optional-untrusted)
        )
    );
};

destination d_tls_logs {
    file("/var/log/sentinelone.log"); # Path to save the logs received over TLS
};

log { source(s_network_tls); destination(d_tls_logs); };


The indicated protocol has been followed, and port 514/TCP is open:
netstat -tuln | grep :514
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN

Can anyone help me or provide steps to follow, please?

Best regards


Leonardo Daniel Sancho

Jun 24, 2024, 9:36:25 PM
to Wazuh | Mailing List
Hello christineIT, can you ensure that the syslog information is being correctly sent from SentinelOne? One way to check this would be to enable archives. The Wazuh archives refer to the storage files created by the Wazuh server that contain logs, alerts, and other security-related data collected from monitored endpoints. Wazuh archives store all events received by the Wazuh server, whether or not they trip a rule. Wazuh archives are useful for threat hunting, as security teams use archived logs to review historical data of security incidents, analyze trends, and generate reports.

By default, Wazuh archives are disabled because they store a large number of logs on the Wazuh server. When enabled, Wazuh archives allow organizations to store and retain security data for compliance and forensic purposes. You can read more about it here: Wazuh archives - Wazuh server · Wazuh documentation

It is highly recommended that you only enable archives for testing purposes and then disable them afterwards; otherwise they may cause your storage to be completely filled up. If you see no logs coming in through the use of archives, you may have to diagnose a connectivity issue or syslog issues between your manager and SentinelOne.

In addition to this, the recommended approach when ingesting syslog would be using a Wazuh agent as a log collector. You may read more about that procedure here: Forward syslog events - Your environment · Wazuh documentation

Should issues still persist let us know.
I'll be waiting for your answer.

christineIT

Jun 25, 2024, 10:22:54 AM
to Wazuh | Mailing List
Hi Leonardo,
Thank you for your response. I will reply to you to see if we can get a solution to this issue :)
I proceeded to follow the protocol indicated in the article. Are there any other operations to be performed?
In this article, Forward syslog events - Your environment · Wazuh documentation, rsyslog is mentioned, but in the first article syslog-ng is configured. With the use of syslog-ng, rsyslog is masked.

#  systemctl status rsyslog.service
○ rsyslog.service
     Loaded: masked (Reason: Unit rsyslog.service is masked.)
     Active: inactive (dead) since Thu 2024-06-20 15:57:00 UTC; 4 days ago
   Main PID: 489006 (code=exited, status=0/SUCCESS)
        CPU: 24ms

I show the configuration of the localfile in ossec.conf that I did not show in the previous email.
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/sentinelone.log</location>
  </localfile>

/var/ossec/logs/ossec.log output:
2024/06/25 09:43:05 wazuh-remoted: INFO: Remote syslog allowed from: 'xxx.xxx.xxx.xxx'
2024/06/25 09:43:05 wazuh-remoted: INFO: Started (pid: 600699). Listening on port 1514/TCP (secure).
2024/06/25 09:43:05 wazuh-remoted: INFO: Started (pid: 600700). Listening on port 514/TCP (syslog).

xxx.xxx.xxx.xxx --> IP related to sentinelone.net

I don't understand where the error could be.

Kind regards

Leonardo Daniel Sancho

Jun 25, 2024, 2:32:08 PM
to Wazuh | Mailing List
Hello christineIT, can you show us the output of archives?

Also, the method that involves using an agent has no relation to rsyslog, which might be present in the manager. This is actually a recommended method for ingesting syslog data, as it leverages the secure communication channel between the manager and the agent. Please let us know once you perform these actions.

Have a great day!

Leonardo Daniel Sancho

Jul 3, 2024, 8:43:44 PM
to Wazuh | Mailing List
Hello christineIT, after reviewing your configuration and doing some research: the syslog ingestion that is inherent to the Wazuh manager is not to be used, but instead the one that goes through syslog-ng. Therefore, this configuration block bears no use, so it is recommended that you remove it from your manager's ossec.conf:

  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>xxx.xxx.xxx.xxx</allowed-ips> <!-- SentinelOne IP -->
  </remote>

The only section that bears any relevance to this use case is the one that contains this line:

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/sentinelone.log</location>
  </localfile>

Check the status of the syslog-ng service, and also make sure that the certificates are in the directory that was set in the syslog-ng.conf configuration file. You may also refer to the syslog-ng documentation for more information: https://www.syslog-ng.com/technical-documents/list/syslog-ng-open-source-edition/3.38

Have a great day!
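The overlap Leonardo's advice removes can be checked mechanically: both wazuh-remoted (the <remote> syslog block) and syslog-ng (the network() TLS source) are configured to bind TCP port 514, and only one process can own that socket. The script below is an added example, not part of the thread or of Wazuh; it parses constructed copies of the two config fragments quoted above and reports the ports both daemons would try to listen on. Sources without an explicit port() are skipped rather than guessing driver defaults.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copies of the config fragments quoted earlier in the thread.
OSSEC_CONF = """<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>xxx.xxx.xxx.xxx</allowed-ips>
  </remote>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/sentinelone.log</location>
  </localfile>
</ossec_config>"""

SYSLOG_NG_CONF = """source s_network_tls {
    network(
        transport("tls")
        port(514)
        tls(
            key-file("/etc/syslog-ng/key.pem")
            cert-file("/etc/syslog-ng/server-cert.pem")
            peer-verify(optional-untrusted)
        )
    );
};"""


def remoted_syslog_listeners(ossec_xml):
    """(port, protocol) for every <remote> block whose <connection> is syslog.
    Wazuh defaults: port 514, protocol udp."""
    root = ET.fromstring(ossec_xml)
    out = []
    for remote in root.iter("remote"):
        if remote.findtext("connection", "").strip() != "syslog":
            continue
        port = int(remote.findtext("port", "514").strip())
        out.append((port, remote.findtext("protocol", "udp").strip().lower()))
    return out


def syslog_ng_network_listeners(conf):
    """(port, transport) for every network() source with an explicit port()."""
    out = []
    for body in re.findall(r"network\s*\((.*?)\);", conf, re.S):
        port = re.search(r"port\s*\(\s*(\d+)\s*\)", body)
        transport = re.search(r'transport\s*\(\s*"(\w+)"\s*\)', body)
        if port:  # no port() -> driver default, deliberately not resolved here
            out.append((int(port.group(1)), transport.group(1).lower() if transport else "tcp"))
    return out


def port_conflicts(ossec_xml, conf):
    """Ports both daemons would bind; TLS rides on TCP, so tls counts as tcp."""
    ng = {(p, "tcp" if t == "tls" else t) for p, t in syslog_ng_network_listeners(conf)}
    return sorted(pp for pp in remoted_syslog_listeners(ossec_xml) if pp in ng)
```

Run against the thread's own fragments it reports (514, 'tcp'); once the <remote> block is deleted, as recommended, the list is empty and only the <localfile> entry is left to pick up /var/log/sentinelone.log.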

christineIT

Aug 1, 2024, 6:57:08 AM
to Wazuh | Mailing List
Hello Leonardo,

Just to update the topic: in the end, API integration was allowed and that worked great. The syslog part is still not working, but the integration is working now.

Thanks for your time