WebGUI - Menu "Services / Listener settings"

From this view you can edit the settings of a specific frontend listener.

Multiple modes are available when creating a listener :

  • TCP : Create a TCP HAProxy frontend
  • HTTP : Create an HTTP HAProxy frontend
  • LOG(Rsyslog) : Create a TCP (Haproxy->Rsyslog) or a UDP (Rsyslog) or a Vendor Cloud API frontend LOG Listener
  • LOG(Filebeat) : Create a TCP (Haproxy->Filebeat) or a UDP (Filebeat) LOG Listener

Depending on which mode you chose, configuration settings differ.

Global parameters

Some of the following configuration parameters are not used in some specific cases, mentionned for each of them.

Enable listener : You can enable or disable your listener.

Friendly Name : Here you can specify a friendly name for your listener. You cannot have multiple listeners with the same name.

Enable logging : This parameter is implicitly enabled in LOG mode.

You can enable or disable events forwarding. Mandatory if you want to select a Logs Forwarder.

Rsyslog Listening mode : Here you chose a listening mode for your input :

  • UDP (listen logs with the Rsyslog imudp module)
  • TCP (listen logs with the Rsyslog imtcp module)
  • TCP & UDP (listen logs with Rsyslog imudp and imtcp module)
  • RELP (listen logs with Rsyslog imrelp module)
  • FILE (listen logs with Rsyslog imfile module)
  • Vendor Specific API (retrieve logs from external API events collect)
  • KAFKA (collect logs from a kafka server, with Rsyslog imkafka module)
  • REDIS (collect logs from a redis server, with Rsyslog imhiredis module)

Depending on which listening mode you chose, configuration settings differs. See below for the specific configuration settings

Input logs type : Here you can select the format of input logs, for example :

  • generic_json (json formatted logs)
  • raw_to_json (no specific format, but convert logs to json)

Parser tag: #Fixme

Tags: #Fixme

Darwin policies: #Fixme

Disable Octet Counting Framing : Here you specify the Rsyslog imtcp option "SupportOctetCountedFraming", this is an advanced option, enable the option only if you know what you are doing.

rate-limiting interval: #Fixme

rate-limiting burst: #Fixme

Listeners

Listeners are not shown in LOG mode with listening mode Kafka, Redis or File. Indeed, there is no need to accept incoming trafic. Instead, Vulture will initiate a connection to the remote Databroker or read a local File to retrieve logs.

Here you can configure the listening, by configuring for each row the following parameters :

  • Listen address : Select the IP address you want to listen on
  • Port : Configure the port you want to listen on
  • TLS Profile : Not supported for now in LOG mode, here you can select a TLS Profile
  • Allow from : "Any" by default, configure a comma separated list of allowed IP addresses to connect from
  • Max src : Configure a max number of source IP addresses allowed to connect
  • Max rate : Configure a max rate

Timeout connect : Configure the allowed connect timeout (in ms) after which HAProxy will end new connection.

Timeout client : Set the maximum inactivity time on the client side.

Logs Enrichment

Tenants config : This parameter is useless if you select a mode different of LOG or if you disable logging.

Here you can select a Multi-tenants configuration, that will be used to enrich logs and select enrichment databases.

Enable reputation logging : This parameter is useless if you select a mode different of LOG or if you disable logging.

Here you can enable or disable logs enrichment with Rsyslog, by configuring parameters below.

Reputation database IPv4 : This parameter is useless if you select a mode different of LOG or if you disable logging.

Here you can select an IPv4 MMDB database to enrich logs with source and destination IPv4 addresses informations (ex: reputation).

Reputation database IPv6 : This parameter is useless if you select a mode different of LOG or if you disable logging.

Here you can select an IPv6 MMDB database to enrich logs with source and destination IPv6 addresses informations (ex: reputation).

GeoIP database (IPv4) : This parameter is useless if you select a mode different of LOG or if you disable logging.

Here you can select an GeoIP MMDB database to enrich logs with public source and destination IP addresses localization.

Reputation contexts : This parameter is useless if you select a mode different of LOG or if you disable logging.

Here you can configure more specificly the enrichment of logs by selecting and configuring 4 fields by row :

  • Enabled : Enable of disable the row
  • IOC database : Select the reputation context to use
  • Input field name : Configure the field name to send to database
  • Destination field name : Configure the field name you want to stock the result into

Logs Forwarder

This section is useless if you select a mode different of LOG or if you disable logging. You can here select Log forwarder(s). If events are correctly parsed, depending on which ruleset is configured, they will be sent to this remote log forwarder.

See Logs Forwarder to define remote log repositories.

Log condition (advanced) : This parameter is useless if you select a mode different of LOG or if you disable logging.

You can here configure an Rsyslog custom configuration bloc. Only use this parameter if you know what your doing. Using this interface you can rename parsed JSON field or add rsyslog's rainer script conditions on the log pipeline.

Custom configuration

Via this tab, you may declare custom HAProxy directives. These directives will be placed within the [Frontend] section of HAProxy configuration file related to the current Listener.

Specific settings for Rsyslog Listening Modes

FILE listening mode specific parameters

Node : Configure the node on which you want to listen on file (or kafka or redis).

File path : Specify the absolute path of the file to listen on.

Tags : Specify one or multiple comma separated tag(s) to associate on your listener.

KAFKA listening mode specific parameters

Kafka Brokers : Configure comma separated list of Kafka broker(s) to poll logs from.

Kafka topic : Configure kafka topic to poll logs from.

Kafka consumer group : Optional, configure the kafka consumer group to use to poll logs from.

REDIS listening mode specific parameters

This listener relies on rsyslog / imhiredis, and has two modes of operation :

Queue Mode, using push/pop : The queue mode will LPOP or RPOP your message from a redis list.

Following parameters are required :

  • Redis consumer mode : Set mode to "queue" to enable the queue mode
  • Redis key : The key to xPOP on
  • Redis server : The name or IP address of the redis server (Vulture's Internal redis is 127.0.0.3)
  • Redis port : The redis listening port (default is 6379)

Following parameters are optional :

  • Redis password : If set, the plugin will issue an "AUTH" command before calling xPOP
  • Use LPOP : If set to "on", LPOP will be used instead of default RPOP

Redis pipelining is used inside the workerthread, with a hardcoded batch size of #10.

Imhiredis will query Redis every second to see if entries are in the list, if that's the case they will be dequeued continuously by batches of 10 until none remains.

Due to its balance between polling interval and pipelining and its use of lists, this mode is quite performant and reliable. However, due to the 1 second polling frequency, one may consider using the subscribe mode instead if very low latency is required.

Chanel Mode, using pub/sub : The channel mode will SUBSCRIBE to a redis channel.

The "key" parameter is required and will be used for the subscribe channel.

Following parameters are required :

  • Redis consumer mode : Set mode to "subscribe" to enable the subscribe mode
  • Redis key : The key to subscribe to (aka the "channel")
  • Redis server : The name or IP address of the redis server
  • Redis port : The redis listening port

Following parameters are optional :

  • password : If set, the plugin will issue an "AUTH" command before listening to a channel
  • uselpop : Useless in channel mode

Vendor Log API listening mode specific parameters

API Parser Type : Here you can chose the technology of events you want to retrieve api events from.

The following endpoints are supported :

  • FORCEPOINT
  • AWS BUCKET
  • SYMANTEC
  • AKAMAI
  • OFFICE 365
  • IMPERVA
  • REACHFIVE
  • MONGODB
  • DEFENDER ATP
  • CORTEX XDR
  • CYBEREASON
  • CISCO MERAKI
  • PROOFPOINT TAP
  • SENTINEL ONE
  • CARBON BLACK
  • NETSKOPE
  • RAPID7 IDR
  • HARFANGLAB
  • VADESECURE
  • DEFENDER
  • CROWDSTRIKE
  • VADESECURE O365
  • NOZOMI PROBE
  • BLACKBERRY CYLANCE
  • MS SENTINEL
  • PROOFPOINT POD
  • WAF CLOUDFLARE
  • GSUITE ALERTCENTER
  • SOPHOS CLOUD
  • TRENDMICRO WORRYFREE
  • SAFENET
  • PROOFPOINT CASB
  • PROOFPOINT TRAP
  • WAF CLOUD PROTECTOR
  • TRENDMICRO VISIONONE
  • CISCO DUO
  • SENTINEL ONE MOBILE
  • CSC_DOMAINMANAGER
  • RETARUS
  • VECTRA

Use proxy : Use proxy for requests (will use System Proxy if no Custom Proxy is configured)

Custom Proxy : Url of the proxy used by the API collector (system proxy if not set)

Verify certificate : Enable the verification of the certificates used by the API endpoint

Custom certificate : Provide a custom certificate previously added in the X509 Certificates menu

Vendor Log API Forcepoint specific parameters

Forcepoint host : Beginning url of the forcepoint endpoint to retrieve events from. Logs will be collected from {forcepoint_host}/siem/logs.

Forcepoint username : Username to use to authenticate to Forcepoint API.

Forcepoint password : Password to use to authenticate to Forcepoint API.

Vendor Log API AWS bucket specific parameters

AWS Access Key Id : Key ID to use to authenticate on AWS API endpoint.

AWS Secret Access Key : Secret key to use to authenticate on AWS API endpoint.

AWS Bucket Name : Bucket name to retrieve events from.

Vendor Log API Symantec specific parameters

Symantec username : Username to use to authenticate on Symantec API endpoint.

Symantec password : Password to use to authenticate on Symantec API endpoint.

Vendor Log API Akamai specific parameters

Akamai Host : Akamai domaine name to collect events from.

Akamai Client Secret : Client Secret to use to authenticate on Akamai API endpoint.

Akamai Access Token : Access Token to use to authenticate on Akamai API endpoint.

Akamai Client Token : Client Token to use to authenticate on Akamai API endpoint.

Akamai Config ID : Config ID to use to retrieve events from Akamai API endpoint.

Vendor Log API Office365 specific parameters

Office365 Tenant ID : Tenant to use to collect events from Office365 API endpoint.

Office365 Client ID : Client ID to use to authenticate on Akamai API endpoint.

Office365 Client Secret : Client secret to use to authenticate on Akamai API endpoint.

Vendor Log API Imperva specific parameters

Imperva Base Url : Base URL to use to collect events from. It should ends with a /.

Imperva Api ID : App ID to use to authenticate on Imperva API endpoint.

Imperva Api Key : Api secret to use to authenticate on Imperva API endpoint.

Imperva Private Key : Private Key to use to decrypt collected events from Imperva API endpoint.

Vendor Log API ReachFive specific parameters

ReachFive Host : Host name to use to retrieve events from. Ex: reachfive.domain.com.

ReachFive Client ID : Client ID to use to authenticate on ReachFive API endpoint.

ReachFive Client Secret : Client Secret to use to authenticate on ReachFive API endpoint.

Vendor Log API MongoDB (Atlas) specific parameters

Mongodb API User : User to use to authenticate on MongoDB API endpoint.

MongoDB API Password : Password to use to authenticate on MongoDB API endpoint.

MongoDB API Group ID : Group ID to use to retrieve events from MongoDB API endpoint.

Vendor Log API Defender ATP specific parameters

MDATP API Tenant : Tenant ID to use to retrieve events from Defender ATP API endpoint.

MDATP API App ID : App ID to use to authenticate on Defender ATP API endpoint.

MDATP API Secret : Secret to use to authenticate on Defender ATP API endpoint.

Vendor Log API Cortex XDR specific parameters

Cortex XDR Host : Host name to use to retrieve events from API endpoint.

This parameter will be used as : https://api-{cortex_xdr_host}/public_api/v1/

Cortex XDR API Key ID : API Key ID to use to authenticate on API endpoint.

Cortex XDR API Key : API Key to use to authenticate on API endpoint.

Vendor Log API Cybereason specific parameters

Cybereason Host : Base URL (with scheme) to use to retrieve events from Cybereason API endpoint.

Cybereason Username : Username to use to authenticate on Cybereason API endpoint.

Cybereason Password : Password to use to authenticate on Cybereason API endpoint.

Vendor Log API Cisco Meraki specific parameters

Cisco Meraki API Key : API Key to use to authenticate on Cisco Meraki API endpoint.

Vendor Log API Proofpoint TAP specific parameters

Proofpoint TAP Host : Base URL to use to retrieve events from Proofpoint TAP API endpoint.

Ex: https://tap-api-v2.proofpoint.com

Proofpoint TAP Endpoint : Kind of events to retrieve from Proofpoint TAP endpoint :

  • all (/all)
  • clicks/blocked (/clicks/blocked)
  • clicks/permitted (/clicks/permitted)
  • messages/blocked (/messages/blocked)
  • messages/delivered (/messages/delivered)
  • issues (/issues)

Proofpoint TAP Principal : Principal (username) to use to authenticate on Proofpoint API endpoint.

Proofpoint TAP Secret : Secret (password) to use to authenticate on Proofpoint API endpoint.

Vendor Log API SentinelOne specific parameters

SentinelOne Host : Hostname (without scheme or path) of the SentinelOne server.

Sentinel One API key : API key used to retrieve logs - as configured in SentinelOne settings.

Sentinel One Account type : Type of account : console or user service.

Vendor Log API CarbonBlack specific parameters

CarbonBlack Host : Hostname (without scheme or path) of the CarbonBlack server.

CarbonBlack organisation name : Organisation name.

CarbonBlack API key : API key used to retrieve logs.

Vendor Log API Netskope specific parameters

Netskope Host : Hostname (without scheme or path) of the Netskope server.

Netskope API token used to retrieve events : Netskope API token.

Vendor Log API Rapid7 IDR specific parameters

rapid7 IDR Host : Hostname (without scheme or path) of the Rapid7 server.

Rapid7 IDR API key : API key used to retrieve logs.

Vendor Log API HarfangLab specific parameters

HarfangLab Host : Hostname (without scheme or path) of the HarfangLab server.

HarfangLab API key : API key to use to contact HarfangLab api.

Vendor Log API Vadesecure specific parameters

Vadesecure Host : Hostname (without scheme or path) of the Vadesecure server.

Vadesecure login : Login used to fetch the token for the Vadesecure API.

Vadesecure password : Password used to fetch the token for the Vadesecure API.

Vendor Log API Defender specific parameters

Defender token endpoint : Complete enpoint address to get an Oauth token before requesting Microsoft's APIs.

Defender OAuth client id : Client id of the OAuth endpoint to get an OAuth token before requesting Microsoft's APIs.

Defender OAuth client secret : Client secret of the OAuth endpoint to get an OAuth token before requesting Microsoft's APIs.

Vendor Log API CrowdStrike specific parameters

CrowdStrike Host : Complete enpoint address.

CrowdStrike Username : User's name.

CrowdStrike Client ID : Client ID used for authentication.

CrowdStrike Client's Secret : Client's secret used for authentication.

Vendor Log API Vadesecure 0365 specific parameters

Vadesecure O365 Host : FQDN of the API endpoint.

Vadesecure O365 tenant : Tenant.

Vadesecure O365 Client ID : Client ID used for authentication.

Vadesecure O365 Client's Secret : Client's secret used for authentication.

Vendor Log API Nozomi Probe specific parameters

Nozomi Probe Host : Hostname (without scheme or path) of the Nozomi Probe.

Nozomi Probe User : User to use to contact Nozomi probe api.

Nozomi Probe Password : Password to use to contact Nozomi probe api.

Vendor Log API Blackberry Cylance specific parameters

Blackberry Cylance Host : FQDN of the API endpoint.

Blackberry Cylance tenant : Tenant.

Blackberry Cylance Application ID : Client ID used for authentication.

Blackberry Cylance Application's Secret : Client's secret used for authentication.

Vendor Log API Microsoft Sentinel specific parameters

Microsoft Sentinel Tenant ID : Your Microsoft Tenant ID.

Microsoft Sentinel App ID : Microsoft Sentinel Client ID.

Microsoft Sentinel App Secret : Application Secret.

Microsoft Sentinel Subscription ID : Subscription ID.

Microsoft Sentinel Resource Group : Resource Group name.

Microsoft Sentinel Workspace : Workspace name.

Vendor Log API Proofpoint PoD specific parameters

Proofpoint PoD URI : Server URI.

Proofpoint PoD Cluster ID : Cluster ID.

Proofpoint PoD Authentication token : Authentication token.

Vendor Log API WAF Cloudflare specific parameters

WAF Cloudflare API token : WAF Cloudflare API token.

WAF Cloudflare zone ID : WAF Cloudflare zone ID.

Vendor Log API Google worspace alertcenter specific parameters

Google Alertcenter JSON Conf : Your JSON Conf from Google.

Google Alertcenter Admin email for delegated wrights : Google Alertcenter Admin email.

Vendor Log API Sophos Cloud specific parameters

Sophos Cloud - Client ID : Client ID.

Sophos Cloud - Client Secret : Client Secret.

Sophos Cloud - Tenant ID : Tenant ID.

Vendor Log API Trendmicro_worryfree specific parameters

Trendmicro Worryfree access token : Trendmicro Worryfree access token.

Trendmicro Worryfree secret key : Trendmicro Worryfree secret key.

Trendmicro Worryfree server name : Trendmicro Worryfree server name.

Trendmicro Worryfree server port : Trendmicro Worryfree server port.

Vendor Log API Safenet specific parameters

Safenet Tenant Code : Your Safenet Tenant Code.

Safenet API Key : Safenet Token API.

Vendor Log API Proofpoint CASB specific parameters

Proofpoint CASB API KEY : Proofpoint CASB API KEY.

Proofpoint CASB Client ID : Proofpoint CASB Client ID.

Proofpoint CASB Client Secret : Proofpoint CASB Client Secret.

Vendor Log API Proofpoint TRAP specific parameters

ProofPoint TRAP host : ProofPoint API root url.

ProofPoint TRAP API key : ProofPoint TRAP API key.

Vendor Log API WAF Cloud Protector specific parameters

WAF CloudProtector host : Hostname (without scheme or path) of the CloudProtector server.

WAF CloudProtector public key : base64 encodid public key to contact CloudProtector API.

WAF CloudProtector private key : base64 encodid private key to contact CloudProtector API.

WAF Cloud Protector provider : Provider used to retrieve event from.

WAF Cloud Protector tenant : Tenant used to retrieve event from.

WAF Cloud Protector servers : Servers to for wich to retrieve traffic and alert events.

Vendor Log API Trendmicro visionone specific parameters

Trendmicro visionone token : Trendmicro visionone token.

Vendor Log API Cisco Duo specific parameters

Cisco Duo API hostname : Cisco Duo API hostname.

Cisco Duo API ikey : Cisco Duo API integration key.

Cisco Duo API skey : Cisco Duo API secret key.

Vendor Log API Sentinel One Mobile specific parameters

Sentinel One Mobile API hostname : Sentinel One Mobile API hostname.

Sentinel One Mobile API ikey : Sentinel One Mobile API integration key.

Vendor Log API CSC DomainManager specific parameters

CSC DomainManager API Key : CSC DomainManager API Key.

CSC DomainManager Authorization : CSC DomainManager Authorization HTTP Header token prefixed by Bearer, ex: Bearer xxxx-xxxx-xxxx-xxxx.

Vendor Log API Retarus specific parameters

Retarus token : Retarus token.

Retarus channel : Retarus channel.

Vendor Log API Vectra specific parameters

Vectra url : Vectra url with scheme.

Vectra secret key : Vectra secret key.

Vectra client id : Vectra client id.

Specific settings for Filebeat Listening Mode

Filebeat Module

Fixme

Filebeat Configuration

Fixme