Rsyslog TCP with TLS support It is possible to configure SGBox to receive syslog messages over TCP with TLS. Requirements: SGBox version 5.4.1; a custom certificate must be uploaded (see Custom Certificate). Be careful: errors in the configuration can prevent the service from starting correctly. This section describes the steps: Connect to SGBox […]
Sophos Central Configuration SGBox can integrate with Sophos Central. You will need to create an API token in Sophos Central Admin to allow SGBox to access the data through the Sophos Central APIs. Once the API token is created, provide the credentials in the SGBox application and schedule the app. The […]
Rsyslog TCP support It is possible to configure SGBox to receive syslog messages over both UDP and TCP. Be careful: errors in the configuration can prevent the service from starting correctly. This section describes the steps: Connect to SGBox using a terminal (for example PuTTY). Go to Appliance Management > Syslog > […]
Install the rsyslog-gnutls package. In Ubuntu/Debian:
    apt install rsyslog-gnutls
Add the following lines to the rsyslog configuration file. In Ubuntu/Debian: /etc/rsyslog.d/50-default.conf or /etc/rsyslog.conf
    $DefaultNetStreamDriverCAFile /root/certs/chain_bundle.crt
    $DefaultNetStreamDriver gtls
    $ActionSendStreamDriverMode 1 # run driver in TLS-only mode
    $ActionSendStreamDriverAuthMode anon
    *.* @@sgbox192.sgbox.it:6514
Restart the rsyslog service:
    service rsyslog restart
SGBox custom certificate Starting from version 5.3.0 it is possible to replace the self-signed certificate by uploading a custom one. Requirements: SGBox version 5.3.0 From the web interface go to: SCM > Action > Upload custom certificate Select the certificate, the private key and the chain certificate, if present. You can also specify the name of your web […]
PLAYBOOKS A playbook is used to perform a series of actions among the available ones, preserving the state and processing the result on each subsequent action. Starting from version 5.4.1, playbooks can be used in combination with list feeds and to retrieve logs from any external API. To associate a playbook with a list feed, […]
Syslog configuration on Cisco devices This article explains how to configure Cisco devices to send logs to SGBox using the syslog protocol. All the following commands have been taken from this website: https://www.ciscopress.com/articles/article.asp?p=426638&seqNum=3 Log in to your device using a terminal program (e.g. PuTTY) and run the following commands: Cisco Switches Console> (enable) set logging […]
Create a Dashboard Dashboards are used to display important items to the administrator as soon as they log in to SGBox. They can be configured individually, so that each user puts on their dashboard the information that is relevant to them. To create a new dashboard, connect to the web interface of SGBox. SGBox > […]
Configure Threat Intelligence Queries This article explains how to create a Threat Intelligence Query, which simplifies the process of an Events Query that searches for a value in a list and takes an action. In this way, queries can be used like LCE rules or sensors. They can be scheduled to run every minute […]
Events Queries as a Sensor In version 5.3.0 we introduced Events Queries, a new mechanism to search events and produce alerts (see this section). In this article we explain how to replace a sensor with an events query, in order to gain flexibility and use fewer SGBox resources. Requirements: SGBox version 5.3.0 Pattern must […]