Questions about syslog and ArcSight

Status: RESOLVED FIXED
Product: Enterprise Information Security
Component: General
Reported 4 years ago; last modified 2 years ago
Reporter: gene, Assigned: kang

Description (Reporter, 4 years ago)
Kang has asked me to send our syslog logs from our AWS hosted Persona instances to a central server. 

https://github.com/mozilla/identity-ops/issues/112

I believe this central server or service is ArcSight. It looks like there are no existing ArcSight connectors in AWS ( https://mana.mozilla.org/wiki/display/SECURITY/ArcSight+Inventory ).

1) What is the recommended destination to send syslog logs to that originate in AWS, not in one of our physical datacenters?
2) What requirements are there for the transport path for these logs if the answer is somewhere outside of our AWS VPC?
3) What should the architecture look like for this? Is this a webserver, for example, initiating a connection to an ArcSight connector directly and pushing logs, or should there be some interim non-ArcSight centralized syslog server? (or some other layout I'm not thinking of)
4) Now that Eric Parker has left Mozilla, who is best to work with on these topics?
5) In the installation guide ( https://mana.mozilla.org/wiki/display/SECURITY/ArcSight+Connector+Installation+and+Config+Guide ), it says "The installer file can be found on any of the syslog servers in /opt/arcsight/installers". How do I get access to these servers and what are their names such that I can download the binary?
See https://mana.mozilla.org/wiki/display/SECURITY/Cloud+Logging+Guidelines

1) syslog-proxy1.scl3.mozilla.com:10514 (using SSL/TLS)
2) SSL/TLS is required
3) The architecture is on the URL; recommended is using a central syslog server in AWS and relaying from that. This syslog server needs to have its IP allowed to communicate with syslog-proxy1.scl3.mozilla.com at port 10514 on our FW in SCL3, that's mainly why.
4) You can work with me or michal on these topics in general
5) An ArcSight connector is not required; this is for our own usage in general so far. A connector does present advantages over current syslog (it caches messages if the connection breaks; this feature is not working well in rsyslog/syslog-ng free edition together with SSL).

Let me know if you have other questions or if this can be considered resolved :)
Assignee: nobody → gdestuynder
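The layout described in point 3 (a central syslog relay inside the VPC, then a TLS hop to syslog-proxy1.scl3.mozilla.com:10514), written out as an added rsyslog configuration example; this is not from the bug or the identity-ops repo, and it assumes rsyslog 7 or later with the gtls driver, with the CA file path and the relay hostname being placeholders.

```conf
# --- On each Persona instance: ship everything to the relay inside the VPC ---
# (relay.vpc.internal is a placeholder; plain TCP is fine here because the
#  traffic never leaves the VPC; the TLS requirement applies to the hop to SCL3)
*.* @@relay.vpc.internal:514

# --- On the central relay in AWS ---
module(load="imtcp")
input(type="imtcp" port="514")          # receive from the instances above

# TLS settings for the outbound hop; the CA file must be the one that signed
# the proxy's certificate (path is a placeholder)
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/syslog-proxy-ca.pem"
)

# Forward everything to the SCL3 proxy over TLS. The disk-assisted queue keeps
# messages on local disk while the connection is down and retries forever,
# which is the gap point 5 notes that an ArcSight connector otherwise fills.
action(
  type="omfwd"
  target="syslog-proxy1.scl3.mozilla.com"
  port="10514"
  protocol="tcp"
  StreamDriver="gtls"
  StreamDriverMode="1"                  # 1 = TLS required, no plaintext fallback
  StreamDriverAuthMode="x509/name"      # verify the proxy's certificate name
  StreamDriverPermittedPeers="syslog-proxy1.scl3.mozilla.com"
  queue.type="LinkedList"
  queue.filename="fwd_scl3"             # enables the on-disk spool
  queue.maxDiskSpace="1g"
  queue.saveOnShutdown="on"
  action.resumeRetryCount="-1"          # keep retrying until the proxy is back
)
```

The relay's outbound IP still has to be allowed through the SCL3 firewall as point 3 states; the queue only buffers locally, it does not change the network requirement.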
Considering it resolved; reopen if you need more help.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Component: Operations Security (OpSec): General → General
Product: mozilla.org → Enterprise Information Security