
Hi everyone,

Nice to join this community. This is my 1st post, as our SecOps platform was just provisioned a few days ago.

I defined and activated a forwarder in my LAN and set my Cisco router to send the logs to the specific collector, but I can't see anything in the SIEM.

How can I check if the forwarder is getting anything and what it's doing?

Thanks

Hi,

There could be several reasons why you're not seeing the logs in your SIEM tenant yet. Sometimes, it just takes a little time for the logs to appear. However, let's go through a few steps to narrow down the issue.

Check Forwarder Status

Ensure the SecOps Forwarder is running correctly. You can verify this by using Docker commands to check the status of the container:

docker ps

Make sure the forwarder container is listed and running. If not, restart the container:

docker restart <container_name_or_id>

Inspect Forwarder Logs

You can look at the logs generated by the SecOps Forwarder to see if it is receiving data and forwarding it correctly. Run the following Docker command to see the logs from the forwarder:

docker logs <container_name_or_id>

Look for any error messages or indications that the forwarder is receiving logs from the Cisco router. Common issues include misconfigured network interfaces, incorrect ports, or connectivity problems.

Check Network Configuration

  • Verify that your Cisco router is properly configured to send logs to the forwarder's IP and port.
  • Confirm that the port specified in the forwarder configuration (usually for syslog, UDP port 514) is open and not blocked by firewalls.

You can use a tool like tcpdump on the host where the forwarder is running to check if the logs are arriving:

sudo tcpdump -i eth0 port 514

(Replace eth0 with the correct network interface and adjust the port as needed.)

Check the SIEM Ingestion

In Google SecOps SIEM, check the search to see if any logs are arriving from the forwarder. This will help determine if the issue is with forwarding or SIEM ingestion.

Go to Search and type:

metadata.log_type = "CISCO_ROUTER"

If no logs appear, try expanding the time range; alternatively, try a Raw Log search.

If you still don't see any logs after these steps, feel free to reach out for further assistance.
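A complementary check to the tcpdump step in the reply above, added here as an example and not taken from the thread or from the SecOps forwarder project: a small Python UDP listener that confirms the router's syslog datagrams actually reach the host and decodes the RFC 3164 facility/severity of each one, so "nothing in the SIEM" can be split into "packets never arrive" versus "the forwarder drops them". It assumes UDP port 514 as in the reply (binding it needs root, and the forwarder container must be stopped so the port is free, or pick a test port); the self_check function sends two constructed messages to itself over loopback only to demonstrate the decoding.

```python
"""Confirm syslog datagrams reach the forwarder host and decode their PRI.

Added example, not part of the original thread or the forwarder project.
Assumptions: the router sends RFC 3164-style UDP syslog; port 514 is the
default mentioned in the thread (binding it needs root and a free port).
"""
import re
import socket
import threading
import time

# Severity names indexed by the low 3 bits of the PRI value (RFC 3164 / 5424).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(message):
    """Return (facility, severity_name, remainder) for a syslog line, or None
    when the line has no valid <PRI> prefix (the sender is not speaking
    syslog, or a stray packet hit the port)."""
    m = PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 24 facilities * 8 severities - 1 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return facility, SEVERITIES[severity], message[m.end():].strip()


def open_listener(bind_addr="0.0.0.0", port=514):
    """Bind a UDP socket; port 0 lets the OS pick a free one (used by self_check)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    sock.settimeout(1.0)
    return sock


def listen(sock, timeout_s=30.0, max_msgs=None):
    """Collect datagrams for timeout_s seconds (or until max_msgs arrive).
    Returns a list of (source_ip, facility, severity, text) and prints each
    datagram as it arrives so the function is usable interactively."""
    received = []
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline and (max_msgs is None or len(received) < max_msgs):
        try:
            data, (src_ip, _) = sock.recvfrom(65535)
        except socket.timeout:
            continue
        text = data.decode("utf-8", errors="replace")
        decoded = decode_pri(text)
        if decoded is None:
            print(f"{src_ip}: non-syslog datagram ({len(data)} bytes): {text[:80]!r}")
            received.append((src_ip, None, None, text))
            continue
        facility, severity, rest = decoded
        print(f"{src_ip}: facility={facility} severity={severity} {rest}")
        received.append((src_ip, facility, severity, rest))
    return received


def send_udp(host, port, message):
    """Send one datagram; useful for generating a test message from another box."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode("utf-8"), (host, port))


def self_check():
    """Loopback demonstration with two constructed messages: a Cisco-style
    line at local7.info (PRI 190) and a payload that is not syslog at all."""
    sock = open_listener("127.0.0.1", 0)
    port = sock.getsockname()[1]
    results = []
    worker = threading.Thread(
        target=lambda: results.extend(listen(sock, timeout_s=5.0, max_msgs=2)))
    worker.start()
    # Constructed sample messages, not captured traffic.
    send_udp("127.0.0.1", port,
             "<190>Oct 23 16:34:00 router1: %SYS-5-CONFIG_I: Configured from console")
    send_udp("127.0.0.1", port, "not syslog")
    worker.join()
    sock.close()
    return results


if __name__ == "__main__":
    # On the forwarder host (container stopped, or use a test port):
    #   sudo python3 syslog_probe.py
    with open_listener("0.0.0.0", 514) as s:
        listen(s, timeout_s=60.0)
```

Run it on the forwarder host while the router is sending; if the router's address never shows up, the problem is upstream of the forwarder (router config, routing, firewall), and the forwarder's own logs are the wrong place to keep looking.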


Thanks for the detailed guide @jansch

So, I checked the logs and it seems that I didn't put the config files in the right place, so now, after removing and restarting the docker and confirming that the 2 config files are in place (both in /opt/chronicle/config and /opt/chronicle/external), the forwarder keeps restarting:

root@NUC:/opt/chronicle/external# pwd
/opt/chronicle/external
root@NUC:/opt/chronicle/external# ll
total 16
drwxr-xr-x 2 root root 4096 Oct 23 16:34 ./
drwxr-xr-x 3 root root 4096 Oct 23 16:32 ../
-rw-r--r-- 1 root root 2575 Oct 23 16:34 auth_config.conf
-rw-r--r-- 1 root root 1135 Oct 23 16:34 config.conf

This is the docker run command:

docker run -d --name secops-forwarder --restart unless-stopped --log-opt max-size=100m --log-opt max-file=10 -e TZ=Asia/Singapore -p 10.0.0.47:514:514/udp -p 10.0.0.47:515:515/udp -p 10.0.0.47:516:516/udp -v /opt/chronicle/config:/opt/chronicle/external gcr.io/chronicle-container/cf_production_stable

Here are the last lines in the logs of the docker:

I1023 17:00:48.429136 494 run_command.go:35] Chronicle forwarder starting
W1023 17:00:48.429339 494 cflogger.go:404] Flush() not available for remote logs.
F1023 17:00:48.429347 494 uuid_command.go:141] invalid customer ID
+ kill 494 505 485
/opt/chronicle/chronicle_bin/run_forwarder.sh: line 286: kill: (494) - No such process
root@NUC:~#

The customer ID is in the config file. What can it be now?

Thanks


Based on your docker run command, there is no need to copy the config files twice to the machine.

The correct directory to place the configs is:

/opt/chronicle/config

Please remove the configs from the "/opt/chronicle/external" directory and retry.

Make sure the user you've created has access (read/write) to the /opt/chronicle directory.


Hi @jansch

Thank you for your continued assistance. I removed the config files from `/opt/chronicle/external` and reran the docker, but it's still restarting. These are the last lines of the docker logs:

I1024 07:00:28.389097 494 run_command.go:35] Chronicle forwarder starting
W1024 07:00:28.389300 494 cflogger.go:404] Flush() not available for remote logs.
F1024 07:00:28.389307 494 uuid_command.go:141] invalid customer ID
I1024 07:00:28.389997 505 run_command.go:35] Chronicle forwarder starting
I1024 07:00:28.390344 505 run_command.go:45] Forwarder ID is xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
W1024 07:00:28.390494 505 cflogger.go:404] Flush() not available for remote logs.
F1024 07:00:28.390500 505 run_command.go:60] invalid output.identity.secret_key: unexpected end of JSON input
+ kill 494 505 485
/opt/chronicle/chronicle_bin/run_forwarder.sh: line 286: kill: (494) - No such process

Any other suggestions?

Thanks a lot
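The two fatal lines in this paste are the information that matters, and picking them out of a long docker logs stream by hand is error-prone. As an added example (not from the thread or from the forwarder project), here is a small triage script for the forwarder's glog-style log lines: it counts levels, reports how many times the forwarder started, lists every fatal entry with its process ID and source location, and prints a hint for the two messages seen in this thread. The hints are my interpretation of those messages (an "unexpected end of JSON input" is Go's encoding/json error for input that ends early), not forwarder documentation, and the key name customer_id is assumed; the sample log is the paste above.

```python
"""Triage the Chronicle/SecOps forwarder's glog-style log lines.

Added example, not from the thread or the forwarder project. The HINTS table
is an interpretation of the two fatal messages seen in this thread, not
official documentation.
"""
import re
import sys
from collections import Counter

# glog line layout: <L><MM><DD> <HH:MM:SS.micro> <pid> <file>:<line>] <message>
GLOG_RE = re.compile(
    r"^(?P<level>[IWEF])(?P<month>\d{2})(?P<day>\d{2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+) "
    r"(?P<file>[^:\]]+):(?P<line>\d+)\] (?P<msg>.*)$"
)
LEVEL_NAMES = {"I": "info", "W": "warning", "E": "error", "F": "fatal"}

# Interpretation (assumption): fatal-message pattern -> what to check in config.conf.
HINTS = [
    (re.compile(r"invalid customer ID"),
     "the customer ID value in config.conf is not being read as a valid ID; re-download "
     "config.conf from the tenant's Forwarders page instead of hand-editing it"),
    (re.compile(r"invalid (?P<field>[\w.]+): unexpected end of JSON input"),
     "{field} holds a truncated JSON value (Go's encoding/json reports this when the "
     "input ends early); check that the whole service-account JSON block is present "
     "and consistently indented"),
]

# Constructed sample: the lines pasted in this thread (forwarder ID masked by the poster).
SAMPLE_LOG = """\
I1024 07:00:28.389097 494 run_command.go:35] Chronicle forwarder starting
W1024 07:00:28.389300 494 cflogger.go:404] Flush() not available for remote logs.
F1024 07:00:28.389307 494 uuid_command.go:141] invalid customer ID
I1024 07:00:28.389997 505 run_command.go:35] Chronicle forwarder starting
I1024 07:00:28.390344 505 run_command.go:45] Forwarder ID is xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
W1024 07:00:28.390494 505 cflogger.go:404] Flush() not available for remote logs.
F1024 07:00:28.390500 505 run_command.go:60] invalid output.identity.secret_key: unexpected end of JSON input
+ kill 494 505 485
/opt/chronicle/chronicle_bin/run_forwarder.sh: line 286: kill: (494) - No such process
"""


def parse_glog_line(line):
    """Return a dict for a glog line, or None for anything else (shell echo,
    wrapper-script output)."""
    m = GLOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["level"] = LEVEL_NAMES[d["level"]]
    d["pid"] = int(d["pid"])
    d["line"] = int(d["line"])
    return d


def triage(log_text):
    """Summarise a docker-logs dump: level counts, how many times the forwarder
    started, every fatal entry, and a hint per recognised fatal message."""
    entries = [e for e in map(parse_glog_line, log_text.splitlines()) if e]
    fatals = [e for e in entries if e["level"] == "fatal"]
    hints = []
    for e in fatals:
        for pattern, template in HINTS:
            m = pattern.search(e["msg"])
            if m:
                hints.append(template.format(**m.groupdict()))
                break
    return {
        "levels": dict(Counter(e["level"] for e in entries)),
        "starts": sum("forwarder starting" in e["msg"] for e in entries),
        "fatals": [(e["pid"], f"{e['file']}:{e['line']}", e["msg"]) for e in fatals],
        # A fatal during start-up combined with --restart unless-stopped is
        # exactly the "keeps restarting" symptom described in the thread.
        "crashed_on_start": bool(fatals),
        "hints": hints,
    }


def report(summary):
    """Render the triage summary as plain text for the terminal."""
    lines = [f"levels: {summary['levels']}  starts: {summary['starts']}"]
    for pid, where, msg in summary["fatals"]:
        lines.append(f"FATAL pid={pid} at {where}: {msg}")
    for h in summary["hints"]:
        lines.append(f"hint: {h}")
    if not summary["fatals"]:
        lines.append("no fatal entries; if data is still missing, look at network/ingestion instead")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: docker logs secops-forwarder 2>&1 | python3 forwarder_triage.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(report(triage(text)))
```

Pipe the container's logs into it after each restart; when the fatal list is empty and the forwarder keeps running, the next place to look is the network path and SIEM ingestion rather than the config files.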


Hi JuLenny,

It could be an issue with the forwarder config.

You can download the config and auth_conf files from SecOps SIEM -> Forwarders.

Make sure both files are placed in your /opt/chronicle/config directory, and then run docker restart again.


Hi @MartinLin, thanks for your support.

That's what I did. It didn't help.


Hi JuLenny,

make sure your directory structure looks like this:
(You can ignore the forwarderid.sig file as it will be generated automatically)

Download the "config_auth.conf" and the "config.conf" files from the SIEM tenant as mentioned by @MartinLin

Next, copy these files to your SecOps instance, ensuring that all permissions are assigned to the correct user. Inside the "config.conf" file, you'll find a field called "collector_id," which refers to the Forwarder ID. This should match the Forwarder ID on the SIEM tenant (Settings --> Forwarders).

I recommend uninstalling and reinstalling the Docker container to ensure a clean setup. This will help avoid any leftover configurations.

docker stop cfps
docker rm cfps

Afterwards, simply run the docker install command again.

