You can get realtime telemetry into LimaCharlie from any device that can emit Syslog. To do so, you deploy a LimaCharlie Syslog adapter on a server and then point your syslog-compatible devices at that server. The syslog feed appears as a new sensor in LimaCharlie, and its events can be run through the Detection & Response engine like any other sensor's. Follow the steps below to get this set up.
Deploy Syslog Adapter
We make the Syslog adapter available for you to run on a server either using a standalone executable, or via a Docker container.
To get started, go to Add a new sensor on the Sensors page & select Text/Syslog.
Choose or create an installation key.
Select and download the executable for your server's architecture. Then select the method you want to use to ingest the data & follow the steps outlined for configuring that method.
Alternatively, you can use our Docker container that's hosted on DockerHub.
1. Pull the container image from DockerHub using the command:
docker pull refractionpoint/lc-adapter
2. Obtain your organization ID (OID) and installation key from within the LimaCharlie web application. You'll use these two pieces of information in the command below.
You can obtain the Organization ID (OID) value from the REST API section.
You can obtain an installation key from the Install Sensors section. Copy the "Adapter Key" for the installation key that you wish to use.
3. Launch the adapter using the following command (being sure to replace the installation key and OID with the values you obtained in the prior step):
Using standalone installer:
./adapter syslog port=4444 client_options.identity.installation_key=12345-abcd-6789-efgh-i0j1k1l2m3n4o5p6q7r8 client_options.identity.oid=01234ae9-3xam-p130-0rg1-2a3b4c5d6e7f client_options.platform=text client_options.sensor_seed_key=MySeedKey "client_options.hostname=MySyslog"
Using Docker:
docker run --rm -it -p 4444:4444 refractionpoint/lc-adapter syslog port=4444 client_options.identity.installation_key=12345-abcd-6789-efgh-i0j1k1l2m3n4o5p6q7r8 client_options.identity.oid=01234ae9-3xam-p130-0rg1-2a3b4c5d6e7f client_options.platform=text client_options.sensor_seed_key=MySeedKey "client_options.hostname=MySyslog"
Note: A full list of the options available for the adapter can be found within our adapter documentation. Two practical points about the commands above: the installation key is passed on the command line, so it will be visible in your shell history and in the server's process list, and the Docker `-p 4444:4444` mapping publishes the TCP port only, so if you configure the adapter to receive syslog over UDP you must publish the UDP port as well (`-p 4444:4444/udp`).
Send a test event
You can use a tool such as netcat to send a test event to the Syslog adapter to confirm that it's working as expected. Open a new terminal window and then run through these steps.
4. Run netcat using the command:
nc 127.0.0.1 4444
5. Type a line of text to send through to syslog, such as:
This is a test line
6. Press the Return key to send the event through
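The netcat test above sends a bare line of text. Real devices send syslog lines with an RFC 5424 (or RFC 3164) `<PRI>` prefix encoding facility and severity, and that is the line the adapter will receive. The following script is an added example, not code from the LimaCharlie documentation or the adapter itself: it builds a correctly framed syslog line, sends newline-delimited lines over TCP exactly as `nc` does in the walkthrough, and, so that it runs offline, includes a small capture server standing in for the adapter's listener. The default address and port (127.0.0.1:4444), the assumption that the adapter reads newline-delimited TCP input, and the sample sshd message are all constructed for this example.

```python
import socket
import threading
from datetime import datetime, timezone

# Assumed defaults matching the walkthrough: the adapter listens on TCP 4444.
ADAPTER_HOST = "127.0.0.1"
ADAPTER_PORT = 4444

# Standard syslog facility and severity codes (RFC 5424, not LimaCharlie-specific).
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Fixed timestamp so the formatted line is reproducible.
FIXED_TS = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)


def priority(facility, severity):
    """PRI value carried in the <PRI> prefix: facility * 8 + severity."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def decode_priority(pri):
    """Inverse of priority(): returns (facility_code, severity_code)."""
    return pri // 8, pri % 8


def format_syslog(facility, severity, hostname, appname, msg, timestamp=None):
    """Build an RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG."""
    ts = (timestamp or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{priority(facility, severity)}>1 {ts} {hostname} {appname} - - - {msg}"


def send_lines(lines, host=ADAPTER_HOST, port=ADAPTER_PORT, timeout=5.0):
    """Send newline-delimited lines over TCP, the same framing nc uses; returns bytes sent."""
    payload = "".join(line + "\n" for line in lines).encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
    return len(payload)


class CaptureServer:
    """Stand-in for the adapter's TCP listener so the example runs without LimaCharlie."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0 asks the OS for a free port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.lines = []
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:  # client closed the connection
                    break
                buf += chunk
            # Each newline-delimited line is one event, as in the netcat test.
            self.lines = buf.decode("utf-8").splitlines()

    def wait(self, timeout=5.0):
        """Block until the client has disconnected, then return the captured lines."""
        self._thread.join(timeout)
        self.sock.close()
        return self.lines


def demo():
    """Send one device-style line and one bare test line to the local capture server."""
    server = CaptureServer()
    lines = [
        format_syslog("auth", "info", "MySyslog", "sshd",
                      "Accepted publickey for alice from 10.0.0.5 port 51234", FIXED_TS),
        "This is a test line",
    ]
    send_lines(lines, port=server.port)
    return server.wait()


if __name__ == "__main__":
    for line in demo():
        print(line)
```

To test against a running adapter instead of the capture server, call `send_lines([...])` with no port override (or pass the adapter host's address); the lines should then appear on the sensor's Timeline as in the verification steps below. Note that the first line arrives with its `<38>` prefix (auth facility 4, info severity 6), which is what your Detection & Response rules will see from real devices.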
Verify test event
7. In the terminal where the adapter is running, you should now see a new connection logged, as confirmed by the text: `handling new connection from `
8. In the LimaCharlie web app navigate to the Sensors section. You should see a new sensor appear with the hostname you specified previously (MySyslog).
9. Click on the sensor and view the Timeline. You should see the event you sent.
Point your devices to the Syslog server
10. You may now point your devices at the Syslog server using its address and the port you specified previously (4444). Restrict that port at the server's firewall to the devices that actually send syslog: unless you configure TLS, the adapter is receiving plaintext log data over the network, and anything that can reach the port can inject events into the sensor.
Next Steps
Now that you have data flowing into LimaCharlie, you can use the Detection & Response engine to detect anomalous behaviour and take action, such as sending notifications and performing automation actions.