From a90680b9c15991fb926f9c36105bfccb3dde26e5 Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Fri, 10 Nov 2023 11:39:14 +0200 Subject: [PATCH 1/5] OpenVPN documentation --- .../collect/integrations/network/openvpn.md | 75 +++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 76 insertions(+) create mode 100644 docs/xdr/features/collect/integrations/network/openvpn.md diff --git a/docs/xdr/features/collect/integrations/network/openvpn.md b/docs/xdr/features/collect/integrations/network/openvpn.md new file mode 100644 index 0000000000..bf895f5030 --- /dev/null +++ b/docs/xdr/features/collect/integrations/network/openvpn.md 
@@ -0,0 +1,75 @@ +uuid: e8ca856f-8a58-490b-bea4-247b12b3d74b +name: OpenVPN +type: intake + +## Overview + +OpenVPN is an open-source virtual private network (VPN) software, offering robust encryption, secure connectivity, flexible and reliable remote access to networks for individuals and businesses globally. + + +{!_shared_content/operations_center/detection/generated/suggested_rules_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.md!} + +{!_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md!} + +## Configure + +This setup guide will show you how to forward your SonicWall logs +to Sekoia.io by means of a syslog transport channel. + +### Prerequisites + +- Have an internal log concentrator (Rsyslog) + +### Enable Syslog forwarding + +1. Open the OpenVPN server configuration file (commonly found in `/etc/openvpn/server.conf`) using your preferred text editor. + + Add or modify the following lines: + + ```bash + verb 3 # Adjust verbosity level if needed + log-append /var/log/openvpn.log # Specify the log file path + log /dev/null # Disable OpenVPN's built-in logging to file + ``` + + Here, verb 3 sets the logging verbosity level, log-append specifies the log file path where OpenVPN logs will be written, and log /dev/null ensures that OpenVPN doesn't log to its internal log file. + +2. Ensure that the syslog daemon (e.g., rsyslog or syslog-ng) is properly set up and configured on your system. + + These daemons are responsible for receiving and managing log messages from various services. + + OpenVPN will log its messages to the specified log file (/var/log/openvpn.log in the above example). + + Syslog will be responsible for picking up these messages and handling them according to its configuration. + +3. Syslog Configuration + + If you are using rsyslog, you might need to create a specific configuration file for OpenVPN to tell the syslog daemon where to send the logs. 
+ + Create a new file, for instance, `/etc/rsyslog.d/openvpn.conf`, and add the following line: + + ```bash + :programname, isequal, "openvpn" -/var/log/openvpn_syslog.log + + ``` + + This line tells rsyslog to send any log messages from the OpenVPN program to `/var/log/openvpn_syslog.log`. + +4. Restart Services + + Restart the OpenVPN service to apply the changes to the configuration file: + + ```bash + sudo systemctl restart openvpn + sudo systemctl restart rsyslog # Use appropriate command for your syslog daemon + ``` + +5. Verify the syslog and the specified log file (e.g., /var/log/openvpn_syslog.log) to ensure that OpenVPN logs are being forwarded properly. + +### Forward logs to Sekoia.io + +Please consult the [Syslog Forwarding](../../../ingestion_methods/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. + +### Create the intake + +Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `OpenVPN`. diff --git a/mkdocs.yml b/mkdocs.yml index 66c8505535..59b34b4456 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -204,6 +204,7 @@ nav: - Microsoft Always On VPN: xdr/features/collect/integrations/network/microsoft_always_on_vpn.md - NetFilter: xdr/features/collect/integrations/network/netfilter.md - OPNSense: xdr/features/collect/integrations/network/opnsense.md + - OpenVPN: xdr/features/collect/integrations/network/openvpn.md - Palo Alto Next-Generation Firewall: xdr/features/collect/integrations/network/paloalto.md - pfSense: xdr/features/collect/integrations/network/pfsense.md - Pulse / Ivanti Secure Connect: xdr/features/collect/integrations/network/pulse.md From 7236c679689fe38e1a2afaab6d15438374cd3246 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Quioc?= Date: Wed, 15 Nov 2023 10:10:12 +0100 Subject: [PATCH 2/5] Apply suggestion --- docs/xdr/features/collect/integrations/network/openvpn.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/xdr/features/collect/integrations/network/openvpn.md b/docs/xdr/features/collect/integrations/network/openvpn.md index bf895f5030..e61da10368 100644 --- a/docs/xdr/features/collect/integrations/network/openvpn.md +++ b/docs/xdr/features/collect/integrations/network/openvpn.md @@ -13,7 +13,7 @@ OpenVPN is an open-source virtual private network (VPN) software, offering robus ## Configure -This setup guide will show you how to forward your SonicWall logs +This setup guide will show you how to forward your OpenVPN logs to Sekoia.io by means of a syslog transport channel. ### Prerequisites From ac826d002884f44d0548b0daf4b8081f17468fa8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Quioc?= Date: Wed, 15 Nov 2023 10:18:57 +0100 Subject: [PATCH 3/5] Apply suggestion --- docs/xdr/features/collect/integrations/network/openvpn.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/xdr/features/collect/integrations/network/openvpn.md b/docs/xdr/features/collect/integrations/network/openvpn.md index e61da10368..a8dc666b3f 100644 --- a/docs/xdr/features/collect/integrations/network/openvpn.md +++ b/docs/xdr/features/collect/integrations/network/openvpn.md @@ -6,6 +6,8 @@ type: intake OpenVPN is an open-source virtual private network (VPN) software, offering robust encryption, secure connectivity, flexible and reliable remote access to networks for individuals and businesses globally. +!!! warning + Important note - This format is currently in beta. We highly value your feedback to improve its performance. {!_shared_content/operations_center/detection/generated/suggested_rules_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.md!} From aa9d6304414a6179a50d8ffbf6567c8e89692b20 Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc Date: Wed, 15 Nov 2023 10:36:44 +0100 Subject: [PATCH 4/5] fix(OpenVPN): move to the application category --- .../collect/integrations/{network => application}/openvpn.md | 0 mkdocs.yml | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename docs/xdr/features/collect/integrations/{network => application}/openvpn.md (100%) diff --git a/docs/xdr/features/collect/integrations/network/openvpn.md b/docs/xdr/features/collect/integrations/application/openvpn.md similarity index 100% rename from docs/xdr/features/collect/integrations/network/openvpn.md rename to docs/xdr/features/collect/integrations/application/openvpn.md diff --git a/mkdocs.yml b/mkdocs.yml index 59b34b4456..6d980a24fe 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -83,6 +83,7 @@ nav: - Nginx: xdr/features/collect/integrations/application/nginx.md - OpenLDAP: xdr/features/collect/integrations/application/openldap.md - OpenSSH: xdr/features/collect/integrations/application/openssh.md + - OpenVPN: xdr/features/collect/integrations/application/openvpn.md - RSA SecurID: xdr/features/collect/integrations/application/rsa_securid.md - SEKOIA.IO activity logs: xdr/features/collect/integrations/application/sekoiaio_activity_logs.md - Unbound: xdr/features/collect/integrations/application/unbound.md @@ -204,7 +205,6 @@ nav: - Microsoft Always On VPN: xdr/features/collect/integrations/network/microsoft_always_on_vpn.md - NetFilter: xdr/features/collect/integrations/network/netfilter.md - OPNSense: xdr/features/collect/integrations/network/opnsense.md - - OpenVPN: xdr/features/collect/integrations/network/openvpn.md - Palo Alto Next-Generation Firewall: xdr/features/collect/integrations/network/paloalto.md - pfSense: xdr/features/collect/integrations/network/pfsense.md - Pulse / Ivanti Secure Connect: xdr/features/collect/integrations/network/pulse.md From f1845f090f704b1607df49cb9b5def21beef27f8 Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc Date: Wed, 15 Nov 2023 11:04:19 +0100 Subject: [PATCH 5/5] fix(OpenVPN): improve the layout of the documentation and fix instructions about the configuration of the rsyslog forwarding --- .../collect/integrations/application/openvpn.md | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/docs/xdr/features/collect/integrations/application/openvpn.md b/docs/xdr/features/collect/integrations/application/openvpn.md index a8dc666b3f..3bcbe441a0 100644 --- a/docs/xdr/features/collect/integrations/application/openvpn.md +++ b/docs/xdr/features/collect/integrations/application/openvpn.md @@ -15,8 +15,7 @@ OpenVPN is an open-source virtual private network (VPN) software, offering robus ## Configure -This setup guide will show you how to forward your OpenVPN logs -to Sekoia.io by means of a syslog transport channel. +This setup guide will show you how to forward your OpenVPN logs to Sekoia.io by means of a syslog transport channel. ### Prerequisites 
@@ -34,28 +33,28 @@ to Sekoia.io by means of a syslog transport channel. log /dev/null # Disable OpenVPN's built-in logging to file ``` - Here, verb 3 sets the logging verbosity level, log-append specifies the log file path where OpenVPN logs will be written, and log /dev/null ensures that OpenVPN doesn't log to its internal log file. + Here, `verb 3` sets the logging verbosity level, `log-append` specifies the log file path where OpenVPN logs will be written, and `log /dev/null` ensures that OpenVPN doesn't log to its internal log file. 2. Ensure that the syslog daemon (e.g., rsyslog or syslog-ng) is properly set up and configured on your system. These daemons are responsible for receiving and managing log messages from various services. - OpenVPN will log its messages to the specified log file (/var/log/openvpn.log in the above example). + OpenVPN will log its messages to the specified log file (`/var/log/openvpn.log` in the above example). Syslog will be responsible for picking up these messages and handling them according to its configuration. 3. Syslog Configuration + Configure the syslog server to send the event to our log concentrator. + If you are using rsyslog, you might need to create a specific configuration file for OpenVPN to tell the syslog daemon where to send the logs. Create a new file, for instance, `/etc/rsyslog.d/openvpn.conf`, and add the following line: ```bash - :programname, isequal, "openvpn" -/var/log/openvpn_syslog.log + :programname, isequal, "openvpn" @ ``` - - This line tells rsyslog to send any log messages from the OpenVPN program to `/var/log/openvpn_syslog.log`. 4. Restart Services 
@@ -65,8 +64,6 @@ to Sekoia.io by means of a syslog transport channel. sudo systemctl restart openvpn sudo systemctl restart rsyslog # Use appropriate command for your syslog daemon ``` - -5. Verify the syslog and the specified log file (e.g., /var/log/openvpn_syslog.log) to ensure that OpenVPN logs are being forwarded properly. ### Forward logs to Sekoia.io
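Review bot: In the new openvpn.md (patch 1/5), the step 1 config block is self-defeating and does not feed step 3: `log-append /var/log/openvpn.log` and `log /dev/null` both set OpenVPN's log destination, and the later directive wins, so the messages the text says are written to `/var/log/openvpn.log` actually go to /dev/null. Independently, the rsyslog filter in step 3 (`:programname, isequal, "openvpn"`) matches only messages OpenVPN hands to the syslog daemon, not lines it writes to its own log file, so nothing would match even if the file were written. Suggest replacing the three directives with `verb 3` and `syslog openvpn` (OpenVPN's `--syslog [progname]` directive, which tags messages with that program name so the rsyslog rule can select them) and dropping the `/var/log/openvpn.log` references in step 2. Two smaller points in the same hunk: "forward your SonicWall logs" in the Configure intro is a leftover from another guide, and the step 3 action `-/var/log/openvpn_syslog.log` only writes a local file, so the "internal log concentrator" named in Prerequisites never receives anything.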
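Review bot: In patch 5/5, the hunk at `@@ -34,28 +33,28 @@` replaces the rsyslog action with `:programname, isequal, "openvpn" @`, which has no destination; rsyslog will reject or mis-parse the rule. It needs a target, for example `:programname, isequal, "openvpn" @@<concentrator-ip>:514` (TCP, preferable to the single-`@` UDP form, since UDP silently drops events under load), with an obvious placeholder the reader replaces. The hunk also deletes the sentence that explained what the rule does without adding a replacement; keep a one-line explanation ("This line forwards every message tagged `openvpn` to your log concentrator"). The added sentence "Configure the syslog server to send the event to our log concentrator" should read "send the events to your log concentrator". Finally, the unchanged context line `log /dev/null` shows OpenVPN still logs to a file rather than to syslog, so the `programname` filter will not match anything until step 1 uses OpenVPN's `syslog` directive instead of `log`/`log-append`.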
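Review bot: In patch 5/5, the hunk at `@@ -65,8 +64,6 @@` removes step 5, which was the only verification step in the guide, leaving the reader no way to confirm the chain works before creating the intake. Suggest replacing it rather than deleting it: `sudo rsyslogd -N1` to validate the edited rsyslog configuration, then `logger -t openvpn "forwarding test"` on the VPN host and a check on the concentrator that the message arrived, followed by a look at the intake once a real OpenVPN connection event has been generated. The original wording did need to change, since `/var/log/openvpn_syslog.log` no longer exists once the action forwards off-host, but the check itself should stay.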