From a90680b9c15991fb926f9c36105bfccb3dde26e5 Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Fri, 10 Nov 2023 11:39:14 +0200 Subject: [PATCH] OpenVPN documentation --- .../collect/integrations/network/openvpn.md | 75 +++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 76 insertions(+) create mode 100644 docs/xdr/features/collect/integrations/network/openvpn.md diff --git a/docs/xdr/features/collect/integrations/network/openvpn.md b/docs/xdr/features/collect/integrations/network/openvpn.md new file mode 100644 index 0000000000..bf895f5030 --- /dev/null +++ b/docs/xdr/features/collect/integrations/network/openvpn.md 
@@ -0,0 +1,75 @@ +uuid: e8ca856f-8a58-490b-bea4-247b12b3d74b +name: OpenVPN +type: intake + +## Overview + +OpenVPN is an open-source virtual private network (VPN) software, offering robust encryption, secure connectivity, flexible and reliable remote access to networks for individuals and businesses globally. + + +{!_shared_content/operations_center/detection/generated/suggested_rules_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.md!} + +{!_shared_content/operations_center/integrations/generated/e8ca856f-8a58-490b-bea4-247b12b3d74b.md!} + +## Configure + +This setup guide will show you how to forward your SonicWall logs +to Sekoia.io by means of a syslog transport channel. + +### Prerequisites + +- Have an internal log concentrator (Rsyslog) + +### Enable Syslog forwarding + +1. Open the OpenVPN server configuration file (commonly found in `/etc/openvpn/server.conf`) using your preferred text editor. + + Add or modify the following lines: + + ```bash + verb 3 # Adjust verbosity level if needed + log-append /var/log/openvpn.log # Specify the log file path + log /dev/null # Disable OpenVPN's built-in logging to file + ``` + + Here, verb 3 sets the logging verbosity level, log-append specifies the log file path where OpenVPN logs will be written, and log /dev/null ensures that OpenVPN doesn't log to its internal log file. + +2. Ensure that the syslog daemon (e.g., rsyslog or syslog-ng) is properly set up and configured on your system. + + These daemons are responsible for receiving and managing log messages from various services. + + OpenVPN will log its messages to the specified log file (/var/log/openvpn.log in the above example). + + Syslog will be responsible for picking up these messages and handling them according to its configuration. + +3. Syslog Configuration + + If you are using rsyslog, you might need to create a specific configuration file for OpenVPN to tell the syslog daemon where to send the logs. 
+ + Create a new file, for instance, `/etc/rsyslog.d/openvpn.conf`, and add the following line: + + ```bash + :programname, isequal, "openvpn" -/var/log/openvpn_syslog.log + + ``` + + This line tells rsyslog to send any log messages from the OpenVPN program to `/var/log/openvpn_syslog.log`. + +4. Restart Services + + Restart the OpenVPN service to apply the changes to the configuration file: + + ```bash + sudo systemctl restart openvpn + sudo systemctl restart rsyslog # Use appropriate command for your syslog daemon + ``` + +5. Verify the syslog and the specified log file (e.g., /var/log/openvpn_syslog.log) to ensure that OpenVPN logs are being forwarded properly. + +### Forward logs to Sekoia.io + +Please consult the [Syslog Forwarding](../../../ingestion_methods/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. + +### Create the intake + +Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `OpenVPN`. diff --git a/mkdocs.yml b/mkdocs.yml index 66c8505535..59b34b4456 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -204,6 +204,7 @@ nav: - Microsoft Always On VPN: xdr/features/collect/integrations/network/microsoft_always_on_vpn.md - NetFilter: xdr/features/collect/integrations/network/netfilter.md - OPNSense: xdr/features/collect/integrations/network/opnsense.md + - OpenVPN: xdr/features/collect/integrations/network/openvpn.md - Palo Alto Next-Generation Firewall: xdr/features/collect/integrations/network/paloalto.md - pfSense: xdr/features/collect/integrations/network/pfsense.md - Pulse / Ivanti Secure Connect: xdr/features/collect/integrations/network/pulse.md
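Review bot: in the "Enable Syslog forwarding" steps of the openvpn.md hunk, the OpenVPN snippet and the rsyslog snippet do not connect. Step 1 sets `log-append /var/log/openvpn.log` and then `log /dev/null`; both are file-logging directives that redirect OpenVPN's output, so the second overrides the first and the inline comment "Disable OpenVPN's built-in logging to file" contradicts the sentence that says logs will be written to `/var/log/openvpn.log`. Step 3's filter `:programname, isequal, "openvpn" -/var/log/openvpn_syslog.log` only matches messages OpenVPN hands to syslog itself, and nothing in the hunk makes rsyslog read the file from step 1, so the text "Syslog will be responsible for picking up these messages" is not backed by the configuration shown. Suggest replacing the `log`/`log-append` pair with OpenVPN's `syslog` option so messages reach rsyslog directly and the `programname` filter applies (or, if file logging is wanted, adding an rsyslog imfile input for `/var/log/openvpn.log`), and rewording the explanatory sentences to match. Smaller points in the same hunk: the Configure intro says "forward your SonicWall logs" where it should say OpenVPN; the rsyslog fence carries a stray blank line before its closing backticks; and `sudo systemctl restart openvpn` may need to be the templated instance unit (e.g. `openvpn@server`) on distributions that ship OpenVPN that way, which the step could mention.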
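Review bot: the nav list around the mkdocs.yml hunk is ordered case-insensitively (Palo Alto, pfSense, Pulse), so the new `- OpenVPN:` entry belongs before `- OPNSense:` rather than after it; suggest moving the added line up one position to keep the ordering consistent.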