GitHub: Zabbix template for monitoring data collection tasks in MaxPatrol SIEM



Today a SIEM is the main tool for analysing information-security events: it is hard to imagine how long it would take to review the logs from dozens of sources by hand. At the same time, a source silently ceasing to deliver data is a fairly common SIEM problem, and it cannot always be solved with built-in means, yet losing events at the wrong moment can be tantamount to a disaster. To keep valuable information from disappearing, we implemented an external check of MaxPatrol SIEM operation: a template for the Zabbix monitoring system and a Python script, which we are ready to share. Details and the GitHub link are below the cut.

In theory, this problem can be solved without extra add-ons, for example with the SIEM's own correlation rules that track either problems with data collection or the arrival of events. In the first case you would have to collect the logs of every collector, which increases the event flow (not always acceptable for licensing reasons) and requires a separate normalization for each type of collector.

In the second case, correlation rules are written that react to the absence of events from a particular source. Even setting aside the difficulty of splitting events by source (which depends on the source type and the collection method), the whole event stream then has to pass through fairly heavy rules, which at times raises the hardware requirements. Most importantly, both options only flag the problem; the data flow still has to be restored by hand.

MaxPatrol SIEM does provide mechanisms for monitoring both task status and the flow from data sources. But if a source has "dropped off" and the number of automatic reconnection attempts has been exhausted, or the event flow from the source has stopped, the data collection task is not restarted automatically.

The script we propose works as an external check and runs on the Zabbix server. It monitors the status of a data collection task and restarts it automatically (just as you would do manually through the interface).

We paid special attention to security, because access to the SIEM requires credentials. The script keeps the sensitive data encrypted in a configuration file on the Zabbix server; the key is embedded in the script itself, which is compiled into a binary. This makes life harder for anyone who wants to obtain the credentials without authorization. The point here is not so much the "evil hacker" who can decompile the binary (an embedded key is obfuscation rather than a cryptographic boundary, so file permissions on the configuration file and the binary still matter) but the employees who maintain the Zabbix server when the server and the SIEM are run by different departments.
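The check-and-restart loop described above, as an added illustration that is not the script from the article's repository. It does not reproduce the MaxPatrol SIEM API: `get_task_status`/`restart_task` are an assumed client interface, `FakeSiem` is a constructed stand-in, and the return values 0/1/2 are an assumed convention for what the external check hands to Zabbix. `config_is_private` shows the file-permission check that should accompany any credentials file, whether or not its contents are encrypted.

```python
"""
Illustrative external check for a SIEM data-collection task (added example,
not the article's script). The SIEM API is NOT reproduced: any object with
get_task_status(task_id) -> str and restart_task(task_id) -> None works.
"""
import os
import stat
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed convention for the value returned to Zabbix by this example:
OK = 0          # task running, nothing done
RESTARTED = 1   # task was not running; a restart brought it back
FAILED = 2      # task not running and the allowed restarts did not help

RUNNING, STOPPED, ERROR = "running", "stopped", "error"


def config_is_private(path: str) -> bool:
    """True if the credentials file is readable/writable by its owner only.
    Encrypting the secret with a key baked into a binary only raises the bar;
    the file mode is the control that keeps other Zabbix-server users out."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


@dataclass
class FakeSiem:
    """Constructed stand-in for the SIEM: the task comes back after
    `restarts_needed` restarts, or never when restarts_needed is None."""
    status: str
    restarts_needed: Optional[int] = 1
    restarts: int = 0
    log: List[str] = field(default_factory=list)

    def get_task_status(self, task_id: str) -> str:
        return self.status

    def restart_task(self, task_id: str) -> None:
        self.restarts += 1
        self.log.append(f"restart {task_id} #{self.restarts}")
        if self.restarts_needed is not None and self.restarts >= self.restarts_needed:
            self.status = RUNNING


def check_and_heal(siem, task_id: str, max_restarts: int = 3) -> Tuple[int, str]:
    """One check: report the task state and, if it is not running, try up to
    max_restarts restarts. Returns (value_for_zabbix, human-readable message)."""
    status_before = siem.get_task_status(task_id)
    if status_before == RUNNING:
        return OK, f"{task_id}: running"
    status = status_before
    for attempt in range(1, max_restarts + 1):
        siem.restart_task(task_id)
        status = siem.get_task_status(task_id)
        if status == RUNNING:
            return RESTARTED, f"{task_id}: was {status_before}, restarted on attempt {attempt}"
    return FAILED, f"{task_id}: still {status} after {max_restarts} restarts"


if __name__ == "__main__":
    # Constructed demo: healthy task, task fixed by one restart, task that never recovers.
    for siem in (FakeSiem(RUNNING), FakeSiem(STOPPED), FakeSiem(ERROR, restarts_needed=None)):
        value, message = check_and_heal(siem, "collector-1")
        print(value, message, siem.log)
```

In a real deployment the task identifier would come from the command line, the client would be built from the decrypted configuration, and only the numeric value would be printed so that a Zabbix trigger can fire on `FAILED` while `RESTARTED` is merely logged.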

In short, such an external SIEM check will not only detect the problem but also resolve it automatically.

GitHub Link
