
Using a remote syslog server for MAA


Article ID: 168298


Updated On:


Malware Analysis Software - MA



Note: This feature is provided on an "as-is" basis and has not been fully tested nor qualified by Blue Coat. Please use at your own risk.
Out of the box, the MA can send all system-level events to a remote syslog server using the built-in rsyslogd, which is native to most base Linux distributions. Those forwarded logs contain only system-level events; they do not include information about the tasks and verdicts generated during an MA analysis.
That capability will be expanded on and included in the base system at a future point.
The tool attached to this article installs a monitor script for completed tasks, creates the configuration needed to enable remote syslog, and ensures that the monitor is started with the other MA components. The monitor script itself subscribes to the local (redis) notification channels for completed tasks and task status changes. On task completion it takes the most relevant information and formats it to fit in a single syslog message (limited to 2048 bytes).
Information includes:
  • sample ID
  • task ID
  • SHA-256, MD5, and sample name
  • task state (usually CORE_COMPLETE)
  • the pattern hits with the highest scores, ordered from highest to lowest. The number of hits is trimmed so the message stays within the maximum syslog line length; at most 10 pattern hits are included.
Installation:
  1. Copy the file attached to this KB article to /tmp on the MA using sftp (or scp over SSH).
  2. SSH into the MA and cd /tmp.
  3. Run the script via "sudo bash". Everything is installed automatically.
  4. Edit $RSYSLOG_CONF (typically /etc/rsyslog.d/30-ma-tasklog.conf) so that it points to your syslog server. The forwarding rule installed there has the form
     ':syslogtag, contains, "MA_tasks" @@'
     and the collector's address (host and port) goes directly after the @@, for example @@192.0.2.10:514 (example address; replace with your own collector). @@ forwards over TCP, @ over UDP. Both carry the messages in cleartext; UDP additionally delivers without acknowledgement, so TCP is the safer default.
  5. Afterwards run: service rsyslog restart
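As an added example (not the attached monitor script, whose source this article does not include), the following Python sketch shows the formatting the monitor is described as doing and how the resulting line reaches rsyslog with the MA_tasks tag that the forwarding rule tests for. The record layout and field names, the constructed sample record, and the use of /dev/log as the local syslog datagram socket are assumptions; the real monitor reads the record from the redis notification channels, which is replaced here by an in-line record.

```python
"""Format an MA task-completion record as one syslog line and hand it to the
local syslog socket with the MA_tasks tag.

Added example for this article, not the attached monitor script. The record
layout, the constructed sample record and the /dev/log socket path are
assumptions; the real monitor reads the record from redis notification channels.
"""
import json
import socket

MAX_BYTES = 2048   # syslog message budget named in the article
MAX_HITS = 10      # at most 10 pattern hits per message

# Constructed example of a completed-task notification (assumed layout).
SAMPLE_TASK = {
    "sample_id": 1234,
    "task_id": 5678,
    "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "sample_name": "invoice.docm",
    "state": "CORE_COMPLETE",
    "pattern_hits": [
        {"name": "office_macro_autoopen", "score": 60},
        {"name": "drops_executable", "score": 85},
        {"name": "network_beacon", "score": 40},
    ],
}


def render(task, hits):
    """Build the key=value line for a task and an already chosen list of hits.

    The sample name is attacker-controlled: json.dumps() escapes newlines,
    quotes and non-ASCII, so a crafted filename cannot inject a second syslog
    record or a forged field into what the collector sees."""
    fields = [
        f"sample_id={task['sample_id']}",
        f"task_id={task['task_id']}",
        f"sha256={task['sha256']}",
        f"md5={task['md5']}",
        f"name={json.dumps(task['sample_name'])}",
        f"state={task['state']}",
        "hits=" + ",".join(f"{h['name']}:{h['score']}" for h in hits),
    ]
    return " ".join(fields)


def select_hits(task, max_bytes=MAX_BYTES, max_hits=MAX_HITS):
    """Highest-scoring hits first, capped at max_hits, then trimmed from the
    bottom until the rendered line fits in max_bytes."""
    hits = sorted(task["pattern_hits"], key=lambda h: h["score"], reverse=True)
    hits = hits[:max_hits]
    while hits and len(render(task, hits).encode("utf-8")) > max_bytes:
        hits = hits[:-1]
    return hits


def format_task_message(task, max_bytes=MAX_BYTES, max_hits=MAX_HITS):
    """The syslog payload for a completed task, never longer than max_bytes."""
    msg = render(task, select_hits(task, max_bytes, max_hits))
    # Last resort if an oversized name alone exceeds the budget: hard cut,
    # dropping any partial multi-byte character rather than emitting bad UTF-8.
    return msg.encode("utf-8")[:max_bytes].decode("utf-8", "ignore")


def syslog_frame(msg, facility=16, severity=6):
    """BSD syslog framing: <PRI>TAG: payload. PRI = facility*8 + severity, so
    local0 (16) + info (6) gives <134>. rsyslog exposes "MA_tasks:" as the
    syslogtag property, which the rule ':syslogtag, contains, "MA_tasks"' tests."""
    return f"<{facility * 8 + severity}>MA_tasks: {msg}".encode("utf-8")


def send_to_syslog(msg, address="/dev/log"):
    """Deliver one frame to the local syslog datagram socket (assumed path)."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        sock.connect(address)
        sock.send(syslog_frame(msg))
    finally:
        sock.close()


if __name__ == "__main__":
    line = format_task_message(SAMPLE_TASK)
    print(line)
    try:
        send_to_syslog(line)
    except OSError as exc:
        print(f"not delivered to local syslog: {exc}")
```

On the MA, `rsyslogd -N1` checks the edited configuration before the restart in step 5, and `logger -t MA_tasks test` afterwards should produce a line on the collector, since that tag satisfies the same contains-match the monitor's messages rely on.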

Attachments