Integrate with Datadog using a syslog forwarder

In this topic, you will learn how to send Portnox™ Cloud alerts to the Datadog SIEM solution using a syslog forwarder.

Note:
Portnox Cloud now has a direct Datadog integration, so this method is no longer recommended. However, we are keeping this documentation for reference purposes.

To integrate with Datadog using a syslog forwarder:

  • Deploy a machine or a virtual machine as a syslog message collector.
  • Install syslog-ng (or similar software) on this machine and accept incoming syslog events from Portnox Cloud.
  • Send the syslog events to the Datadog HTTP intake API.

In this example configuration, we are using a virtual machine in Microsoft Azure with syslog-ng.

Create a Linux virtual machine

To integrate with Datadog, you need to run syslog software on a physical or virtual machine, so that it can collect alert data from Portnox™ Cloud and send that data to Datadog. In this section, you will learn how to create and configure such a virtual machine in Microsoft Azure based on the Linux Ubuntu operating system.

  1. Open the Azure Portal dashboard in your browser.
  2. In the Azure services menu on your dashboard, click on the Create a Resource option.

  3. In the Marketplace pane, in the Search the Marketplace field, type virtual machine and press the  ↩  key. In the Virtual machine tile below, click on the Create button and select the Virtual machine option from the context menu.

  4. In the Create a virtual machine pane, enter the details for your virtual machine and then click on the Create button to create it.
    Note:
    Select one of the available Linux images, for example, Ubuntu Server 20.04 LTS - x64 Gen2 and its parameters according to your business, access, and security needs. Since the parameters of the virtual machine greatly depend on your specific environment and needs, the guidance on these parameters is beyond the scope of this guide and you should treat the example below as a lab environment only.
  5. In the virtual machine pane, note down the public IP assigned to this machine.

    You will need this public IP to configure Portnox Cloud to send alerts to the virtual machine.

  6. Create a port rule to open port 514.

    This is the standard port used by syslog software to collect alerts from external sources such as Portnox Cloud. The virtual machine must be able to accept information from Portnox Cloud on this port. You can use a different port number than 514, if needed, but then you have to modify the configuration of syslog-ng and Portnox Cloud.

    1. In the virtual machine pane, in the left-hand side menu, click on the Network settings option.

    2. On the right-hand side, click on the Create port rule button, and then select the Inbound port rule option from the context menu.

    3. In the Add inbound security rule pane, fill in the following fields and then click on the Add button:
      • In the Source field, select IP Addresses
      • In the Source IP addresses/CIDR ranges, type 23.97.155.157, 52.168.164.222 (these are the Portnox Cloud IP addresses from which information is sent to SIEM software)
      • In the Destination field, select Any
      • In the Destination port ranges field, type 514
      • In the Protocol field, select TCP
      • In the Action field, select Allow

Install and configure syslog-ng

In this section, you will install syslog-ng on the Ubuntu virtual machine that you just created, and configure it to accept events from the network and send them to Datadog.

  1. In the virtual machine pane, in the left-hand side menu, click on the Connect option.

  2. In the Connect pane, select the preferred SSH connection method to connect to the virtual machine.
    Note:
    Since the connection method depends on your specific environment, needs, and software, the guidance on the specific method is beyond the scope of this guide. For example, you can use native SSH connection using PuTTY software on Windows and the local key downloaded while creating the virtual machine.

  3. In your SSH window, type the following commands: sudo apt-get update and sudo apt-get install syslog-ng to install syslog-ng software.
  4. Then, type the following command: sudo nano /etc/syslog-ng/syslog-ng.conf to edit syslog-ng configuration.
  5. Follow the steps described in the Datadog documentation for syslog-ng to add the following configuration sections to the syslog-ng.conf file but modify them as follows:
    1. Add a new source definition to obtain logs from the network via port 514. 
      source s_network { tcp(ip(0.0.0.0) port(514)); };

      This source represents the logs incoming from Portnox Cloud.

    2. Do not add the s_files source as described in Datadog documentation, because it is not needed if the logs are collected from an external source (Portnox Cloud).
    3. In the destination section, add a pointer to the certificate authority file. 
      destination d_datadog {
    http(
        url("https://http-intake.logs.datadoghq.eu/api/v2/logs?ddsource=<SOURCE>&ddtags=<TAG_1:VALUE_1,TAG_2:VALUE_2>")
        method("POST")
        ca-file("/etc/ssl/certs/ca-certificates.crt")
        headers("Content-Type: application/json", "Accept: application/json", "DD-API-KEY: DATADOG_API_KEY")
        body("<${PRI}>1 ${ISODATE} ${HOST:--} ${PROGRAM:--} ${PID:--} ${MSGID:--} ${SDATA:--} $MSG\n")
        );
    };
      Note:
      You don’t have to add the ca-file line unless you encounter certificate-related errors when trying to connect to the Datadog HTTPS intake. You may need to modify the path to the file, if your operating system CA file is in a different location.

      Instead of the ca-file line, you can add peer-verify(no), but this is recommended only for lab purposes, because it turns off the verification of the remote peer certificate and makes man-in-the-middle attacks possible.

    4. In the log path section, instead of the configuration proposed by Datadog, add the following log path definition: 
      log { source(s_network); destination(d_datadog); };

      This means that the only logs sent to Datadog will be logs from Portnox Cloud, not the local virtual machine logs.

    5. Save your configuration to the /etc/syslog-ng/syslog-ng.conf file.

      For example, if using the nano editor, press CTRL+O to write the file and then CRTL+X to exit.

  6. In your SSH window, type the following command: sudo systemctl restart syslog-ng to restart syslog-ng after configuration changes.

Result: The syslog-ng software is configured, running, and waiting for events from Portnox Cloud.

Configure Portnox Cloud

In this section, you will learn how to configure Portnox™ Cloud to send alert data to the virtual machine with syslog-ng so that it forwards the data to the Datadog intake.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand menu, click on the Integration Services > SIEM INTEGRATION SERVICE option.

  3. Create a new SIEM integration with Datadog via the collector virtual machine.
    1. In the SIEM integration service section, click on the Add new SIEM link.

      The NEW SIEM INTEGRATION section opens.

    2. In the Type field, select the Custom option.

    3. In the Name field, enter the name for the new integration.

      In this example, we used the name Datadog but you can use any name you like.

    4. In the Status field, select the Enabled option.

    5. In the Protocol type field, select the Syslog over TCP option.

    6. In the IP field, enter the public address of your Linux virtual machine.

      If you followed this guide from the beginning and created the virtual machine in Azure, this is the IP address that you copied earlier.

    7. In the Port field, type 514.

      This is the port number that you opened on the virtual machine, which is the standard port number for syslog-ng external log collection.

    8. In the Communication method field, select the Direct option.

    9. In the Data format field, select the CEF option.

    10. Click on the Save button to add the integration.

    11. Optional: Test the configuration by clicking on the Test button.

  4. Optional: To configure the types of alerts sent to your SIEM solution, see the following topic: Portnox Cloud alerts.
    Note:
    To learn more about the content and format of alert messages sent to SIEM solutions, see the following topic: Format and content of alert information for SIEM.

    You can also send all of the Portnox Cloud activity log (activities performed by administrators in Portnox Cloud) to your SIEM solution. To do this, go to Troubleshooting > ACTIVITY LOG > Log Settings, activate the Activity log switch, and click on the Save button.

Result: Datadog is receiving alerts from Portnox Cloud.

You can confirm that, for example, by accessing the Log Explorer.