Splunk is one of the most well-known SIEMs. Many companies use it to gather security information all around the company/corporation to determine possible attacks and/or security breaches.
HP Printers, although with an increasing level of security are still weak enough to be a substancial target for adversaries willing to break into the company's network.
Configuring Splunk to gather Syslog information from HP printers is not as straight-forward task as expected. Although HP printers can set up syslog through their embedded web server, syslog messages do NOT have the standard syslog structure. HP printers syslog format is based on a code and then a message, removing other standard information like timestamp, device or severity.
Actually all of them goes encoded in the HP syslog messages but they need to be decoded in order any SIEM to understand these syslog messages.
The standard syslog message has the following format:
%timestamp% %source ip% %severity level%: %device%: %message%
...or any glavour of this format. See https://tools.ietf.org/html/rfc5424
However the HP printers syslog message has the following format:
%< internal_code >% %device%: %message% %optional_fields%
As it can be seen some standard information (timestamp, source_ip) is missing. This missing information is optionally sent through the optional fields. In this way, the message continue with fields like "time=20-02-2019..." or "ip=12.23.34.45".
However standard SIEMs are NOT prepared for this syslog format and need some preprocessing before gathering them.
The HP printer Splunk App
Splunk provides an app (or plugin) that gathers HP printer's information. Its name is “HP Printer Security” and it can be found at https://splunkbase.splunk.com/app/3588/.
To obtain this app it's necessary to register in the splunkbase website and log in.Once done:
- Log into Splunk Enterprise.
- On the Apps menu, click Manage Apps.
- Click Install app from file.
- In the Upload app window, click Choose File.
- Locate the .tar.gz file you just downloaded, and then click Open or Choose.
- Click Upload.
- Click Restart Splunk, and then confirm that you want to restart.
The new app appears in the left hand side of the web interface.
A short read to this plugin's README file let's us understand it's NOT an official plugin. It instead was developed by a group of students.
Reading a little bit more, we find that the plgin actually reads a syslog file (In
%timestamp% %source ip% %severity level%: %device%: %message%
...like:
e.g. 2016-12-06T17:54:25.324722+08:00 172.20.134.251 LPR.INFO: printer: peripheral low-power state.
This expected format has nothing to do with the standard HP printers syslog format.
Fixing the problem
So we need to make splunk understand that the HP printer logs comes with a different format. There are two ways to accomplish this. You can either install a syslog server so that syslog messages are copied into a local file with the appropriate format. Or you can configure splunk to convert syslog message and introduce them in the splunk database directly with the appropriate format.
The first workaround means installing syslog-ng and configuring it so that the syslog messages are save to file with a different format. This is NOT explained in this post.
The second workaround means modifying the HP printer plugin & splunk configuration to accept syslog message directly from the network interface.
Setting up splunk
To make this app work with LFP printers, it’s necessary to modify three files in the
[code] INDEXED=TRUE [severity] INDEXED=TRUE [severity_val] INDEXED=TRUE [device] INDEXED=TRUE
Then, in file %splunk%/etc/system/local/transforms.conf , we’ll calculate the values of these fields. Append the following lines into this field:
[eval1] INGEST_EVAL=code=replace(substr(_raw,1,4),"([<>])","") [eval2] INGEST_EVAL=severity_val=code%8 [eval3] INGEST_EVAL=severity=case(severity_val == "1", "LPR.ALERT", severity_val == "2", "LPR.CRITICAL", severity_val == "3", "LPR.ERROR", severity_val == "4", "LPR.WARNING", severity_val == "5", "LPR.NOTICE", severity_val == "6", "LPR.INFORMATIONAL") [eval4] INGEST_EVAL=device=mvindex(split(mvindex(split(_raw,":"),0)," "),1) [eval5] INGEST_EVAL=sourcetype="hp_printer_syslog"
Note: eval5 section could not be necessary if you were able to configure sourcetype as “hp_printer_syslog”.
The third file to modify is %splunk%/etc/system/local/props.conf. Here we tell splunk “please, use the sections I added in transforms.conf file”. To do this append the following lines to props.conf:
[linux_messages_syslog] TRANSFORMS= eval1, eval2, eval3, eval4, eval5
Now it’s necessary to restart splunk in order to charge the file modifications. This is different in every case. In linux:
%splunk%/bin/splunk restart
In windows go to Control Panel --> Administrative tools --> Services --> Locate splunk service --> Restart
In order to avoid splunk reading the test values from a file, go to %splunk%/etc/apps/printersec/default/inputs.conf and remove the sections related to file hp_print_gen.log.
Next you need to clean all test data included with the HP Printer plugin. To do this open splunk and go to Settings --> Monitoring Console and, in the Search box write:
index=”printersec” | delete
Now you can start gathering syslog information from your HP printers.
The following will be how the HP Printer plugin for Splunk will show:
Este comentario ha sido eliminado por el autor.
ResponderEliminarEste comentario ha sido eliminado por el autor.
ResponderEliminarHello I'm Anna Stewart . I'm a 123hp printer hp print service pluginInstalling and configuring the HP Print Service Plugin on mobile devices is a straightforward process. Visit the Google Play Store, search for the plugin, and download it to your Android device. Once installed, open the app and follow the on-screen instructions to set it as the default printing service. Make sure your mobile device and printer are linked to the same wireless network. Access the device's settings to locate and select the HP Print Service Plugin.
ResponderEliminarHello I'm Anna Stewart . I'm a 123hp printer hp print service pluginTo install and set up the HP Print Service Plugin on your Android device, first, ensure your device is connected to the same network as your HP printer. Then, visit the Google Play Store and search for "HP Print Service Plugin." Download and install the app. Once installed, open the app, follow the on-screen prompts to enable the plugin, and select your printer from the list of available devices. Finally, adjust any settings according to your preferences. Now, you're ready to print directly from your Android device using the HP Print Service Plugin, making printing tasks convenient and efficient.
ResponderEliminar