This program relies entirely on syslog, and because all appliances format logs differently, you will need to customize the log parsing function(s). If your organization uses a security information and event management system (SIEM), it can probably normalize logs to save you a ton of time writing regex.

1. Send all syslog to the SIEM.
2. Use the SIEM to normalize the logs.
3. Send the normalized logs to the box running this software (any Linux machine running syslog-ng will work) so the data server can parse them.
Run the following commands to install all required dependencies (tested on Ubuntu 14.04 x64):

```shell
sudo apt-get install python3-pip redis-server
sudo pip3 install tornado tornado-redis redis maxminddb
```
If you plan on running the DataServer on a different machine than the AttackMapServer, change `bind 127.0.0.1` to `bind 0.0.0.0` in /etc/redis/redis.conf. Redis has no authentication by default, so once it listens on all interfaces, restrict access to its port to the DataServer host (firewall rule or `requirepass`) rather than leaving it reachable from any machine.
Make sure that the WebSocket address in /AttackMapServer/index.html points to the IP address of the AttackMapServer, so the browser knows where to open the WebSocket.
Download the MaxMind GeoLite2 database, and change the db_path variable in DataServer.py to wherever you store the database.
Add your headquarters' latitude/longitude to the hqLatLng variable in index.html.
Use syslog-gen.sh to simulate dummy traffic “out of the box.”
IMPORTANT: Remember, this code will only run correctly in a production environment after personalizing the parsing functions. The default parsing function is only written to parse ./syslog-gen.sh traffic.
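As an added illustration of the customization described above and in the opening paragraph (this is example code, not the project's own DataServer.py parser), here is a parsing function for one constructed firewall log format. The `SRC=/DST=/PROTO=/DPT=` line layout, the regex and the returned record shape are assumptions; adapt them to whatever your appliance or SIEM emits. Lines without a firewall hit, and hits whose source is an RFC 1918, loopback or link-local address, are skipped because a GeoLite2 lookup has no location for them.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample syslog lines (not captured from a real appliance).
SAMPLE_LINES = [
    "Mar  3 12:00:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=22",
    "Mar  3 12:00:02 fw1 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=198.51.100.10 PROTO=UDP DPT=53",
    "Mar  3 12:00:03 fw1 sshd[123]: Accepted publickey for alice from 192.0.2.9",
]

# Assumed field layout; real appliances differ, so this regex is the part to customize.
LINE_RE = re.compile(
    r"SRC=(?P<src>[0-9.]+)\s+DST=(?P<dst>[0-9.]+)"
    r".*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

# Ranges that never resolve in a GeoIP database (private, loopback, link-local).
NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_routable(ip: ipaddress.IPv4Address) -> bool:
    return not any(ip in net for net in NON_ROUTABLE)


def parse_syslog_line(line: str) -> Optional[dict]:
    """Return the fields the map needs, or None if the line is not a usable hit."""
    m = LINE_RE.search(line)
    if not m:
        return None  # not a firewall event in the assumed format
    try:
        src = ipaddress.ip_address(m.group("src"))
        dst = ipaddress.ip_address(m.group("dst"))
    except ValueError:
        return None  # malformed address: drop rather than crash the data server
    if not is_routable(src):
        return None  # internal source, nothing to geolocate
    return {
        "src_ip": str(src),
        "dst_ip": str(dst),
        "protocol": m.group("proto").upper(),
        "dst_port": int(m.group("dpt")),
    }


def parse_lines(lines) -> list:
    """Parse a batch of syslog lines, keeping only geolocatable hits."""
    return [rec for rec in (parse_syslog_line(ln) for ln in lines) if rec]
```

Feed each record's `src_ip` to the maxminddb lookup against your GeoLite2 database; the first sample line yields a record, the second is an internal source and the third is not a firewall event, so only one hit survives.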