Logen is a tool that generates synthetic logs for testing Sigma rules. It reads Sigma rules from files or directories, parses them, and generates synthetic log examples in the "evtx" format using ChatGPT.
Sigma is an open-source project providing a rule format and tools for creating and sharing detection rules for security operations. Logen assists security teams by generating synthetic logs based on Sigma rules, allowing them to test and verify the effectiveness of their rules.
To use Logen, you can choose between two installation options:
Logen provides precompiled ZIP files for different platforms. Download the appropriate ZIP file for your platform from the following links:
Once downloaded, extract the ZIP file to a directory of your choice. Among the extracted files, you will find the Logen executable.
Ensure that the directory containing the Logen executable is added to your system's PATH environment variable, enabling you to run Logen from any location in the command line.
Note: Logen requires Go to be installed on your system. Download and install Go from the official website: https://golang.org/dl/
Alternatively, you can use Docker to run Logen in a containerized environment. Docker provides a convenient and consistent way to set up and use Logen without worrying about dependencies or system configurations.
To install and set up Logen using Docker, make sure Docker is installed on your system. If not, download and install Docker from the official website: https://www.docker.com/get-started
Once Docker is installed, follow these steps:
- Clone the Repository: If not done already, clone the Logen repository to your local machine:
  git clone https://github.com/mtnmunuklu/logen.git
- Navigate to the Docker Directory: Go to the docker directory inside the cloned repository:
  cd tools/docker
- Build the Docker Image and Start the Container: Use the setup script to build the Docker image named logen-image:
  go run setup_docker_logen.go -rules <rulesDirectory> -config <configFile> -output <outputDirectory>
  This script handles building the Docker image and starting the container for you.
That's it! You have successfully installed Logen on your system. Proceed to the Usage section to learn how to use Logen.
If you prefer to build Logen from source, refer to the Build Instructions for detailed steps on building and installing it on your platform.
Logen provides several command-line flags for configuring its behavior:
- -filepath: Name or path of the file or directory to read.
- -config: Path to the configuration file.
- -filecontent: Base64-encoded content of the file or directory to read.
- -configcontent: Base64-encoded content of the configuration file.
- -output: Output directory for writing files.
- -cs: Case-sensitive mode.
- -apikey: API key for ChatGPT.
For more details on available flags, use the -help flag:
logen -help
Here are a few examples of using Logen:
- To generate synthetic logs from a Sigma rule file and a configuration file:
  logen -filepath /path/to/sigma/rule.yml -config /path/to/config.yml -apikey your_api_key
  or
  docker exec logen ./logen -filepath /path/to/sigma/rule.yml -config /path/to/config.yml -apikey your_api_key
- To generate synthetic logs from Sigma rule content and configuration content:
  logen -filecontent base64_encoded_rule_content -configcontent base64_encoded_config_content -apikey your_api_key
  or
  docker exec logen ./logen -filecontent base64_encoded_rule_content -configcontent base64_encoded_config_content -apikey your_api_key
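Once Logen has produced a synthetic event for a rule, the next step in testing is confirming that the event actually satisfies that rule's detection logic. The following added example (not part of Logen) checks a constructed, flattened event against the parsed detection section of a constructed Sigma rule; it supports plain equality, the `contains`, `startswith` and `endswith` modifiers, list values (OR-ed) and a `selection and not filter` condition. The rule fields, event values and function names are all constructed for illustration.

```python
# Constructed Sigma rule, already parsed from YAML into a dict (detection section only).
RULE = {
    "detection": {
        "selection": {
            "EventID": 1,
            "Image|endswith": "\\whoami.exe",
            "CommandLine|contains": ["/all", "/priv"],
        },
        # Suppress interactive use launched straight from the desktop shell.
        "filter": {"ParentImage|endswith": "\\explorer.exe"},
        "condition": "selection and not filter",
    }
}

# Constructed synthetic Sysmon-style event, flattened to field: value.
EVENT = {
    "EventID": 1,
    "Image": "C:\\Windows\\System32\\whoami.exe",
    "CommandLine": "whoami.exe /all",
    "ParentImage": "C:\\Windows\\System32\\cmd.exe",
}

def field_matches(event, key, expected):
    """One Sigma 'Field|modifier' pair; list values are OR-ed, strings compare case-insensitively."""
    name, _, modifier = key.partition("|")
    actual = str(event.get(name, "")).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    for w in map(lambda v: str(v).lower(), wanted):
        if modifier == "" and actual == w:
            return True
        if modifier == "contains" and w in actual:
            return True
        if modifier == "startswith" and actual.startswith(w):
            return True
        if modifier == "endswith" and actual.endswith(w):
            return True
    return False

def search_matches(event, search):
    """Every field in a search identifier (a map) must match (AND)."""
    return all(field_matches(event, k, v) for k, v in search.items())

def rule_matches(rule, event):
    """Evaluate conditions of the form 'X' or 'X and not Y' (a constructed subset of Sigma)."""
    detection = rule["detection"]
    cond = detection["condition"].split()
    hit = search_matches(event, detection[cond[0]])
    if len(cond) == 4 and cond[1:3] == ["and", "not"]:
        hit = hit and not search_matches(event, detection[cond[3]])
    return hit

if __name__ == "__main__":
    print("synthetic event triggers rule:", rule_matches(RULE, EVENT))
```

A `False` result means the generated log would not fire the rule, so either the rule's field names and modifiers or the generator's output need a second look before the rule is trusted.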
Contributions to Logen are welcome and encouraged! Please read the contribution guidelines before making any contributions to the project.
Logen is licensed under the MIT License. See LICENSE for the full text of the license.