Setting up a SysLog Connection
Verify Privilege Manager can push out SysLog formatted messages on a set schedule; this does not happen immediately when an event occurs. The steps below cover configuring the SysLog connection and creating the scheduled task that sends Discovery Event logs to a SysLog server.
Splunk Cloud doesn't support input directly from Verify Privilege Manager. Refer to the Splunk documentation and reach out to Splunk support as needed.
Configuring SysLog Connection
The Send policy feedback option must be enabled on every policy whose events should be sent as SysLog formatted messages; policies without it produce no SysLog output.
To configure SysLog messages in Verify Privilege Manager:
- Navigate to Admin | Configuration and select the Foreign Systems tab.
- On the SysLog page, click Create. Select a template for the messages, provide a Name and the SysLog Server Address and protocol. The default is UDP on port 514.
- Once the server is created, you can use Edit to change any of the configuration settings. The protocol drop-down options are UDP, TCP, and Devo Cloud Services (HTTPS).
- Select a protocol and supply the requested parameters, then click Save Changes. (In this example, the Devo Cloud Services (HTTPS) protocol is selected, so the URL of your Devo cloud instance must be supplied.)
Setting up SysLog Server Tasks
- After adding a new SysLog connection, go to Admin | Tasks to create the task that sends logs to your SysLog server.
- Expand the Server Tasks folder, then Foreign Systems, select SysLog and click Create.
- From the Template drop-down, select a template, for example Send SysLog Application Events.
- Add a Name for this task, an Event Name (e.g. "Verify Privilege Manager Application Events"), and an Event Severity.
- From the SysLog System drop-down, select the SysLog server foreign system configured above.
- Optionally, enter a Security Ratings Provider, depending on your other integrations. Use the "X" next to the drop-down to remove a selection.
- Click Create.
Once created, you are taken to the new Scheduled Task's page, where you can run the task on demand and/or specify how often the events received by Verify Privilege Manager (that is, all events viewed in Admin | Event Discovery) are pushed to the SysLog server. The schedule can be hourly, every 30 minutes, daily, or whatever interval you prefer.
After the task runs and completes successfully, verify that the Event Discovery events appear in your SysLog system. If nothing arrives, check first that the policies in question have Send policy feedback enabled and that the task's SysLog System points at the intended foreign system.
Template Options
The following template options are available:
- Send SysLog Application Action Events - Use this template to send application action events to your SysLog system. Application Action Events contain generic information about the application that ran: for example, the policy that was triggered, the date/time stamp, the computer, and the user.
- Send SysLog Application Justification Events - Use this template to send application justification events to your SysLog system, for example when a user runs an application that requires a justification workflow.
- Send SysLog Bad Rated Application Action Events - Use this template to send an event to your SysLog system when an application that has a bad security rating is installed or executed.
- Send SysLog Change History Events - Use this template to send change history events to your SysLog system. When this task runs for the first time, it sends all change history to your SysLog server. On subsequent runs it only sends the delta of new change history events.
- Send SysLog Events - Use this template to send all SysLog events to your SysLog system. These events are based on the different options you selected on the SysLog server during setup.
- Send SysLog Newly Discovered File Events - Use this template to send newly discovered file events to your SysLog system. For this to produce any events the Default File Inventory Policy needs to be enabled and resource discovery schedules need to be customized.
- Send SysLog Password Disclosure Events - Use this template to send all password disclosure events to your SysLog system.
Data Sources
The following five data sources can be used with the respective templates above:
- Application Control Justification Events (7d6bdbf0-8f2a-4e9c-9c7e-fa6b75803c45)
- Application Control Policy Feedback (eeb7aaf6-f675-4586-a7e3-3eb54b59ba4d)
- Recently Discovered Applications Query (b875d3a6-433c-42cc-8332-05350343e498)
- Local Security Password Disclosure Events (13d6cf4d-0132-4401-88ab-80b55301c60c)
- Application Control Policy Feedback Restricted to Security Level (4eb4ec69-d7a9-4797-972a-41855d3e7799)
If custom data sources are used, they must supply the following fields:
- externalId
- Facility
- Severity
- EventTime
- Host
- DeviceVendor
- DeviceProduct
- DeviceVersion
- Name
- CEFSeverity
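The field names above are the ones a SIEM expects from a CEF record carried inside a syslog message: DeviceVendor, DeviceProduct, DeviceVersion, Name and CEFSeverity fill the CEF header, Facility and Severity form the syslog PRI prefix, and externalId, EventTime and Host travel as extension keys. The Python below is an added example, not product code, and the page does not document the product's exact wire format, so the following are assumptions marked in the code: the CEF 0 header/extension layout and its escaping rules, RFC 5424 framing, mapping EventTime to the CEF rt key and Host to dvchost, and a caller-supplied Device Event Class ID (the page lists no such field). The sample record is constructed.

```python
"""Build a CEF-over-syslog line from the fields a custom data source must supply.

Added example, not product code. Assumed (not documented on this page): CEF 0
header/extension layout and escaping, RFC 5424 syslog framing, EventTime -> CEF
"rt" (epoch milliseconds), Host -> "dvchost", and a caller-supplied Device
Event Class ID, because the page lists no such field.
"""
from __future__ import annotations

from datetime import datetime, timezone

REQUIRED_FIELDS = (
    "externalId", "Facility", "Severity", "EventTime", "Host",
    "DeviceVendor", "DeviceProduct", "DeviceVersion", "Name", "CEFSeverity",
)

# Syslog facility and severity codes from RFC 5424 section 6.2.1.
FACILITY_CODES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITY_CODES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}


def _code(value, table: dict, limit: int) -> int:
    """Accept either a numeric code or a symbolic name and range-check it."""
    try:
        code = int(value)
    except (TypeError, ValueError):
        code = table[str(value).lower()]
    if not 0 <= code <= limit:
        raise ValueError(f"{value!r} outside 0..{limit}")
    return code


def syslog_pri(facility, severity) -> int:
    """PRI = facility * 8 + severity, the <nnn> prefix of every syslog line."""
    return _code(facility, FACILITY_CODES, 23) * 8 + _code(severity, SEVERITY_CODES, 7)


def cef_header_escape(value) -> str:
    """CEF header fields: escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_extension_escape(value) -> str:
    """CEF extension values: escape backslash and '=', encode line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef_syslog(record: dict, event_class_id: str, extra: dict | None = None) -> str:
    """Return one RFC 5424 syslog line whose MSG part is a CEF 0 record."""
    missing = [f for f in REQUIRED_FIELDS if f not in record]
    if missing:
        raise ValueError(f"custom data source is missing required fields: {missing}")
    cef_severity = int(record["CEFSeverity"])
    if not 0 <= cef_severity <= 10:
        raise ValueError("CEFSeverity must be 0..10")
    event_time = record["EventTime"]
    if event_time.tzinfo is None:
        raise ValueError("EventTime must be timezone-aware")
    event_time = event_time.astimezone(timezone.utc)

    header = "|".join([
        "CEF:0",
        cef_header_escape(record["DeviceVendor"]),
        cef_header_escape(record["DeviceProduct"]),
        cef_header_escape(record["DeviceVersion"]),
        cef_header_escape(event_class_id),
        cef_header_escape(record["Name"]),
        str(cef_severity),
    ])
    extension = {
        "externalId": record["externalId"],
        "rt": int(event_time.timestamp() * 1000),  # CEF receipt time, epoch ms
        "dvchost": record["Host"],
        **(extra or {}),
    }
    ext = " ".join(f"{k}={cef_extension_escape(v)}" for k, v in extension.items())

    pri = syslog_pri(record["Facility"], record["Severity"])
    timestamp = event_time.isoformat().replace("+00:00", "Z")
    app_name = str(record["DeviceProduct"]).replace(" ", "")  # RFC 5424 APP-NAME has no spaces
    # <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    return f"<{pri}>1 {timestamp} {record['Host']} {app_name} - - - {header}|{ext}"


# Constructed sample record; the values are illustrative, not from a real system.
SAMPLE_RECORD = {
    "externalId": "12345",
    "Facility": "local0",
    "Severity": "info",
    "EventTime": datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc),
    "Host": "ws-0421",
    "DeviceVendor": "IBM",
    "DeviceProduct": "Verify Privilege Manager",
    "DeviceVersion": "1.0",
    "Name": "Application|Action",  # the pipe must be escaped in the header
    "CEFSeverity": 3,
}

if __name__ == "__main__":
    print(build_cef_syslog(SAMPLE_RECORD, "AppAction",
                           extra={"suser": "DOMAIN\\alice", "msg": "key=value"}))
```

The escaping is where custom data sources usually go wrong: a pipe in Name breaks the header into the wrong number of columns, and an unescaped "=" in an extension value (a command line, for instance) makes the SIEM parse half the value as a new key. Compare the line the script prints with what your SIEM shows for the same event to confirm its CEF parser agrees.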
Client Certificate Authentication
To prevent unauthorized systems from sending data to a syslog/SIEM system, you can use client certificate authentication. In the configuration of a SysLog system, the Certificate field lets you upload a certificate as a .pfx file. The option is only relevant if you select TCP + TLS. Once configured, Verify Privilege Manager uses this certificate to authenticate every connection it opens when sending syslog events. Note that the control only has effect if the receiving syslog/SIEM system is configured to require and verify the client certificate; a receiver that accepts any TLS client still accepts unauthenticated senders.
A .pfx file must be used because the private key is required. Since the file contains the private key, protect it accordingly and remove it from any shared location after upload.
- Select Admin | Configuration.
- On the Configuration page, select the Foreign Systems tab, then click SysLog and open the SysLog server you want to edit.
- With the protocol set to TCP + TLS, upload the .pfx file in the Certificate field.
Once uploaded, the certificate appears in the Certificate field. A Remove link is available if needed.
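Before relying on a production SIEM, it helps to point the SysLog foreign system at a receiver you control and watch what arrives. The Python below is an added example, not part of the product, and serves two checks on this page: the verification step at the end of Setting up SysLog Server Tasks (does the scheduled task deliver at all, and with which facility/severity) and the TCP + TLS client certificate mode described above (does a sender without a trusted client certificate get refused). It decodes the <PRI> prefix, flags CEF payloads, handles both newline-delimited and RFC 6587 octet-counted TCP framing, and in tls mode sets CERT_REQUIRED so the handshake fails unless the client certificate chains to the CA file given. The port numbers and file names (server.pem, server.key, clients-ca.pem) are assumptions, and the sample lines in the test are constructed.

```python
"""Throwaway syslog receiver for verifying that the scheduled SysLog task delivers.

Added example, not product code. Usage (ports and file names are assumptions):
    python3 syslog_probe.py udp 5514
    python3 syslog_probe.py tcp 5514
    python3 syslog_probe.py tls 6514 server.pem server.key clients-ca.pem
Ports below 1024, including the default 514, need elevated privileges, so these
examples use high ports; set the foreign system's port to match.
"""
from __future__ import annotations

import re
import socket
import ssl
import sys
from dataclasses import dataclass

PRI_RE = re.compile(r"^<(\d{1,3})>")
OCTET_COUNT_RE = re.compile(rb"^(\d+) ")


@dataclass
class ProbeResult:
    facility: int
    severity: int
    is_cef: bool
    body: str


def parse_line(line: str) -> ProbeResult:
    """Decode the <PRI> prefix (facility*8 + severity) and detect a CEF payload."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix; not a syslog line")
    pri = int(m.group(1))
    if pri > 191:  # max facility 23 * 8 + max severity 7
        raise ValueError(f"PRI {pri} out of range")
    body = line[m.end():].rstrip("\r\n")
    return ProbeResult(pri // 8, pri % 8, "CEF:0|" in body, body)


def split_frames(buf: bytes) -> tuple[list[bytes], bytes]:
    """Split a TCP byte stream into complete syslog frames.

    Supports newline-delimited frames and RFC 6587 octet counting ("LEN MSG").
    Returns (complete_frames, unconsumed_remainder) so partial reads are safe.
    """
    frames: list[bytes] = []
    while buf:
        m = OCTET_COUNT_RE.match(buf)
        if m:
            length, start = int(m.group(1)), m.end()
            if len(buf) - start < length:
                break  # wait for the rest of the frame
            frames.append(buf[start:start + length])
            buf = buf[start + length:]
        else:
            nl = buf.find(b"\n")
            if nl < 0:
                break
            frames.append(buf[:nl].rstrip(b"\r"))
            buf = buf[nl + 1:]
    return frames, buf


def report(peer: str, data: bytes) -> None:
    try:
        r = parse_line(data.decode("utf-8", "replace"))
        print(f"{peer} facility={r.facility} severity={r.severity} cef={r.is_cef} {r.body[:120]}")
    except ValueError as exc:
        print(f"{peer} unparsable ({exc}): {data[:80]!r}")


def client_auth_context(certfile: str, keyfile: str, cafile: str) -> ssl.SSLContext:
    """TLS server context that rejects any peer without a certificate from cafile."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # this is what makes the client .pfx matter
    ctx.load_verify_locations(cafile)
    return ctx


def serve_udp(port: int) -> None:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        while True:
            data, addr = s.recvfrom(65535)
            report(addr[0], data)


def serve_tcp(port: int, tls_ctx: ssl.SSLContext | None = None) -> None:
    with socket.create_server(("0.0.0.0", port)) as srv:
        while True:
            conn, addr = srv.accept()
            try:
                if tls_ctx is not None:
                    conn = tls_ctx.wrap_socket(conn, server_side=True)  # handshake happens here
            except OSError as exc:
                print(f"{addr[0]} rejected: {exc}")  # missing or untrusted client certificate
                conn.close()
                continue
            buf = b""
            with conn:
                while chunk := conn.recv(4096):
                    frames, buf = split_frames(buf + chunk)
                    for frame in frames:
                        report(addr[0], frame)


if __name__ == "__main__":
    mode, port = sys.argv[1], int(sys.argv[2])
    if mode == "udp":
        serve_udp(port)
    elif mode == "tcp":
        serve_tcp(port)
    elif mode == "tls":
        serve_tcp(port, client_auth_context(*sys.argv[3:6]))
    else:
        sys.exit("mode must be udp, tcp or tls")
```

Run it, trigger the scheduled task on demand, and confirm that lines appear with the facility and severity you configured in the task. In tls mode, a connection attempt from a host whose certificate is not in clients-ca.pem should show up only as a rejected handshake, which is the behaviour the Certificate field is meant to enforce on the real receiver.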
Troubleshooting if SysLog Option is Missing under Foreign Systems
If you are a Verify Privilege Manager Cloud customer, contact IBM Security support to have it added to your instance.
On-premises customers, navigate to https://[YourOrganizationURL]/TMS/Setup/ProductOptions/SelectProducts and check the IBM Security SysLog Connector option. Install the SysLog Connector and accept the License Terms and Conditions.