Design of sending events/logs to SIEM/Arcsight

Posted on 2016-10-21
Medium Priority
Last Modified: 2016-10-26
The attached screen is the most Tripwire has for syslog configuration/settings, so does this mean Tripwire simply sends all its TE messages to a syslog/SIEM (ArcSight in our case)?

With other security products that I've used in the past that send events to ArcSight, they too don't have any option to specify what (types of) events/alarms to send: check out “Configure the manager to forward events to a syslog/SIEM” & “Configure each protection module to forward events to a Syslog/SIEM” in the links below; there's no description/option of which events or logs can be selected/filtered for forwarding to the SIEM:

and another product

In the highly flexible UNIX/Linux world, we can configure which logs (INFO, ERROR, FATAL) to send to a syslog server.

Is there a design or security reason why the various products above (& I suppose many other products) don't provide the option of specifying/configuring which logs/events to forward? Is it that they don't want the monitored devices' administrators, or hackers who gain control of them, to 'hide' or filter off events/logs, i.e. all logs/events must be captured as a matter of security compliance?

At the SIEM end (ArcSight in our case), is there any option to specify which devices or IPs are allowed to send logs to it, or does ArcSight simply take in everything that conforms to syslog/CEF as long as the firewall rule permits UDP 514 from the devices to ArcSight? So is it at the ArcSight end that we configure or define which logs/events trigger alarms/notifications to the security admins?

Does Splunk also allow any IP/device in the network to send logs to it (as long as the firewall rule permits)? Does it have any option to specify what types of logs/events it accepts (say, logs that contain a certain string/text)?

When configuring Windows to forward its events/logs to a SIEM/syslog, what types of events/logs are sent? Everything in Event Viewer's security.evtx, system.evtx, application.evtx, or ...?

Do we need to install a syslog/SIEM agent on Windows to enable it to forward to the SIEM/syslog, or does Windows have a built-in setting that allows us to specify the SIEM/syslog IP to send to, just like Tripwire, Deep Security & Websense?

I just logged in to our Windows AD/domain controller server: there is simply no ArcSight agent/connector service running or installed (under C:\Program Files or C:\Program Files (x86)) on it, though in ArcSight this AD/DC server does send logs/events to ArcSight. I issued 'netstat -an 1 | find ":514"' for 3 minutes but don't see any connection from this AD/DC to ArcSight. How does it forward events/logs to ArcSight?
Question by:sunhux
Accepted Solution

btan earned 2000 total points
ID: 41853726
More often than not you'll want to use the syslog format, as it is generally accepted. The RFC 3164 format that we use is composed of three parts: the first part is called the PRI, the second part is the HEADER, and the third part is the MSG. So most devices should be able to send syslog, and based on its protocol it can carry more details like the "Facility" and "Severity" level, which are indicated in the PRI part.

ArcSight supports the CEF format, which is slightly different from the syslog format. It's always a good idea to check with the provider so that it can be supported by your SIEM, as the SIEM expects log messages to arrive in the format it supports. There is an ArcSight connector to do the CEF formatting if the device source does not support it - see the supported list.

For Tripwire, you should explore the event sender. As a whole, Tripwire Enterprise is already an ArcSight CEF-certified solution, so you can combine its detailed change and configuration data with security event information in ArcSight ESM; this can include leading indicators and key metadata in the security data it sends to ArcSight, for example severities, asset- and test-based risk scoring, and alert information.

For Deep Security, you should be able to configure this setting and more - see the use of the DataExportTool at http://docs.trendmicro.com/en-us/enterprise/control-manager-60-service-pack-3/ch_ag_use_tmcm_tools/syslog_forwarder.aspx

The list of Facilities available:
0             kernel messages
1             user-level messages
2             mail system
3             system daemons
4             security/authorization messages
5             messages generated internally by syslogd
6             line printer subsystem
7             network news subsystem
8             UUCP subsystem
9             clock daemon
10            security/authorization messages
11            FTP daemon
12            NTP subsystem
13            log audit
14            log alert
15            clock daemon
16            local use 0  (local0)
17            local use 1  (local1)
18            local use 2  (local2)
19            local use 3  (local3)
20            local use 4  (local4)
21            local use 5  (local5)
22            local use 6  (local6)
23            local use 7  (local7)

The list of severity Levels:
0       Emergency: system is unusable
1       Alert: action must be taken immediately
2       Critical: critical conditions
3       Error: error conditions
4       Warning: warning conditions
5       Notice: normal but significant condition
6       Informational: informational messages
7       Debug: debug-level messages
Based on RFC 5424: https://tools.ietf.org/html/rfc5424

For Websense, you should be able to customize as well; taking the example of one of the Websense solutions, RiskVision, you can configure which logs to send by selecting one or more Threat levels. By default, malicious and suspicious incident logs are forwarded. You need to check with the provider for the specific servers.

For the Windows event log, you will need an agent like Snare or syslog-ng to send the syslog to the SIEM. The default evt or evtx is not in syslog format, and SIEMs will not support the Windows raw log if it is not in syslog format.

For Splunk to receive logs from other devices, it can still work like a syslog server and be able to query them. Splunk Enterprise can act as a syslog server or a syslog message sender. It should not be substituted for such a server in regular use. This is because Splunk Enterprise modifies syslog data by default as part of the indexing process (it assigns a timestamp and a host to the event). ... and it can act as a SIEM covering aspects like compliance, application security, fraud detection, IT operations, application management, web intelligence and business analytics.
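As an added example (not part of btan's answer or any vendor's code), here is a small Python receive-side parser that decodes the PRI into the facility and severity tables above, splits out the HEADER and MSG, decodes a CEF payload when a device sends one, and applies the kind of allowed-host/severity filter the question asked about at the SIEM end. The host names, the Tripwire CEF fields and the log lines are constructed samples, and CEF escaping of `|` and `=` is deliberately not handled.

```python
import re

FACILITIES = {  # RFC 3164 / RFC 5424 facility codes; PRI = facility * 8 + severity
    0: "kernel messages", 1: "user-level messages", 2: "mail system", 3: "system daemons",
    4: "security/authorization messages", 5: "messages generated internally by syslogd",
    6: "line printer subsystem", 7: "network news subsystem", 8: "UUCP subsystem",
    9: "clock daemon", 10: "security/authorization messages", 11: "FTP daemon",
    12: "NTP subsystem", 13: "log audit", 14: "log alert", 15: "clock daemon",
    **{16 + i: f"local use {i} (local{i})" for i in range(8)},
}
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Informational", "Debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
HEADER_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)

def parse_rfc3164(line):
    """Split a BSD syslog line into PRI (facility, severity), HEADER (timestamp, host) and MSG."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("missing or out-of-range PRI")
    facility, severity = divmod(int(m.group(1)), 8)
    h = HEADER_RE.match(m.group(2))
    if not h:
        raise ValueError("malformed HEADER")
    return {"facility": FACILITIES[facility], "severity": severity, "severity_name": SEVERITIES[severity],
            "timestamp": h.group(1), "host": h.group(2), "msg": h.group(3)}

def parse_cef(msg):
    """Decode a CEF payload carried in MSG; returns None for plain syslog text."""
    if not msg.startswith("CEF:"):
        return None
    fields = msg.split("|", 7)  # seven '|'-separated header fields, then the key=value extension
    if len(fields) != 8:
        raise ValueError("malformed CEF header")
    cef = dict(zip(["version", "vendor", "product", "dev_version", "sig_id", "name", "cef_severity"], fields[:7]))
    cef["ext"] = dict(re.findall(r"(\w+)=(\S+)", fields[7]))
    return cef

def receiver_filter(lines, allowed_hosts, max_severity):
    """Receive-side policy: keep events from allow-listed hosts at or above a severity threshold (lower = more severe)."""
    kept = []
    for line in lines:
        ev = parse_rfc3164(line)
        if ev["host"] in allowed_hosts and ev["severity"] <= max_severity:
            ev["cef"] = parse_cef(ev["msg"])  # None unless the device sent CEF
            kept.append(ev)
    return kept

SAMPLE = [  # constructed sample traffic, not real events
    "<34>Oct 21 09:12:01 dc01 sshd[1203]: Failed password for root from 10.0.0.9",
    "<134>Oct 21 09:12:05 tripwire01 CEF:0|Tripwire|Tripwire Enterprise|1.0|1000|File modified|5|src=10.0.0.5 fname=/etc/passwd",
    "<14>Oct 21 09:12:07 rogue-host cron[77]: job finished",
]
```

Running `receiver_filter(SAMPLE, {"dc01", "tripwire01"}, 6)` keeps the first two lines (the unknown host is dropped even though its message is well-formed), and lowering the threshold to 4 keeps only the Critical auth event from dc01.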
