The attached screen is the most Tripwire has for syslog configuration/settings, so does this mean Tripwire simply sends all its TE messages to a syslog/SIEM (ArcSight in our case)?

With other security products that I've used in the past that send events to ArcSight, they too don't have any option to specify which (types of) events/alarms to send: check out "Configure the manager to forward events to a syslog/SIEM" & "Configure each protection module to forward events to a Syslog/SIEM" in the links below: there's no description/option of what events or logs can be selected/filtered for forwarding to the SIEM:

and another product
In the highly flexible UNIX/Linux world, we can configure which logs (INFO, ERROR, FATAL) to send to a syslog server.

Is there a design or security reason why the various products above (& I suppose many other products) don't provide the option of specifying/configuring which logs/events to forward? Is it that they don't want the monitored devices' administrators, or hackers who gain control of them, to 'hide' or filter off events/logs, i.e. all logs/events must be captured as a matter of security compliance?
At the SIEM end (ArcSight in our case), is there any option to specify which devices or IPs are allowed to send logs to it, or does ArcSight simply take in everything that conforms to syslog/CEF as long as the firewall rule permits UDP 514 from the devices to ArcSight? So is it at the ArcSight end that we configure or define which logs/events should send alarms/notifications to the security admins?

Does Splunk also allow any IP/device in the network to send logs to it (as long as the firewall rule permits it)? Does it have any option to specify what types of logs/events it accepts (say logs that contain a certain string/text)?
When configuring Windows to forward its events/logs to a SIEM/syslog, what types of events/logs are sent? Everything in Event Viewer's security.evtx, system.evtx, application.evtx, or ??

Do we need to install a syslog/SIEM agent in Windows to enable it to forward to the SIEM/syslog, or does Windows have a built-in setting that allows us to specify the SIEM/syslog IP to send to, just like Tripwire and Deep Security?
I just logged in to our Windows AD/Domain Controller server: there is simply no ArcSight agent/connector service running or installed (under c:\Program Files or c:\Program Files (x86)) on it, though in ArcSight this AD/DC server does send logs/events to ArcSight.

I issued 'netstat -an 1 | find ":514"' for 3 minutes but didn't see any connection from this AD/DC to ArcSight. How does it forward events/logs to ArcSight?
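The two controls the post asks about, sender-side selection by severity (the INFO/ERROR/FATAL choice on UNIX/Linux) and receiver-side restriction by source IP and message content, can be illustrated together in one small receive-side policy over syslog lines. The following is an added Python example, not code from the post or from Tripwire, ArcSight or Splunk; the sample lines, sender addresses and policy function names are constructed for illustration.

```python
import re

# Constructed sample syslog records (sender IP, RFC 3164-style line); not from the post.
# PRI = facility * 8 + severity; severity runs 0 (emerg) .. 7 (debug).
SAMPLE_LINES = [
    ("10.0.0.5",  "<86>Mar  1 10:00:01 host1 sshd[42]: Accepted publickey for ops"),
    ("10.0.0.5",  "<83>Mar  1 10:00:02 host1 sshd[43]: Failed password for root"),
    ("10.0.0.5",  "<87>Mar  1 10:00:03 host1 cron[7]: (root) CMD (run-parts)"),
    ("192.0.2.9", "<84>Mar  1 10:00:04 rogue kernel: unexpected sender"),
]

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse_pri(line):
    """Return (facility, severity, rest) from a '<PRI>...' line, or None if malformed."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest valid PRI
        return None
    return pri >> 3, pri & 7, m.group(2)

def forward_decision(sender, line, allowed_senders, max_severity, must_contain=None):
    """Receive-side policy: accept only allow-listed senders, keep messages at or
    more urgent than max_severity, and optionally require a substring."""
    if sender not in allowed_senders:
        return ("drop", "sender not allowed")
    parsed = parse_pri(line)
    if parsed is None:
        return ("drop", "malformed PRI")
    facility, severity, rest = parsed
    if severity > max_severity:
        return ("drop", f"severity {SEVERITY[severity]} below threshold")
    if must_contain and must_contain not in rest:
        return ("drop", "filter string absent")
    return ("forward", f"facility={facility} severity={SEVERITY[severity]}")

def apply_policy(records, allowed_senders, max_severity, must_contain=None):
    """Run the policy over (sender, line) records and return the decisions in order."""
    return [forward_decision(s, l, allowed_senders, max_severity, must_contain)[0]
            for s, l in records]

if __name__ == "__main__":
    decisions = apply_policy(SAMPLE_LINES, {"10.0.0.5"}, 5)  # notice and above only
    for (sender, line), decision in zip(SAMPLE_LINES, decisions):
        print(f"{decision:8} {sender:10} {line[:48]}")
```

Lowering max_severity to 3 mimics a sender that only forwards ERROR and worse, while the allow-list and must_contain checks are the receiver-side equivalents of restricting source IPs and filtering on a string.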