Solved

Design of sending events/logs to SIEM/Arcsight

Posted on 2016-10-21
Last Modified: 2016-10-26
The attached screen is the most Tripwire has for syslog configuration/settings, so does this mean Tripwire simply sends all its TE messages to a syslog/SIEM (Arcsight in our case)?

With other security products that I've used in the past that send events to Arcsight, they too don't have any option to specify what (types of) events/alarms to send: check out "Configure the manager to forward events to a syslog/SIEM" & "Configure each protection module to forward events to a Syslog/SIEM" in the links below. There's no description/option of what events or logs can be selected/filtered for forwarding to the SIEM:
https://help.deepsecurity.trendmicro.com/siem-syslog-forwarding.html
and another product:
https://www.websense.com/content/support/library/web/v78/triton_web_help/settings_siem_explain.aspx

In the highly flexible UNIX/Linux, we can configure what logs (INFO, ERROR, FATAL) to send to a syslog server.

Q1:
Is there a design or security reason why the various products above (& I suppose many other products) don't provide the option of specifying/configuring what logs/events to forward? They don't want the monitored devices' administrators, or hackers who gain control of them, to 'hide' or filter off events/logs? I.e. all logs/events must be captured as a matter of security compliance?

Q2:
At the SIEM end (Arcsight in our case), is there any option to specify which devices or IPs are allowed to send logs to it, or does Arcsight simply take in everything that conforms to syslog/CEF as long as the firewall rule permits UDP 514 from the devices to Arcsight? So is it at the Arcsight end that we configure or define which logs/events send alarms/notifications to security admins?

Q3:
Does Splunk also allow any IP/device in the network to send logs to it (as long as the firewall rule permits it)? Does it have any option to specify what types of logs/events it accepts (say logs that contain a certain string/text)?

Q4:
When configuring Windows to forward its events/logs to a SIEM/syslog, what types of events/logs are being sent? Everything in Event Viewer's security.evtx or system.evtx or application.evtx or ??

Q5:
Do we need to install a syslog/SIEM agent in Windows to enable it to forward to SIEM/syslog, or does Windows have a built-in setting that allows us to specify the SIEM/syslog IP to send to, just like Tripwire, Deep Security & Websense?

Q6:
I just logged in to our Windows AD/Domain Controller server: there is simply no Arcsight agent/connector service running nor installed (under c:\Program Files or c:\Program Files (x86)) on it, though in Arcsight this AD/DC server does send logs/events to Arcsight. I issued 'netstat -an 1 | find ":514"' for 3 minutes but don't see any connection from this AD/DC to Arcsight. How does it forward events/logs to Arcsight?
Question by: sunhux

Accepted Solution by: btan
More often than not you'll want to use the syslog format as it is generally accepted. The RFC 3164 format that we use is composed of three parts: the first part is called the PRI, the second part is the HEADER, and the third part is the MSG. So most devices should be able to send syslog, and based on its protocol it can carry more details like the "Facility" and "Severity" level, which are indicated in the PRI part.

ArcSight supports the CEF format, which is slightly different from the syslog format. It's always a good idea to check with the provider so that it can be supported by your SIEM, as the SIEM expects those formatted log messages to arrive. There is an ArcSight connector to do the CEF formatting if the device source does not support it; see the supported list:
https://www.hpe.com/h20195/V2/GetPDF.aspx/4AA5-3404ENW.pdf

For Tripwire, you should explore Event Sender. As a whole, Tripwire Enterprise is already an ArcSight CEF-certified solution, so you can combine its detailed change and configuration data with security event information in ArcSight ESM. This can include leading indicators and key metadata in the security data it sends to ArcSight, for example severities, asset- and test-based risk scoring, and alert information.
http://www.tripwire.com/register/tripwire-event-sender/
http://www.riskmanageworks.com/datasheets/Tripwire_Arcsight_Event_Integration_datasheet.pdf

For Deep Security, you should be able to configure this setting and more; see the use of the DataExportTool at http://docs.trendmicro.com/en-us/enterprise/control-manager-60-service-pack-3/ch_ag_use_tmcm_tools/syslog_forwarder.aspx

The list of Facilities available:
0   kernel messages
1   user-level messages
2   mail system
3   system daemons
4   security/authorization messages
5   messages generated internally by syslogd
6   line printer subsystem
7   network news subsystem
8   UUCP subsystem
9   clock daemon
10  security/authorization messages
11  FTP daemon
12  NTP subsystem
13  log audit
14  log alert
15  clock daemon
16  local use 0 (local0)
17  local use 1 (local1)
18  local use 2 (local2)
19  local use 3 (local3)
20  local use 4 (local4)
21  local use 5 (local5)
22  local use 6 (local6)
23  local use 7 (local7)

The list of Severity levels:
0   Emergency: system is unusable
1   Alert: action must be taken immediately
2   Critical: critical conditions
3   Error: error conditions
4   Warning: warning conditions
5   Notice: normal but significant condition
6   Informational: informational messages
7   Debug: debug-level messages
based on RFC 5424: https://tools.ietf.org/html/rfc5424

For Websense, you should be able to customize as well. Taking the example of one of the Websense solutions, RiskVision, it can configure which logs to send by selecting one or more threat levels. By default, malicious and suspicious incident logs are forwarded. You need to check with the provider for the specific servers.
http://www.websense.com/content/support/library/riskvision/v20/system_mgmt/system_logging.aspx

For Windows event logs, you will need an agent like Snare or syslog-ng to send the syslog to the SIEM. The default evt or evtx is not in syslog format, and the SIEM will not support the raw Windows log if it is not in syslog format.

For Splunk to receive logs from other devices, it can still work like a syslog server and is able to query them:
Splunk Enterprise can act as a syslog server or a syslog message sender. It should not be substituted for such a server in regular use. This is because Splunk Enterprise modifies syslog data by default as part of the indexing process (it assigns a timestamp and a host to the event).
http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/HowSplunkEnterprisehandlessyslogdata
http://docs.splunk.com/Documentation/Splunk/6.2.9/Data/Monitornetworkports
... and it can serve as a SIEM covering aspects like compliance, application security, fraud detection, IT operations, application management, web intelligence and business analytics.
https://www.splunk.com/web_assets/pdfs/secure/Splunk_as_a_SIEM_Tech_Brief.pdf
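The PRI/HEADER/MSG split and the facility and severity tables in the accepted answer, plus the receiver-side filtering asked about in Q2/Q3, as an added worked example (not code from the thread, ArcSight or Splunk): the sample lines, host names and the `accept` policy are constructed for illustration.

```python
import re
# Severity names in PRI order (RFC 5424, Table 2); facility = PRI // 8, severity = PRI % 8
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME MSG (TIMESTAMP + HOSTNAME form the HEADER)
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>"
                       r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<msg>.*)$", re.S)

# Constructed sample lines (not from the thread): one CEF payload, one plain MSG
SAMPLE_CEF = ("<34>Oct 11 22:14:15 fw01 CEF:0|Example|FW|1.0|100|Connection denied|8|"
              "src=10.0.0.5 dst=10.0.0.9 act=blocked")
SAMPLE_PLAIN = "<34>Oct 11 22:14:15 dc01 su: 'su root' failed for lonvick on /dev/pts/8"

def parse_syslog(line):
    """Split an RFC 3164 line into decoded PRI, HEADER fields and MSG."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not RFC 3164: %r" % line[:40])
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        raise ValueError("PRI out of range")
    return {"facility": pri // 8, "severity": pri % 8,
            "severity_name": SEVERITIES[pri % 8],
            "timestamp": m.group("ts"), "host": m.group("host"),
            "msg": m.group("msg")}

def parse_cef(msg):
    """Parse an ArcSight CEF payload carried in MSG; returns None if MSG is not CEF."""
    if not msg.startswith("CEF:"):
        return None
    # Header: 7 pipe-separated fields, then a free-form extension; "\|" is an escaped pipe
    parts = re.split(r"(?<!\\)\|", msg, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs seven '|' separators")
    keys = ["cef_version", "vendor", "product", "version", "signature_id", "name", "severity"]
    out = {k: v.replace("\\|", "|") for k, v in zip(keys, parts[:7])}
    out["cef_version"] = out["cef_version"][len("CEF:"):]
    # Extension: key=value pairs; a value runs until the next " key=" or the end of string
    out["extension"] = dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", parts[7]))
    return out

def accept(event, allowed_hosts, max_severity):
    """Hypothetical receiver policy: known senders only, severity at or above a threshold."""
    return event["host"] in allowed_hosts and event["severity"] <= max_severity

if __name__ == "__main__":
    ev = parse_syslog(SAMPLE_CEF)
    print(ev["facility"], ev["severity_name"], parse_cef(ev["msg"]), accept(ev, {"fw01"}, 4))
```

Because severity numbers run from 0 (Emergency) to 7 (Debug), a threshold of 4 keeps Emergency through Warning and drops Notice, Informational and Debug.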