Design of sending events/logs to SIEM/Arcsight

Posted on 2016-10-21
Last Modified: 2016-10-26
The attached screen is the most Tripwire has for syslog configuration/settings, so does this mean Tripwire simply sends all its TE messages to a syslog/SIEM (Arcsight in our case)?

With other security products that I've used in the past that send events to Arcsight, they too don't have any option to specify what (types of) events/alarms to send: check out "Configure the manager to forward events to a syslog/SIEM" & "Configure each protection module to forward events to a Syslog/SIEM" in the links below; there's no description/option of which events or logs can be selected/filtered for forwarding to the SIEM:
https://help.deepsecurity.trendmicro.com/siem-syslog-forwarding.html
and another product:
https://www.websense.com/content/support/library/web/v78/triton_web_help/settings_siem_explain.aspx

On the highly flexible UNIX/Linux side, we can configure which logs (INFO, ERROR, FATAL) to send to a syslog server.

Q1:
Is there a design or security reason why the various products above (& I suppose many other products) don't provide the option of specifying/configuring which logs/events to forward? Is it that they don't want the monitored devices' administrators, or hackers who gain control of them, to 'hide' or filter off events/logs? i.e. all logs/events must be captured as a matter of security compliance?

Q2:
At the SIEM end (Arcsight in our case), is there any option to specify which devices or IPs are allowed to send logs to it, or does Arcsight simply take in everything that conforms to syslog/CEF as long as a firewall rule permits UDP 514 from the devices to Arcsight? So is it at the Arcsight end that we configure or define which logs/events should send alarms/notifications to the security admins?

Q3:
Does Splunk also allow any IP/device in the network to send logs to it (as long as a firewall rule permits it)? Does it have any option to specify what types of logs/events it accepts (say, logs that contain a certain string/text)?

Q4:
When configuring Windows to forward its events/logs to a SIEM/syslog, what types of events/logs are being sent? Everything in Event Viewer's security.evtx, system.evtx, application.evtx, or something else?

Q5:
Do we need to install a syslog/SIEM agent in Windows to enable it to forward to the SIEM/syslog, or does Windows have a built-in setting that allows us to specify the SIEM/syslog IP to send to, just like Tripwire, Deep Security & Websense?

Q6:
I just logged in to our Windows AD/Domain Controller server: there is simply no Arcsight agent/connector service running or installed (under c:\Program Files or c:\Program Files (x86)) on it, though in Arcsight this AD/DC server does send logs/events to Arcsight. I issued 'netstat -an 1 | find ":514"' for 3 minutes but didn't see any connection from this AD/DC to Arcsight. How does it forward events/logs to Arcsight?
Question by: sunhux
Accepted Solution

by: btan
More often than not you'll want to use the syslog format, as it is generally accepted. The RFC 3164 format that we use is composed of three parts. The first part is called the PRI, the second part is the HEADER, and the third part is the MSG. So most devices should be able to send syslog, and based on the protocol it can carry more details like the "Facility" and "Severity" level, which are indicated in the PRI part.

Arcsight supports the CEF format, which is slightly different from the syslog format. It's always a good idea to check with the provider so that it can support your SIEM, as the SIEM expects those formatted log messages to arrive. There is an Arcsight connector to do the CEF formatting if the device source does not support it - see the supported list.
https://www.hpe.com/h20195/V2/GetPDF.aspx/4AA5-3404ENW.pdf

For Tripwire, you should explore Event Sender. As a whole, Tripwire Enterprise is already an ArcSight CEF-certified solution, so you can combine its detailed change and configuration data with security event information in ArcSight ESM; this can include leading indicators and key metadata in the security data it sends to ArcSight, for example severities, asset- and test-based risk scoring, and alert information.
http://www.tripwire.com/register/tripwire-event-sender/
http://www.riskmanageworks.com/datasheets/Tripwire_Arcsight_Event_Integration_datasheet.pdf

For Deep Security, you should be able to configure this setting and more - see the use of DataExportTool at http://docs.trendmicro.com/en-us/enterprise/control-manager-60-service-pack-3/ch_ag_use_tmcm_tools/syslog_forwarder.aspx

The list of Facilities available:
0             kernel messages
1             user-level messages
2             mail system
3             system daemons
4             security/authorization messages
5             messages generated internally by syslogd
6             line printer subsystem
7             network news subsystem
8             UUCP subsystem
9             clock daemon
10            security/authorization messages
11            FTP daemon
12            NTP subsystem
13            log audit
14            log alert
15            clock daemon
16            local use 0  (local0)
17            local use 1  (local1)
18            local use 2  (local2)
19            local use 3  (local3)
20            local use 4  (local4)
21            local use 5  (local5)
22            local use 6  (local6)
23            local use 7  (local7)

The list of severity levels:
0       Emergency: system is unusable
1       Alert: action must be taken immediately
2       Critical: critical conditions
3       Error: error conditions
4       Warning: warning conditions
5       Notice: normal but significant condition
6       Informational: informational messages
7       Debug: debug-level messages
Based on RFC 5424: https://tools.ietf.org/html/rfc5424

For Websense, you should be able to customize as well; taking the example of one of the Websense solutions, RiskVision, it can configure which logs to send by selecting one or more threat levels. By default, malicious and suspicious incident logs are forwarded. You need to check with the provider for the specific servers.
http://www.websense.com/content/support/library/riskvision/v20/system_mgmt/system_logging.aspx

For the Windows event log, you will need an agent like Snare or syslog-ng to send the syslog to the SIEM. The default .evt or .evtx is not in that syslog format, and SIEMs will not support the raw Windows log if it is not in syslog format.

For Splunk to receive logs from other devices, it can still work like a syslog server and is able to query them:
"Splunk Enterprise can act as a syslog server or a syslog message sender. It should not be substituted for such a server in regular use. This is because Splunk Enterprise modifies syslog data by default as part of the indexing process (it assigns a timestamp and a host to the event.)"
http://docs.splunk.com/Documentation/Splunk/6.5.0/Data/HowSplunkEnterprisehandlessyslogdata
http://docs.splunk.com/Documentation/Splunk/6.2.9/Data/Monitornetworkports
... and it can serve as a SIEM, covering aspects like compliance, application security, fraud detection, IT operations, application management, web intelligence and business analytics.
https://www.splunk.com/web_assets/pdfs/secure/Splunk_as_a_SIEM_Tech_Brief.pdf
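As an added example (not code from this thread, and not from Tripwire, Trend Micro, Websense, ArcSight or Splunk), the Python script below parses the three RFC 3164 parts the answer describes (PRI, HEADER, MSG), decodes PRI into facility and severity with the tables quoted above, parses a CEF payload carried in the MSG part (including the `\|` and `\=` escapes), and applies a receiver-side severity filter of the kind Q2/Q3 ask about. The sample lines, host names, product names and field values are constructed for illustration and are assumptions, not real device output.

```python
import re

# Facility and severity names in numeric order, following the RFC 3164/5424
# tables quoted in the answer above.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 line: "<PRI>" then the HEADER (TIMESTAMP and HOSTNAME) then the MSG.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.S,
)


def decode_pri(pri):
    """PRI = facility * 8 + severity; return the two names or raise if out of range."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def split_cef_header(text):
    """Return the seven pipe-delimited CEF header fields plus the extension text.
    A backslash escapes the next character, so '\\|' inside a field is a literal pipe."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    return fields, text[i:]


def parse_cef(msg):
    """Parse 'CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|key=value ...'."""
    header, ext = split_cef_header(msg)
    if not header[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    event = {
        "cef_version": header[0][4:], "vendor": header[1], "product": header[2],
        "device_version": header[3], "signature_id": header[4], "name": header[5],
        "severity": header[6], "extension": {},
    }
    # Extension keys are words followed by '='; values may contain spaces and
    # use '\=' and '\\' as escapes, so split only before the next unescaped key.
    for chunk in re.split(r" (?=\w+=)", ext.strip()):
        if chunk:
            key, _, value = chunk.partition("=")
            event["extension"][key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return event


def parse_line(line):
    """Parse one RFC 3164 line into a dict; decode the MSG as CEF when it is one."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line[:40])
    facility, severity = decode_pri(int(m.group("pri")))
    rec = {"facility": facility, "severity": severity, "timestamp": m.group("ts"),
           "host": m.group("host"), "msg": m.group("msg")}
    if rec["msg"].startswith("CEF:"):
        rec["cef"] = parse_cef(rec["msg"])
    return rec


def select_forwardable(lines, max_severity="warning"):
    """Receiver-side filter: keep events at least as severe as max_severity (lower code = more severe)."""
    threshold = SEVERITIES.index(max_severity)
    return [r for r in map(parse_line, lines) if SEVERITIES.index(r["severity"]) <= threshold]


# Constructed sample lines for illustration; not real Tripwire, sshd or gateway output.
SAMPLE = [
    "<134>Oct 21 09:12:01 dc01 CEF:0|Tripwire|Tripwire Enterprise|8.5|1|File modified|7|fname=/etc/passwd suser=root",
    "<84>Oct 21 09:12:05 dc01 sshd[2314]: Failed password for invalid user admin from 10.0.0.9 port 51122 ssh2",
    "<133>Oct 21 09:12:07 web01 CEF:0|Vendor\\|Inc|Web Gateway|1.0|100|Policy hit|3|msg=url a\\=b act=block",
]

if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE):
        summary = rec["cef"]["name"] if "cef" in rec else rec["msg"][:40]
        print(rec["host"], rec["facility"], rec["severity"], summary)
    print("forwardable at warning or worse:", [r["host"] for r in select_forwardable(SAMPLE)])
```

The point the parser makes concrete is the one in the answer: the syslog severity lives in the PRI (so `<134>` is local0/informational and `<84>` is authpriv/warning), while a CEF event carries its own vendor-assigned severity in the seventh header field, and a SIEM rule can key on either. Filtering on the receiver, as `select_forwardable` does, is independent of whether the sending product lets you choose what to forward.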
