
Design of sending events/logs to SIEM/Arcsight

The attached screen is the most Tripwire has for syslog configuration/setting, so does this mean Tripwire simply sends all its TE messages to a syslog/SIEM (Arcsight in our case)?

With other security products that I've used in the past that send events to Arcsight, they too don't have any option to specify what (types of) events/alarms to send: check out "Configure the manager to forward events to a syslog/SIEM" & "Configure each protection module to forward events to a Syslog/SIEM" in the links below; there's no description/option of what events or logs can be selected/filtered for forwarding to SIEM:
and another product

In the highly flexible UNIX/Linux, we can configure what logs (INFO, ERROR, FATAL) to send to a syslog server.

Is there a design or security reason why the various products above (& I suppose many other products) don't provide the option of specifying/configuring what logs/events to forward? Is it that they don't want the monitored devices' administrators, or hackers who gain control of them, to 'hide' or filter off events/logs, i.e. all logs/events must be captured as a matter of security compliance?

At the SIEM end (Arcsight in our case), is there any option to specify which devices or IPs are allowed to send logs to it, or does Arcsight simply take in everything that conforms to syslog/CEF as long as a firewall rule permits UDP 514 from the devices to Arcsight? So is it at the Arcsight end that we configure or define which logs/events send alarms/notifications to security admins?

Does Splunk also allow any IP/device in the network to send logs to it (as long as the firewall rule permits)? Does it have any option to specify what types of logs/events it accepts (say, logs that contain a certain string/text)?

When configuring Windows to forward its events/logs to a SIEM/syslog, what are the types of events/logs being sent? Everything in Event Viewer's security.evtx or system.evtx or application.evtx or ??

Do we need to install a syslog/SIEM agent in Windows to enable it to forward to SIEM/syslog, or does Windows have a built-in setting that allows us to specify the SIEM/syslog IP to send to, just like Tripwire, Deep Security & Websense?

I just logged in to our Windows AD/Domain Controller server: there is simply no Arcsight agent/connector service running nor installed (under c:\Program Files or c:\Program Files (x86)) in it, though in Arcsight this AD/DC server does send logs/events to Arcsight. I issued 'netstat -an 1 | find ":514"' for 3 minutes but don't see any connection from this AD/DC to Arcsight. How does it forward events/logs to Arcsight?
1 Solution
btan (Exec Consultant) commented:

More often than not you'll want to use the syslog format, as it is generally accepted. The RFC 3164 format that we use is composed of three parts: the first part is called the PRI, the second part is the HEADER, and the third part is the MSG. So most devices should be able to send syslog, and based on its protocol it can carry more details like the "Facility" and "Severity" level, which are indicated in the PRI part.

Arcsight supports the CEF format, which is slightly different from the syslog format. It's always a good idea to check with the provider that the device can support your SIEM, as the SIEM expects those formatted log messages to arrive. There is an Arcsight connector to do the CEF formatting if the device source does not support it - see the supported list.

For Tripwire, you should explore the event sender. As a whole, Tripwire Enterprise is already an ArcSight CEF-certified solution, so you can combine its detailed change and configuration data with security event information in ArcSight ESM; these can include leading indicators and key metadata in the security data it sends to ArcSight, for example severities, asset- and test-based risk scoring, and alert information.

For Deep Security, you should be able to configure this setting and more - see the use of DataExportTool @

The list of Facilities available:
0             kernel messages
1             user-level messages
2             mail system
3             system daemons
4             security/authorization messages
5             messages generated internally by syslogd
6             line printer subsystem
7             network news subsystem
8             UUCP subsystem
9             clock daemon
10            security/authorization messages
11            FTP daemon
12            NTP subsystem
13            log audit
14            log alert
15            clock daemon
16            local use 0  (local0)
17            local use 1  (local1)
18            local use 2  (local2)
19            local use 3  (local3)
20            local use 4  (local4)
21            local use 5  (local5)
22            local use 6  (local6)
23            local use 7  (local7)

The list of severity Levels:
0       Emergency: system is unusable
1       Alert: action must be taken immediately
2       Critical: critical conditions
3       Error: error conditions
4       Warning: warning conditions
5       Notice: normal but significant condition
6       Informational: informational messages
7       Debug: debug-level messages
(Based on RFC 3164.)

For Websense, you should be able to customize as well, taking the example of one of the Websense solutions, RiskVision, which can configure which logs to send by selecting one or more Threat levels. By default, malicious and suspicious incident logs are forwarded. You need to check with the provider for the specific servers.

For Windows event logs, you will need an agent like Snare or syslog-ng to send the syslog to the SIEM. The default evt or evtx is not in that syslog format, and SIEMs will not support the Windows raw log if it is not in syslog format.

For Splunk to receive logs from other devices, it can still work like a syslog server and be able to query them:
"Splunk Enterprise can act as a syslog server or a syslog message sender. It should not be substituted for such a server in regular use. This is because Splunk Enterprise modifies syslog data by default as part of the indexing process (it assigns a timestamp and a host to the event.)"
... and it can serve as a SIEM covering aspects like compliance, application security, fraud detection, IT operations, application management, web intelligence and business analytics.
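As an added example (not part of the question or of btan's answer, and not any vendor's code), the receiver-side handling the thread keeps coming back to: decode the RFC 3164 PRI into facility and severity, split a CEF record carried in the MSG part, allowlist the hosts permitted to send, and drop events below a severity threshold. The vendor/product names, IP addresses and log lines are constructed for this example; the allowlist and threshold in `default_policy()` are assumed values, not anything a real SIEM ships with.

```python
"""Receiver-side filtering of syslog/CEF events: decode the RFC 3164 PRI,
allowlist sending hosts, and keep only events at or above a severity."""
import ipaddress
import re
from dataclasses import dataclass, field

# Facility codes 0-23 as listed above; 16-23 are local0-local7.
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "audit", 14: "alert", 15: "clock",
}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})
# Severity codes 0-7, 0 (Emergency) being the most severe.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value pairs in a CEF extension; values may contain spaces.
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
CEF_HEADER_KEYS = ["version", "vendor", "product", "device_version",
                   "event_class_id", "name", "severity"]


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    body: str                                 # HEADER + MSG after the PRI
    cef: dict = field(default_factory=dict)   # filled when MSG carries CEF

    @property
    def facility_name(self) -> str:
        return FACILITY_NAMES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def decode_pri(pri: int):
    """PRI = facility * 8 + severity, so divmod recovers both."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_cef(msg: str) -> dict:
    """Split a CEF record: 7 pipe-delimited header fields, then an optional
    key=value extension. A pipe escaped as \\| inside a header field is kept."""
    if not msg.startswith("CEF:"):
        return {}
    parts = re.split(r"(?<!\\)\|", msg[4:], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("CEF header needs 7 fields")
    record = {k: v.replace("\\|", "|") for k, v in zip(CEF_HEADER_KEYS, parts)}
    if len(parts) == 8:
        record["ext"] = dict(CEF_EXT_RE.findall(parts[7]))
    return record


def parse_syslog(line: str) -> SyslogEvent:
    """Parse one RFC 3164 line; CEF, if present, sits inside the MSG part."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> prefix")
    facility, severity = decode_pri(int(m.group(1)))
    body = line[m.end():]
    cef_at = body.find("CEF:")
    cef = parse_cef(body[cef_at:]) if cef_at >= 0 else {}
    return SyslogEvent(facility, severity, body, cef)


@dataclass
class ReceiverPolicy:
    allowed_sources: list      # ip_network objects permitted to send
    max_severity: int = 5      # keep 0..5 (Notice and worse), drop Info/Debug

    def accept(self, source_ip: str, line: str):
        """Return (accepted, reason). The source check runs before parsing,
        so a host that is not allowlisted never reaches the parser."""
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in self.allowed_sources):
            return False, f"source {source_ip} not allowlisted"
        try:
            ev = parse_syslog(line)
        except ValueError as exc:
            return False, f"unparseable: {exc}"
        if ev.severity > self.max_severity:
            return False, f"{ev.severity_name} below threshold"
        return True, f"{ev.facility_name}.{ev.severity_name}"


def default_policy() -> ReceiverPolicy:
    # Assumed allowlist for the example: only the monitored subnet may send.
    return ReceiverPolicy([ipaddress.ip_network("10.1.1.0/24")])


# Constructed sample traffic (source IP, raw line); vendor names are placeholders.
SAMPLE_LINES = [
    ("10.1.1.10", "<34>Oct 11 22:14:15 dc01 su: 'su root' failed for jsmith on /dev/pts/8"),
    ("10.1.1.10", "<190>Oct 11 22:14:16 dc01 app: heartbeat ok"),
    ("10.1.1.20", "<165>Oct 11 22:14:17 fim01 CEF:0|ExampleVendor|ExampleFIM|1.0|100|"
                  "File changed|7|fname=/etc/passwd act=modified"),
    ("192.0.2.99", "<34>Oct 11 22:14:18 unlisted sshd: authentication failure"),
]


def run_policy(policy: ReceiverPolicy, lines) -> list:
    return [policy.accept(ip, line) for ip, line in lines]


if __name__ == "__main__":
    for (ip, line), (ok, why) in zip(SAMPLE_LINES, run_policy(default_policy(), SAMPLE_LINES)):
        print(f"{'ACCEPT' if ok else 'DROP  '} {ip:<12} {why}")
```

The order of checks is the point: the allowlist answers the "does the SIEM take anything on UDP 514?" question at the receiver rather than relying on the firewall alone, and the severity threshold is applied to what the source sent, so a device that cannot filter at its end can still be filtered centrally without touching the sender.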