Forward Workload Security events to a Syslog or SIEM server

You can send events to an external Syslog or Security Information and Event Management (SIEM) server. This can be useful for centralized monitoring and custom reporting.

Alternatively, if you want to publish events to Amazon SNS, see Access events with Amazon SNS.

Basic steps include the following:

  1. Allow event-forwarding network traffic
  2. Define a Syslog configuration
  3. Forward system events or Forward security events

Allow event-forwarding network traffic

All routers, firewalls, and security groups must allow inbound traffic from Workload Security (and, for direct forwarding of security events, inbound traffic from agents) to your Syslog server. For additional information, see Port numbers.

Your Syslog server must be accessible via the Internet and its domain name must be globally DNS-resolvable. For additional information, see Workload Security IPs.

Define a Syslog configuration

Syslog configurations define the destination and settings that can be used when forwarding system or security events. Note that if you configured SIEM or Syslog settings before January 26th, 2017, they have been converted to Syslog configurations; identical configurations were merged.

  1. Go to Policies > Common Objects > Other > Syslog Configurations.

  2. Click New > New Configuration > General and specify the following:
    • Name: Unique name that identifies the configuration.
    • Description: Optional description of the configuration.
    • Log Source Identifier: Optional identifier to use instead of the Workload Security hostname.
      Workload Security is multi-node and each server node has a different hostname, so events forwarded by different nodes can carry different log source IDs. If you need the ID to be the same regardless of which node sent the event (for example, for filtering purposes), configure the shared log source ID here.
      This setting does not apply to events sent directly by the agent, which always uses its hostname as the log source ID.
    • Server Name: Hostname or IP address of the receiving Syslog or SIEM server.
    • Server Port: Listening port number on the SIEM or Syslog server. For UDP, the IANA standard port number is 514. For TLS, it's usually port 6514. See also Port numbers.
    • Transport: Whether the transport protocol is secure (TLS) or not (UDP).
      With UDP, Syslog messages are limited to 64 KB. If the message is longer, data may be truncated.
      With TLS, the manager and Syslog server must trust each other's certificates. The connection from the manager to the Syslog server is encrypted with TLS 1.2, 1.1, or 1.0.
      TLS requires that you set Agents should forward logs to Via the Workload Security Manager (indirectly). Agents do not support forwarding with TLS.
    • Event Format: Whether the log message's format is LEEF, CEF, or basic Syslog. See Syslog message formats.
      LEEF format requires that you set Agents should forward logs to Via the Workload Security Manager (indirectly).
      Basic Syslog format is not supported by the Anti-Malware, Web Reputation, Integrity Monitoring, and Application Control modules.
    • Include time zone in events: Whether or not to add the year and time zone to the event date.
      Example (selected): 2018-09-14T01:02:17.123+04:00.
      Example (deselected): Sep 14 01:02:17.
      Full dates require that you set Agents should forward logs to Via the Workload Security Manager (indirectly).
    • Facility: Type of process with which events will be associated. Syslog servers may prioritize or filter based upon a log message's facility field. See also What are Syslog Facilities and Levels?
    • Agents should forward logs: Whether to send events Directly to the Syslog server or Via the Workload Security Manager (indirectly).
      When forwarding logs directly to the Syslog server, agents use clear-text UDP. Logs contain sensitive information about your security system. If logs traverse an untrusted network such as the Internet, consider adding a VPN tunnel or similar protection to prevent reconnaissance and tampering.
      • If you forward logs via Workload Security, they do not include Firewall and Intrusion Prevention packet data.
      • Mac agent only supports forwarding logs via Workload Security Manager. If you select Directly to the Syslog server, the logs do not include Device Control data.

  3. If the Syslog or SIEM server requires TLS clients to do client authentication (also called bilateral or mutual authentication), then under Credentials, configure the following:
    • Private Key: Paste the private key of the Workload Security client certificate.
    • Certificate: Paste the client certificate that Workload Security will use to identify itself in TLS connections to the Syslog server. Use PEM, also known as Base64-encoded format.
    • Certificate Chain: If an intermediate CA signed the client certificate, but the Syslog server does not know and trust that CA, then paste the intermediate CA certificates that chain the client certificate to a trusted root CA. Press Enter between each CA certificate.
  4. Click Apply.

  5. If you select the TLS transport mechanism, verify that both Workload Security and the Syslog server can connect and trust each other's certificates:
    1. Click Test Connection.
      Workload Security tries to resolve the hostname and connect. If that fails, an error message appears. If the Syslog or SIEM server certificate is not yet trusted by Workload Security, the connection fails and an Accept Server Certificate? message should appear. The message shows the contents of the Syslog server's certificate.
    2. Verify that the Syslog server's certificate is correct.
    3. Click OK to accept the certificate. The certificate appears in the manager's list of trusted certificates on Administration > System Settings > Security.
      Workload Security can accept self-signed certificates.
    4. Click Test Connection again.
      Expect the TLS connection to succeed.
  6. Continue by selecting which events to forward. See Forward system events or Forward security events.
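The Include time zone in events setting above decides whether a receiving SIEM gets a full date (2018-09-14T01:02:17.123+04:00) or the short form (Sep 14 01:02:17) that carries neither year nor zone. The following parser is an added example, not code from Workload Security or Trend Micro; it shows how a receiver can accept both forms and how much it has to guess for the short one. The `now` argument, the assumed zone, and the sample stamps are all constructed for this illustration.

```python
from datetime import datetime, timedelta, timezone

# Formats produced by the "Include time zone in events" setting:
#   selected   -> 2018-09-14T01:02:17.123+04:00  (year and zone present)
#   deselected -> Sep 14 01:02:17                 (no year, no zone)
ISO_FORMATS = ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z")
LEGACY_FORMAT = "%Y %b %d %H:%M:%S"  # the year is prepended by the caller


def parse_event_timestamp(stamp, now=None, assume_tz=timezone.utc):
    """Return (aware datetime, inferred) for either event date form.

    inferred is True when the year and time zone had to be guessed because
    the event carried the short form. `now` is the receiver's current aware
    datetime (or its ISO-8601 string) and defaults to the real clock;
    assume_tz is the zone assigned to short-form events (assumption: the
    forwarding agent and the receiver agree on it).
    """
    stamp = stamp.strip()
    for fmt in ISO_FORMATS:
        try:
            return datetime.strptime(stamp, fmt), False
        except ValueError:
            pass

    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_event_timestamp(now)[0]

    # Short form: try the current year first, then the previous year. A year
    # that would place the event more than a day in the future (a December
    # event received in January) or that makes the date impossible (Feb 29
    # outside a leap year) is rejected.
    for year in (now.year, now.year - 1):
        try:
            candidate = datetime.strptime(f"{year} {stamp}", LEGACY_FORMAT)
        except ValueError:
            continue
        candidate = candidate.replace(tzinfo=assume_tz)
        if candidate - now <= timedelta(days=1):
            return candidate, True
    raise ValueError(f"unrecognised event timestamp: {stamp!r}")


def normalize_to_utc(stamp, now=None, assume_tz=timezone.utc):
    """ISO-8601 UTC string for an event date, plus the inferred flag."""
    dt, inferred = parse_event_timestamp(stamp, now, assume_tz)
    return dt.astimezone(timezone.utc).isoformat(), inferred


if __name__ == "__main__":
    # Constructed sample stamps, not captured from a real deployment
    receiver_clock = "2019-01-01T00:30:00+00:00"
    for sample in ("2018-09-14T01:02:17.123+04:00", "Sep 14 01:02:17", "Dec 31 23:59:59"):
        print(sample, "->", normalize_to_utc(sample, now=receiver_clock))
```

The inferred flag is worth keeping as a field in the SIEM: events with the short form cannot be placed in a year or zone with certainty, which is why the page recommends enabling the full date when you forward via the manager.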

Forward system events

Workload Security generates system events such as administrator logins or upgrading agent software.

  1. Go to Administration > System Settings > Event Forwarding.

  2. From Forward System Events to a remote computer (via Syslog) using configuration, either select an existing configuration or select New. For details, see Define a Syslog configuration.

  3. Click Save.

Forward security events

Agent protection modules generate security events, such as detecting malware or triggering an IPS rule. You can forward these events either directly from the agent or indirectly via Workload Security; some event forwarding options (TLS transport, LEEF format, and full dates) require the indirect route. As with other policy settings, you can override event forwarding settings for specific policies or computers. See Policies, inheritance, and overrides.

  1. Go to Policies.

  2. Double-click the policy used by the computers.

  3. Go to Settings > Event Forwarding.

  4. Under Event Forwarding Frequency (from the Agent/Appliance), use Period between sending of events to select how often the security events are to be forwarded. This setting relates to the log aggregation time for IPS and firewall and depends on the Advanced Logging Policy settings.

  5. Under Event Forwarding Configuration (from the Agent/Appliance), use Anti-Malware Syslog Configuration and other protection modules' lists to select one of the following:

    • An existing Syslog configuration, which you can modify by clicking Edit.
    • None to disable the Syslog configuration.
    • New to create a new Syslog configuration. For details, see Define a Syslog configuration.
  6. Click Save.

Troubleshoot event forwarding

Failed to Send Syslog Message alert

If there is a problem with your Syslog configuration, you might see the following alert:

Failed to Send Syslog Message
The Workload Security Manager was unable to forward messages to a Syslog Server.
Unable to forward messages to a Syslog Server

The alert also contains a link to the affected Syslog configuration. Click the link to open the configuration, and then click Test Connection to get more diagnostic information. It either indicates that the connection was successful, or displays an error message with more details about the cause.

Cannot edit Syslog configurations

If you can see the Syslog configurations but cannot edit them, the role associated with your account might not have the appropriate rights. An administrator who is able to configure roles can check your permissions by navigating to Administration > User Management. Then select your name and click Properties. On the Other Rights tab, the Syslog Configurations setting controls your ability to edit Syslog configurations. For more information on users and roles, see Create and manage users.

Syslog not transferred due to an expired certificate

Valid certificates are required to connect securely via TLS. If you set up TLS client authentication and the certificate expires, messages are not sent to the Syslog server. To fix this problem, get a new certificate, update the Syslog configuration with the new certificate values, test the connection, and then save the configuration.

Syslog not delivered due to an expired or changed server certificate

Valid certificates are required to connect securely via TLS. If the Syslog server's certificate has expired or changed, open the Syslog configuration and click Test Connection. You are prompted to accept the new certificate.

Syslog configuration produced an invalid private key

If you encounter an Invalid Private Key error in Client Credentials for TLS, the private key you pasted is most likely in the RSA PRIVATE KEY (PKCS1) format instead of the required PRIVATE KEY (PKCS8) format.

To convert a PKCS1 key to PKCS8, execute the following command:

openssl pkcs8 -topk8 -nocrypt -in privkey.pem

Use the private key printed by the preceding command (it begins with -----BEGIN PRIVATE KEY-----) as the Private Key value in the Syslog configuration.
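The openssl command above is the supported way to convert the key. As an added illustration of what it does, and of how to tell the two formats apart before pasting a key into the Credentials fields of a Syslog configuration, the following Python is not Trend Micro's code: it classifies a PEM key by its armor header and wraps an unencrypted PKCS1 RSAPrivateKey in the PKCS8 PrivateKeyInfo structure (version 0, the rsaEncryption algorithm identifier, and the PKCS1 DER as an OCTET STRING), which is the structure openssl pkcs8 -topk8 -nocrypt emits for an RSA key. The sample key body is a constructed stand-in, not a real key.

```python
import base64
import textwrap

PKCS1_HEADER = "-----BEGIN RSA PRIVATE KEY-----"
PKCS1_FOOTER = "-----END RSA PRIVATE KEY-----"
PKCS8_HEADER = "-----BEGIN PRIVATE KEY-----"
PKCS8_FOOTER = "-----END PRIVATE KEY-----"

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption), tag and length included
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")
DER_NULL = b"\x05\x00"

# Constructed stand-in for a PKCS1 body: a SEQUENCE of three small INTEGERs.
# It is NOT a usable RSA key; it only exercises the wrapping logic.
SAMPLE_PKCS1_PEM = "\n".join([
    PKCS1_HEADER,
    base64.b64encode(bytes.fromhex("3009020100020111020103")).decode("ascii"),
    PKCS1_FOOTER,
])


def key_format(pem):
    """Classify a pasted PEM private key by its armor header."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if not lines:
        return "unknown"
    first = lines[0]
    if first == PKCS1_HEADER:
        # Legacy OpenSSL passphrase protection adds Proc-Type/DEK-Info headers
        encrypted = any(line.startswith("Proc-Type:") for line in lines[1:3])
        return "pkcs1-encrypted" if encrypted else "pkcs1"
    if first == PKCS8_HEADER:
        return "pkcs8"
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "pkcs8-encrypted"
    if first == "-----BEGIN EC PRIVATE KEY-----":
        return "sec1"
    return "unknown"


def pem_body_der(pem):
    """Base64-decode the payload between the BEGIN and END lines."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    payload = "".join(line for line in lines[1:-1] if line and ":" not in line)
    return base64.b64decode(payload)


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def pkcs1_to_pkcs8(pem):
    """Wrap an unencrypted PKCS1 RSAPrivateKey in a PKCS8 PrivateKeyInfo.

    Keys that are already PKCS8 are returned unchanged; encrypted keys are
    refused because -nocrypt output (what the configuration expects) has no
    passphrase and the key must be decrypted first.
    """
    fmt = key_format(pem)
    if fmt == "pkcs8":
        return pem.strip() + "\n"
    if fmt != "pkcs1":
        raise ValueError(f"cannot convert key of format {fmt}; decrypt or re-export it first")
    rsa_der = pem_body_der(pem)
    private_key_info = _der(0x30,
        _der(0x02, b"\x00")                          # version 0
        + _der(0x30, RSA_ENCRYPTION_OID + DER_NULL)  # AlgorithmIdentifier
        + _der(0x04, rsa_der))                       # privateKey OCTET STRING
    b64 = base64.b64encode(private_key_info).decode("ascii")
    return "\n".join([PKCS8_HEADER, *textwrap.wrap(b64, 64), PKCS8_FOOTER]) + "\n"


if __name__ == "__main__":
    print(key_format(SAMPLE_PKCS1_PEM))
    print(pkcs1_to_pkcs8(SAMPLE_PKCS1_PEM))
```

Checking key_format before pasting catches the two cases that produce the Invalid Private Key error in practice: a PKCS1 header, and a passphrase-protected key, which the -nocrypt conversion on this page also does not accept without decrypting it first.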

Compatibility

Workload Security has been tested with the enterprise versions of the following:

  • Splunk 6.5.1
  • IBM QRadar 7.2.8 Patch 3 (with the TLS protocol patch, PROTOCOL-TLSSyslog-7.2-20170104125004.noarch)
  • HP ArcSight 7.2.2 (with a TLS Syslog-NG connector created using the ArcSight-7.2.2.7742.0-Connector tool)

Other standard Syslog software might work, but has not been verified.

If you are using Splunk, you can use the Deep Security app for Splunk to get dashboards and saved searches.