Log forwarder configuration

The SIEM integration option lets you forward the log data collected by Cloud Security Plus to an external SIEM product or to a Syslog server in real time.

Forwarding collected logs to a Syslog server

Syslog is the standard event logging service on Unix-like systems. You may also use this setting to forward logs to your SIEM's UDP or TCP syslog receiver.

Configuring a Syslog Server

The Syslog daemon listens by default on UDP port 514. UDP offers no delivery guarantee and no transport encryption, so where your receiver supports it prefer TCP, and restrict the listener so that it accepts messages only from the Cloud Security Plus server.

The default listener settings can be changed in the daemon's configuration file, /etc/syslog.conf (on distributions that ship rsyslog, /etc/rsyslog.conf). Restart the Syslog daemon for the changes to take effect.

Steps to enable log forwarding to Syslog server in Cloud Security Plus

  1. Navigate to Settings → Configuration → Log Forwarder Configuration → Syslog.
  2. Enter the profile name and the Syslog server name (hostname or IP address). Ensure that the Syslog server is reachable from the Cloud Security Plus server.
  3. Enter the Syslog port number and choose the protocol (UDP or TCP).
  4. Choose the Syslog standard (RFC 3164 or RFC 5424) and the data format required by your SIEM's parser.
  5. Choose the data sources.
  6. Click Save.
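The two choices that most often break a Syslog integration are the protocol (step 3) and the Syslog standard (step 4): a receiver expecting RFC 5424 will not parse BSD-style RFC 3164 lines, and vice versa. The following Python example is added here to illustrate both sections above; it is not code from Cloud Security Plus or from the product documentation. It builds an RFC 5424 line from a facility/severity pair, parses lines in either standard (auto-detected) into their PRI, hostname, application and message fields, and sends a test message over UDP or TCP so you can confirm the receiver is reachable from the Cloud Security Plus host before saving the profile. The hostnames, application names and sample messages are constructed for the example.

```python
import re
import socket
from datetime import datetime, timezone

# Facility and severity codes from RFC 5424 section 6.2.1; PRI = facility * 8 + severity.
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "local0": 16, "local1": 17, "local2": 18, "local3": 19,
            "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# RFC 3164 (BSD syslog): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)


def parse_syslog(line):
    """Parse one syslog line, auto-detecting RFC 5424 vs RFC 3164, into a dict."""
    m = RFC5424_RE.match(line)
    standard = "rfc5424"
    if m is None:
        m = RFC3164_RE.match(line)
        standard = "rfc3164"
    if m is None:
        raise ValueError("unrecognised syslog line: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        raise ValueError("PRI %d out of range" % pri)
    return {
        "standard": standard,
        "facility": pri // 8,
        "severity": SEVERITY[pri % 8],
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),
        "app": m.group("app"),
        "message": m.group("msg") or "",
    }


def build_rfc5424(facility, severity, hostname, app, msg, ts=None):
    """Build an RFC 5424 line; PROCID, MSGID and STRUCTURED-DATA are left as NILVALUE ('-')."""
    pri = FACILITY[facility] * 8 + SEVERITY.index(severity)
    ts = (ts or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return "<%d>1 %s %s %s - - - %s" % (pri, ts, hostname, app, msg)


def send_syslog(line, host, port=514, proto="udp", timeout=3.0):
    """Send one message to a syslog receiver. Run this from the Cloud Security Plus
    host to confirm the server and port are reachable before saving the profile."""
    data = line.encode("utf-8")
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(data, (host, port))
    elif proto == "tcp":
        # Non-transparent framing, one message per line (RFC 6587 section 3.4.2).
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(data + b"\n")
    else:
        raise ValueError("proto must be 'udp' or 'tcp'")


if __name__ == "__main__":
    # Constructed sample lines; the second is the example message from RFC 3164 itself.
    samples = [
        build_rfc5424("local0", "info", "csp01", "CloudSecurityPlus", "AWS IAM user created"),
        "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    ]
    for s in samples:
        print(parse_syslog(s))
    # Assumed receiver address; replace with your Syslog server, then check its log file.
    # send_syslog(samples[0], "syslog.example.internal", 514, proto="tcp")
```

A UDP send never fails on an unreachable port (there is no handshake), so a TCP connection refused or timeout is the more informative reachability check even if you plan to forward over UDP; if you must verify UDP, tail the receiver's log while you send.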

Forwarding collected logs to an external SIEM product: Splunk HTTP Event Collector (HEC)

Configuring the Splunk HTTP Event Collector

  1. Navigate to Settings → Data Inputs → HTTP Event Collector → Global Settings. The HTTP port number (8088 by default) and the SSL setting can be customized on this page.
  2. Enable All Tokens, then restart your Splunk server.
  3. Click New Token on the HTTP Event Collector page, provide a name for the token (preferably Cloud Security Plus) and leave the remaining fields at their default values (customize if required).
  4. Save the configuration; a token value is generated. This token must be entered in the Cloud Security Plus configuration. Treat it as a credential: anyone who holds it can write events into the associated index.

Steps to enable log forwarding to Splunk in Cloud Security Plus

  1. Navigate to Settings → Configuration → Log Forwarder Configuration → Splunk.
  2. Enter the profile name and the Splunk server name (hostname or IP address). Ensure that the Splunk server is reachable from the Cloud Security Plus server.
  3. Enter the Splunk HEC port number and enable or disable SSL to match the Global Settings in Splunk. Keep SSL enabled wherever the traffic leaves a trusted network, because the token travels in every request.
  4. Enter the authentication token in the given field.
  5. Choose the data sources.
  6. Click Save.
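Before saving the Splunk profile it is worth confirming, from the Cloud Security Plus host, that the port, SSL setting and token you are about to enter actually work together. The Python example below is added for that purpose; it is not code from Cloud Security Plus or from Splunk. It builds the HEC event envelope, posts it to the standard /services/collector/event endpoint with the token in the Authorization header, and classifies the reply by HTTP status and HEC response code (0 is Success; an invalid token produces HTTP 403 with code 4). The server name, port, token value and event content are placeholders to replace with your own.

```python
import json
import ssl
import time
import urllib.error
import urllib.request

HEC_PATH = "/services/collector/event"


def hec_url(server, port, use_ssl=True):
    """URL of the HEC event endpoint; the scheme must match the SSL setting in Global Settings."""
    return "%s://%s:%d%s" % ("https" if use_ssl else "http", server, port, HEC_PATH)


def hec_headers(token):
    """HEC authenticates with the token as a bearer credential in the Authorization header."""
    return {"Authorization": "Splunk " + token, "Content-Type": "application/json"}


def build_hec_event(event, host, source="cloud-security-plus", sourcetype="_json",
                    index=None, timestamp=None):
    """Wrap one log record in the HEC event envelope (time, host, source, sourcetype, event)."""
    payload = {
        "time": time.time() if timestamp is None else timestamp,
        "host": host,
        "source": source,
        "sourcetype": sourcetype,
        "event": event,
    }
    if index is not None:  # only needed when the token's default index is not wanted
        payload["index"] = index
    return payload


def send_hec_event(server, port, token, payload, use_ssl=True, verify_tls=True, timeout=5.0):
    """POST one event to HEC and return (http_status, decoded JSON reply)."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(hec_url(server, port, use_ssl), data=body,
                                 headers=hec_headers(token), method="POST")
    ctx = None
    if use_ssl:
        ctx = ssl.create_default_context()
        if not verify_tls:  # lab instances with self-signed certificates only
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.getcode(), json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        # HEC returns a JSON body with a code on failure too, e.g. 403 {"text": "Invalid token", "code": 4}.
        try:
            detail = json.loads(e.read().decode("utf-8"))
        except ValueError:
            detail = {"text": str(e.reason), "code": None}
        return e.code, detail


def hec_accepted(status, reply):
    """True only when Splunk acknowledged the event: HTTP 200 and HEC code 0."""
    return status == 200 and reply.get("code") == 0


if __name__ == "__main__":
    # Assumed values: replace with your HEC host, port and the token generated in Splunk.
    status, reply = send_hec_event(
        "splunk.example.com", 8088, "00000000-0000-0000-0000-000000000000",
        build_hec_event({"action": "CreateUser", "result": "success"}, host="csp01"),
    )
    print(status, reply, "accepted" if hec_accepted(status, reply) else "rejected")
```

An HTTP 403 with code 4 means the token is wrong or disabled; an HTTP 401 means no token reached the server; a connection error or TLS failure points at the port or SSL choice rather than the token. If you had to set verify_tls=False to get a 200, fix the certificate on the Splunk side rather than relying on an unverified channel for the forwarder.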