Integrating ManageEngine PAM360 with SIEM tools
This document discusses the process of integrating PAM360 with various SIEM tools. At the end of this document, you will have learned the following:
- Key Benefits of Integration
- How does the Integration Work?
- Steps to Integrate a SIEM Tool and Configure Syslog Collection
1. Key Benefits of Integration
PAM360 integrates with SIEM tools that help in gathering and processing audit logs for resources, passwords, and users from PAM360 in real time and send them as Syslogs to external log management systems. Specific events for which notifications are to be raised can be tailored from the Audit tab of PAM360.
The following are the SIEM tools that can be currently integrated with PAM360 to collect syslogs:
Once the details of the the collector host, such as the host name and port are given and the integration is enabled, an RFC-3164 compliant Syslog message will be generated and sent to the configured host and port, using the chosen protocol (TCP or UDP). Default facility name will be AUTH, but you can change it to any of the unassigned facility names from the list.
- Splunk: Click here for information on how to view the syslog data sent from PAM360 in Splunk.
- ManageEngine EventLog Analyzer: Once the collector host is added in PAM360, the PAM360 server will be added as a device in EventLog Analyzer automatically.
- Sumo Logic: Click here to read more about Sumo Logic's collectors.
2.1 Format of the Syslog Messages Sent from PAM360
PAM360 uses different Syslog message formats for Resource Audit and User Audit. The RFC-3164 compliant Syslog message indicates the type of audit event at the start of the message, followed by the username and IP address from which the operation was performed. The message typically includes details such as the type of operation, the timestamp, and status. It also displays the name of the PAM360 server where the operation was carried out, along with the resource & account name details. A notable difference between the Syslog messages for MSP and Non-MSP is that the MSP format includes the ORG_NAME in the message.
i. Syslog Format for MSP
[ResourceAudit:LOGGED_IN_USERNAME:IPADDRESS] [OPERATION_TYPE] [OPERATED_TIME] [STATUS_OF_OPERATION] [PAM360_SERVER_NAME] [ORG_NAME-RESOURCE_NAME:ACCOUNT_NAME:REASON]
[UserAudit:LOGGED_IN_USERNAME:IPADDRESS] [OPERATION_TYPE] [OPERATED_TIME] [STATUS_OF_OPERATION] [PAM360_SERVER_NAME] [ORG_NAME-LOGGED_IN_USERNAME:REASON]
[ResourceAudit:LOGGED_IN_USERNAME:IPADDRESS] [OPERATION_TYPE] [OPERATED_TIME] [STATUS_OF_OPERATION] [PAM360_SERVER_NAME] [RESOURCE_NAME:ACCOUNT_NAME:REASON]
[UserAudit:LOGGED_IN_USERNAME:IPADDRESS] [OPERATION_TYPE] [OPERATED_TIME] [STATUS_OF_OPERATION] [PAM360_SERVER_NAME] [LOGGED_IN_USERNAME:REASON]
3. Steps to Integrate a SIEM Tool and Configure Syslog Collection
Follow the below steps to integrate any SIEM tool with PAM360 and configure syslog collection.
- Navigate to Admin >> Integrations >> SIEM Integrations.
- In the page displayed, you will see the SIEM tool blocks with the below options. These options remain the same for any SIEM tool you might want to integrate with PAM360.
- Click Enable under the SIEM tool of your choice. If you don't have any of the listed tools, click Enable under 'Others' and enter the below details:
- Click Enable. Now the integration with PAM360 and the SIEM tool of your choice is complete.
Buttons and Definitions:
Sl. No: Button Definition
You will see this option if the integration is disabled. Click this button to enter required details of the SIEM tool and enable integration.
You will see this option if the integration is enabled. Click this button to update the SIEM tool details, such as the collector name, port, protocol and facility name.
You will see this option if the integration is enabled. Click this button to disable the integration.
3.1 Customizing the Syslog Event Notifications in PAM360
After enabling the integration and configuring the settings, you can customize the events for which you wish to generate the syslog messages.
- Password-oriented: To generate password-related syslog messages, navigate to Groups >> Actions (of desired group) >> Configure Notifications, and select Send as a Syslog message for the required password-oriented options.
- Operation-oriented: You can generate syslog messages regarding the account operations inside PAM360. This can be done for both resource audit and user audit. To configure for resource audit, navigate to Audit >> Resource Audit >> Audit Actions >> Configure Resource Audit. Similarly, to configure for user audit, navigate to Audit >> User Audit >> Audit Actions >> Configure User Audit. The Generate Syslog option will be selected for all the operations already. Uncheck the operations which don't need to be recorded.