Integrating ManageEngine PAM360 with SIEM tools
This document discusses the process of integrating PAM360 with various SIEM tools. At the end of this document, you will have learned the following:
- Key benefits of integration
- How does the integration work?
Steps to integrate a SIEM tool and configure Syslog collection
1. Key Benefits of Integration
PAM360 integrates with SIEM tools that help in gathering and processing audit logs for resources, passwords, and users from PAM360 in real time and send them as Syslogs to external log management systems. Specific events for which notifications are to be raised can be tailored from the Audit tab of PAM360.
The following are the SIEM tools that can be currently integrated with PAM360 to collect syslogs:
- ManageEngine Log360
- Sumo Logic
- Other Syslog Collectors
Apart from the above SIEM tools, you can set up any other log management tool also to collect audit logs. You can have multiple log management tools configured concurrently.
2. How does the Integration Work?
Once the details of the the collector host, such as the host name and port are given and the integration is enabled, an RFC-3164 compliant Syslog message will be generated and sent to the configured host and port, using the chosen protocol (TCP or UDP). Default facility name will be AUTH, but you can change it to any of the unassigned facility names from the list.
- Splunk: Click here for information on how to view the syslog data sent from PAM360 in Splunk.
- Log360: Once the collector host is added in PAM360, the PAM360 server will be added as a device in Log360 automatically.
- Sumo Logic: Click here to read more about Sumo Logic's collectors.
The format of the Syslog message sent from PAM360 will be as follows:
[LOGGED_IN_USERNAME:IPADDRESS] [OPERATION_TYPE] [OPERATED_TIME] [STATUS_OF_OPERATION] [PAM360_SERVER_NAME] [RESOURCE_NAME:ACCOUNT_NAME:REASON]
Example: admin:127.0.0.1 Account_Added 2019/09/23 11:39:00 Success pam_test windows-server1:account1:Testing
If the logs are sent from the MSP edition of PAM360, then the format will be as follows:
[LOGGED_IN_USERNAME:IPADDRESS] [OPERATION_TYPE] [OPERATED_TIME] [STATUS_OF_OPERATION] [PAM360_SERVER_NAME] [ORG_NAME-RESOURCE_NAME:ACCOUNT_NAME:REASON]
Example: admin:127.0.0.1 Account_Added 2019/09/23 11:39:00 Success pam_test MSPOrg-windows-server1:account1:Testing
3. Steps to Integrate a SIEM Tool and Configure Syslog Collection
Follow the below steps to integrate any SIEM tool with PAM360 and configure syslog collection.
- Navigate to Admin >> Integrations >> SIEM Integrations.
- In the page displayed, you will see the SIEM tool blocks with the below options. These options remain the same for any SIEM tool you might want to integrate with PAM360.
- Click Enable under the SIEM tool of your choice. If you don't have any of the listed tools, click Enable under 'Others' and enter the below details:
Buttons and Definitions:
Sl. No: Button Definition
You will see this option if the integration is disabled. Click this button to enter required details of the SIEM tool and enable integration.
You will see this option if the integration is enabled. Click this button to update the SIEM tool details, such as the collector name, port, protocol and facility name.
You will see this option if the integration is enabled. Click this button to disable the integration.
- Collector Name
- Protocol (UDP/TCP)
- Facility Name (AUTH is selected by default)
- Click Enable. Now the integration with PAM360 and the SIEM tool of your choice is complete.
3.1 Customizing the Syslog Event Notifications in PAM360
After enabling the integration and configuring the settings, you can customize the events for which you wish to generate the syslog messages.
- Password-oriented: To generate password-related syslog messages, navigate to Groups >> Actions (of desired group) >> Configure Notifications, and select Send as a Syslog message for the required password-oriented options.
- Operation-oriented: You can generate syslog messages regarding the account operations inside PAM360. This can be done for both resource audit and user audit. To configure for resource audit, navigate to Audit >> Resource Audit >> Audit Actions >> Configure Resource Audit. Similarly, to configure for user audit, navigate to Audit >> User Audit >> Audit Actions >> Configure User Audit. The Generate Syslog option will be selected for all the operations already. Uncheck the operations which don't need to be recorded.