Integrating ManageEngine PAM360 with SIEM tools

This document discusses the process of integrating PAM360 with various SIEM tools. At the end of this document, you will have learned the following: 

  1. Key Benefits of Integration
  2. How does the Integration Work?

    2.1 Format of the Syslog Messages Sent from PAM360

  3. Steps to Integrate a SIEM Tool and Configure Syslog Collection

    3.1 Customizing the Syslog Event Notifications in PAM360

1. Key Benefits of Integration

PAM360 integrates with SIEM tools that help in gathering and processing audit logs for resources, passwords, and users from PAM360 in real time and send them as Syslogs to external log management systems. Specific events for which notifications are to be raised can be tailored from the Audit tab of PAM360.

The following are the SIEM tools that can be currently integrated with PAM360 to collect syslogs:

  1. Splunk
  2. ManageEngine EventLog Analyzer
  3. Sumo Logic
  4. Other Syslog Collectors

Apart from the above SIEM tools, you can set up any other log management tool also to collect audit logs. You can have multiple log management tools configured concurrently.

2. How does the Integration Work?

Once the details of the the collector host, such as the host name and port are given and the integration is enabled, an RFC-3164 compliant Syslog message will be generated and sent to the configured host and port, using the chosen protocol (TCP or UDP). Default facility name will be AUTH, but you can change it to any of the unassigned facility names from the list.

  1. Splunk: Click here for information on how to view the syslog data sent from PAM360 in Splunk.
  2. ManageEngine EventLog Analyzer: Once the collector host is added in PAM360, the PAM360 server will be added as a device in EventLog Analyzer automatically.
  3. Sumo Logic: Click here to read more about Sumo Logic's collectors.

2.1 Format of the Syslog Messages Sent from PAM360

PAM360 uses different Syslog message formats for Resource Audit and User Audit. The RFC-3164 compliant Syslog message indicates the type of audit event at the start of the message, followed by the username and IP address from which the operation was performed. The message typically includes details such as the type of operation, the timestamp, and status. It also displays the name of the PAM360 server where the operation was carried out, along with the resource & account name details. A notable difference between the Syslog messages for MSP and Non-MSP is that the MSP format includes the ORG_NAME in the message.

i. Syslog Format for MSP

Resource Audit

[ResourceAudit:LOGGED_IN_USERNAME:IPADDRESS] [OPERATION_TYPE] [OPERATED_TIME] [STATUS_OF_OPERATION] [PAM360_SERVER_NAME] [ORG_NAME-RESOURCE_NAME:ACCOUNT_NAME:REASON]

User Audit

[UserAudit:LOGGED_IN_USERNAME:IPADDRESS] [OPERATION_TYPE] [OPERATED_TIME] [STATUS_OF_OPERATION] [PAM360_SERVER_NAME] [ORG_NAME-LOGGED_IN_USERNAME:REASON]

ii. Syslog Format for Non-MSP

Resource Audit

[ResourceAudit:LOGGED_IN_USERNAME:IPADDRESS] [OPERATION_TYPE] [OPERATED_TIME] [STATUS_OF_OPERATION] [PAM360_SERVER_NAME] [RESOURCE_NAME:ACCOUNT_NAME:REASON]

User Audit

[UserAudit:LOGGED_IN_USERNAME:IPADDRESS] [OPERATION_TYPE] [OPERATED_TIME] [STATUS_OF_OPERATION] [PAM360_SERVER_NAME] [LOGGED_IN_USERNAME:REASON]

3. Steps to Integrate a SIEM Tool and Configure Syslog Collection

Follow the below steps to integrate any SIEM tool with PAM360 and configure syslog collection.

  1. Navigate to Admin >> Integrations >> SIEM Integrations.
  2. In the page displayed, you will see the SIEM tool blocks with the below options. These options remain the same for any SIEM tool you might want to integrate with PAM360.
  3. SIEM integration

    Buttons and Definitions:

    Sl. No: Button Definition

    1

    Enable


    You will see this option if the integration is disabled. Click this button to enter required details of the SIEM tool and enable integration.

    2

    Edit


    You will see this option if the integration is enabled. Click this button to update the SIEM tool details, such as the collector name, port, protocol and facility name.

    3

    Disable



    You will see this option if the integration is enabled. Click this button to disable the integration.
  4. Click Enable under the SIEM tool of your choice. If you don't have any of the listed tools, click Enable under 'Others' and enter the below details:
    1. Collector Name
    2. Port
    3. Protocol (UDP/TCP)
    4. Facility Name (AUTH is selected by default)

      SIEM integration

  5. Click Enable. Now the integration with PAM360 and the SIEM tool of your choice is complete.

3.1 Customizing the Syslog Event Notifications in PAM360

After enabling the integration and configuring the settings, you can customize the events for which you wish to generate the syslog messages.  

  1. Password-oriented: To generate password-related syslog messages, navigate to Groups >> Actions (of desired group) >> Configure Notifications, and select Send as a Syslog message for the required password-oriented options.

    SIEM integration

  2. Operation-oriented: You can generate syslog messages regarding the account operations inside PAM360. This can be done for both resource audit and user audit. To configure for resource audit, navigate to Audit >> Resource Audit >> Audit Actions >> Configure Resource Audit. Similarly, to configure for user audit, navigate to Audit >> User Audit >> Audit Actions >> Configure User Audit. The Generate Syslog option will be selected for all the operations already. Uncheck the operations which don't need to be recorded.

    generate syslog option

Top