The 'SIEM Integration' option lets you forward data from ADAuditPlus to an external SIEM product or to a Syslog server in real time.
You can choose to forward
Syslog is the event logging service on Unix systems. You may also use this setting to forward events to your SIEM's UDP or TCP receiver.
Configuring a Syslog Server:
Steps to enable Syslog Logging in ADAuditPlus:
Configuring Splunk Http Event Collector:
Steps to enable Splunk forwarding in ADAuditPlus:
Steps to enable ArcSight forwarding in ADAuditPlus:
ArcSight CEF Key Mappings

| CEF Key | ADAuditPlus Column |
|---|---|
| cat | ADAuditPlus Category |
| cn1 | Event Number |
| cn2 | Record Number |
| cn3 | Unique ID |
| cs1 | ADAuditPlus Report Profile Name |
| cs4 | ADAuditPlus Alert Profile Name |
| cs3 | Event Source |
| cs5 | Severity |
| rt | Event Time |
| type | Event Type |
| reason | Event Remarks |
| outcome | Event Outcome |
| msg | ADAuditPlus Message String |
| fileName | File Name |
| fileLocation | File Location |
| suser | User Name / Caller User Name |
| suid | User SID / Caller User Name |
| sntdom | Domain Name / Caller Domain Name |
| shost | User Machine / Caller Machine Name |
| cs2 | User Machine IP Address |
| duser | Target User Name |
| duid | Target User SID |
The forwarded ADAudit Plus events can be searched, grouped into reports and categorized as needed in your SIEM product.
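The mapping table above is what a receiving SIEM needs to turn a forwarded CEF record back into ADAudit Plus columns. The parser below is an added example, not ADAudit Plus or ArcSight code: it splits the CEF header honouring backslash escapes, parses the extension key=value pairs, and renames the keys using the table. The sample record is constructed, and its vendor, product and version header fields are placeholders rather than the values ADAudit Plus actually emits.

```python
import re

# CEF extension key -> ADAudit Plus column, copied from the mapping table above.
CEF_TO_ADAP = {
    "cat": "ADAuditPlus Category", "cn1": "Event Number", "cn2": "Record Number",
    "cn3": "Unique ID", "cs1": "ADAuditPlus Report Profile Name",
    "cs4": "ADAuditPlus Alert Profile Name", "cs3": "Event Source", "cs5": "Severity",
    "rt": "Event Time", "type": "Event Type", "reason": "Event Remarks",
    "outcome": "Event Outcome", "msg": "ADAuditPlus Message String",
    "fileName": "File Name", "fileLocation": "File Location",
    "suser": "User Name / Caller User Name", "suid": "User SID / Caller User Name",
    "sntdom": "Domain Name / Caller Domain Name", "shost": "User Machine / Caller Machine Name",
    "cs2": "User Machine IP Address", "duser": "Target User Name", "duid": "Target User SID",
}
HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# An extension key is a bare token at the start of the string or after whitespace, followed by '='.
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")

def _unescape(s):
    # CEF escapes '\=', '\|' and '\\' with a backslash; '\n' and '\r' encode line breaks in values.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)

def _split_header(line):
    """Return the 7 pipe-delimited header fields and the raw extension; escaped pipes stay in the field."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            buf.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    if len(fields) < 7:
        raise ValueError("not a CEF record: fewer than 7 header fields")
    return fields, line[i:]

def parse_cef(line):
    """Parse one CEF line into a dict keyed by ADAudit Plus column names; unmapped keys are kept as-is."""
    fields, ext = _split_header(line.rstrip("\r\n"))
    if not fields[0].startswith("CEF:"):
        raise ValueError("missing CEF: prefix")
    rec = dict(zip(HEADER_FIELDS, fields))
    rec["version"] = fields[0][4:]
    keys = list(_KEY.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end(): nxt.start() if nxt else len(ext)]  # value runs up to the next key
        rec[CEF_TO_ADAP.get(m.group(1), m.group(1))] = _unescape(raw.rstrip())
    return rec

# Constructed sample record; header vendor/product/version are placeholders, not ADAudit Plus's real values.
SAMPLE = ("CEF:0|Vendor|Product|1.0|4624|Logon Success|3|"
          "cat=Logon cn1=4624 rt=Jan 01 2024 10:00:00 suser=alice sntdom=EXAMPLE "
          "shost=WS01 cs2=10.0.0.5 msg=User alice logged on to WS\\=01 outcome=Success")
```

Values that contain spaces (the time stamp, the message) survive because a new field only starts at an unescaped `key=` token, which is why the `\=` inside the message must stay escaped on the wire.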