Configuring the publishing of application events to a SIEM system

Make sure to enable the export of events in CEF format before you proceed with the configuration.

Follow the steps described below on each cluster node for which you want to have events published to a SIEM system.

To configure the publication of application events to a SIEM system:

  1. Open the console of the virtual machine or log in remotely over SSH as 'admin' and use the administrator password of the virtual machine configured during the initial configuration of the application.
  2. In the Select Action menu, select Technical Support Mode.
  3. In the Password field, enter the web interface administrator password and click Ok.
  4. In the Technical Support Mode window, click Yes to confirm entering the Technical Support Mode.
  5. Specify the address and port for connecting to the server with the SIEM system. To do so, add the following lines to the end of the /etc/rsyslog.conf file:

    $ActionQueueFileName ForwardToSIEM
    $ActionQueueMaxDiskSpace 1g
    $ActionQueueSaveOnShutdown on
    $ActionQueueType LinkedList
    $ActionResumeRetryCount -1
    <facility>.* @@<IP address of the SIEM system>:<port on which the SIEM system receives messages from Syslog over TCP>

    It is recommended to create a backup copy of the /etc/rsyslog.conf file before editing it. A mistake introduced while editing the file can cause the system to malfunction.

  6. Restart the rsyslog service. To do that, enter at the command line:

    service rsyslog restart

The publishing of events to a SIEM system is configured.
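The following shell script is an added example and is not part of the original documentation: it wraps steps 5 and 6 so that the configuration file is backed up, the forwarding block is appended, the result is syntax-checked with rsyslogd -N1, and the backup is restored if the check fails. The facility, address and port values shown in the usage line are placeholders; the hypothetical function names are the example's own.

```shell
# Print the six configuration lines for the given facility, SIEM address and
# TCP port. The @@ prefix selects TCP transport (a single @ would be UDP).
siem_forward_block() {
    printf '%s\n' \
        '$ActionQueueFileName ForwardToSIEM' \
        '$ActionQueueMaxDiskSpace 1g' \
        '$ActionQueueSaveOnShutdown on' \
        '$ActionQueueType LinkedList' \
        '$ActionResumeRetryCount -1' \
        "$1.* @@$2:$3"
}

# Succeed only for a purely numeric port in the range 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# install_siem_forwarding FACILITY SIEM_ADDRESS PORT [CONFIG_FILE]
# Backs up the config, appends the block, validates, then restarts rsyslog.
install_siem_forwarding() {
    conf="${4:-/etc/rsyslog.conf}"
    valid_port "$3" || { echo "invalid port: $3" >&2; return 1; }
    [ -n "$2" ] || { echo "SIEM address is required" >&2; return 1; }
    bak="$conf.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$conf" "$bak" || return 1
    siem_forward_block "$1" "$2" "$3" >> "$conf"
    # Syntax-check the edited file before touching the running service;
    # a broken rsyslog.conf would otherwise take down local logging too.
    if ! rsyslogd -N1 -f "$conf" >/dev/null 2>&1; then
        echo "rsyslog config check failed, restoring $bak" >&2
        cp -p "$bak" "$conf"
        return 1
    fi
    service rsyslog restart
}

# Usage (placeholder values): install_siem_forwarding local1 192.0.2.10 514
```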
