Configuring publication of application events to a SIEM system

You can configure the publication of events in CEF format to an external SIEM system, as well as save the events locally in log files on the server. If you do not need to save events locally, skip steps 4, 6, 7 of the instructions in this section.

Follow the steps below on each cluster node whose events you want to publish to a SIEM system. Only enable the export of events in CEF format after configuring event publishing.

To configure the publication of application events to a SIEM system:

1. Connect to the management console of the KSMG virtual machine under the root account using a private SSH key. You will enter Technical Support Mode.
2. Create the /etc/rsyslog.d/ksmg-cef-messages.conf file and add the following lines to it:

   $ActionQueueFileName ForwardToSIEM

   $ActionQueueMaxDiskSpace 1g

   $ActionQueueSaveOnShutdown on

   $ActionQueueType LinkedList

   $ActionResumeRetryCount -1

3. If you want to send events to a SIEM system over UDP, add the following line:

   local2.* @<IP address of the SIEM system>:<port used by the SIEM system to receive messages from Syslog over UDP>

   If you want to send events over TCP, add the following line:

   local2.* @<IP address of the SIEM system>:<port used by the SIEM system to receive messages from Syslog over TCP>

4. If you want to save events locally, add the following line to the file:

   local2.* -/var/log/ksmg-cef-messages

5. Add the following line to the end of the file:

   local2.* stop

   Example configuration file for exporting over UDP without saving to the local log: $ActionQueueFileName ForwardToSIEM2 $ActionQueueMaxDiskSpace 1g $ActionQueueSaveOnShutdown on $ActionQueueType LinkedList $ActionResumeRetryCount -1 local2.* @10.16.32.64:514 local2.* stop Example configuration file for exporting over TCP with saving to the local log: $ActionQueueFileName ForwardToSIEM2 $ActionQueueMaxDiskSpace 1g $ActionQueueSaveOnShutdown on $ActionQueueType LinkedList $ActionResumeRetryCount -1 local2.* @10.16.32.64:514 local2.* -/var/log/ksmg-cef-messages local2.* stop

6. If you configured copies of events to be saved locally, create the /var/log/ksmg-cef-messages log file and configure its access permissions. To do so, execute the commands:

   touch /var/log/ksmg-cef-messages

   chown root:klusers /var/log/ksmg-cef-messages

   chmod 640 /var/log/ksmg-cef-messages

7. If you configured copies of events to be saved locally, configure the rules for rotation of log files with exported events. To do so, create the /etc/logrotate.d/ksmg-cef-messages file and add the following lines to it:

   /var/log/ksmg-cef-messages

   {

     size 500M

     rotate 10

     compress

     missingok

     notifempty

     sharedscripts

     postrotate

     /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true

     endscript

   }

8. Restart the rsyslog service. To do so, run the following command:

   systemctl restart rsyslog

9. Check the status of the rsyslog service:

   systemctl status rsyslog

   The status must be running.

10. Send a test message to the SIEM system using the following command:

    logger -p local2.info Test message

Publication of application events to the SIEM system is configured.

Page top