Configuring SIEM integration settings

By default, SIEM integration is not used. You can enable and disable SIEM integration, and configure relevant settings (see the table below).

SIEM integration settings

Setting

Default value

Description

Send events to a remote syslog server via syslog protocol

Not applied

You can enable or disable SIEM integration by selecting or clearing the check box, respectively.

Remove local copies for events that have been sent to a remote syslog server

Not applied

You can configure the settings for storing local copies of logs after they are sent to the SIEM server by selecting or clearing the check box.

Events format

Structured data

You can select one of two formats to which the application converts its events prior to sending them to the syslog server for better recognition of these events by the SIEM server.

Connection protocol

TCP

You can use the drop-down list to configure the connection to the main and mirror syslog servers via the UDP or TCP protocols.

Main syslog server connection settings

IP address: 127.0.0.1

Port: 514

You can use the appropriate fields to configure the IP address and port used to connect to the main syslog server.

You can specify the IP address only in IPv4 format.

Use mirror syslog server if the main server is not accessible

Not applied

You can use the check box to enable or disable the use of a mirror syslog server.

Mirror syslog server connection settings

IP address: 127.0.0.1

Port: 514

You can use the appropriate fields to configure the IP address and port used to connect to the mirror syslog server.

You can specify the IP address only in IPv4 format.

To configure SIEM integration settings:

  1. In the Application Console tree, open the context menu of the Logs and notifications node.
  2. Select Properties.

    The Logs and notifications settings window opens.

  3. Select the SIEM integration tab.
  4. In the Integration settings section, select the Send events to a remote syslog server via syslog protocol check box.
  5. If necessary, in the Integration settings section, select the Remove local copies for events that have been sent to a remote syslog server check box.

    The status of the Remove local copies for events that have been sent to a remote syslog server check box does not affect the settings for storing events of the security log: the application never automatically deletes security log events.

  6. In the Events format section, specify the format to which you want to convert application events so that they can be sent to the SIEM server.

    By default, the application converts them into a structured data format.

  7. In the Connection settings section:
    • Specify the SIEM connection protocol.
    • Specify the settings for connecting to the main syslog server.

      You can only specify an IP address in IPv4 format.

    • Select the Use mirror syslog server if the main server is not accessible check box if you want the application to use other connection settings when unable to send events to the main syslog server.

      Specify the following settings for connecting to the mirror syslog server: Address and Port.

      The Address and Port fields for the mirror syslog server cannot be edited if the Use mirror syslog server if the main server is not accessible check box is cleared.

      You can only specify an IP address in IPv4 format.

  8. Click OK.

    The configured SIEM integration settings will be applied.

Page top