Configuring the export of events from PT NAD 11 to KUMA over Syslog involves the following steps:
1. Configuring the ptdpi-worker@notifier module.
2. Configuring the sending of syslog messages with information about activities, attacks and indicators of compromise.
To enable the sending of information about detected information security threats, you must configure the ptdpi-worker@notifier module.
In a multi-server configuration, these instructions must be followed on the primary server.
To configure the ptdpi-worker@notifier module:
1. Open the PT NAD configuration file for editing:
   sudo nano /opt/ptsecurity/etc/ptdpi.settings.yaml
2. Add the notifier module to the workers setting. For example:
   workers: ad alert dns es hosts notifier
3. Specify the PT NAD web interface URL in the notifier.yaml.nad_web_url setting. For example:
   notifier.yaml.nad_web_url: https://ptnad.example.com
   The ptdpi-worker@notifier module uses this URL to generate the links to session and activity cards that it includes in the messages it sends.
4. Restart PT NAD:
   sudo ptdpictl restart-all
The ptdpi-worker@notifier module is configured.
Configuring the sending of syslog messages with information about activities, attacks and indicators of compromise
The settings listed in the following instructions may not be present in the configuration file. If a setting is missing, you must add it to the file.
In a multi-server PT NAD configuration, edit the settings on the primary server.
To configure the sending of syslog messages with information about activities, attacks and indicators of compromise:
1. Open the PT NAD configuration file for editing:
   sudo nano /opt/ptsecurity/etc/ptdpi.settings.yaml
2. Specify the language of the messages in the notifier.yaml.syslog_notifier.locale setting. For example:
   notifier.yaml.syslog_notifier.locale: en
3. In the notifier.yaml.syslog_notifier.addresses setting, describe each connection over which messages are sent.
   The <Connection name> setting can only contain Latin letters, numerals, and the underscore character.
   For the address setting, specify the IP address of the KUMA collector.
   Other settings can be omitted, in which case the default values are used.
   notifier.yaml.syslog_notifier.addresses:
     <Connection name>:
       address: <For a remote server: the protocol (UDP, the default, or TCP), address and port; for a local connection: the Unix domain socket>
       doc_types: [<Comma-separated message types: 'alert' for information about attacks, 'detection' for activities, and 'reputation' for information about indicators of compromise. By default, all types of messages are sent>]
       facility: <Numeric value of the subject category>
       ident: <software tag>
     <Connection name>:
       ...
   The following is a sample configuration that sends syslog messages with information about activities, attacks, and indicators of compromise to two remote servers, one via TCP and one via UDP, without writing to the local log:
   notifier.yaml.syslog_notifier.addresses:
     remote1:
       address: tcp://198.51.100.1:1514
     remote2:
       address: udp://198.51.100.2:2514
4. Restart the notifier module:
   sudo ptdpictl restart-worker notifier
The sending of events to KUMA via Syslog is configured.