Configuring publication of application events to a SIEM system

You can configure the publication of events in CEF format to an external SIEM system, and saving the events locally in log files on the server. The event publication configuration procedure for KSMG on Astra Linux Special Edition is different from the procedure for configuring KSMG on other operating systems.

Follow the steps below on each cluster node whose events you want to publish to a SIEM system. Only enable the export of events in CEF format after configuring event publishing.

Configuring the export of application events on Rocky Linux, Ubuntu, Red Hat Enterprise Linux, Debian, and RED OS

Events are sent to an external SIEM system using the rsyslog system logging service. If you do not need to save events locally, skip steps 5, 7, 8 of the instructions in this section.

To configure the publication of application events to a SIEM system:

  1. Start an operating system command shell on the cluster node to run commands with superuser (system administrator) permissions.
  2. Make sure the rsyslog service is installed and running using the command:

    systemctl status rsyslog

    The status of the service must be running.

    If the rsyslog service is not running or is not installed, install and enable the rsyslog service in accordance with the instructions from the documentation for your operating system.

  3. Create the /etc/rsyslog.d/ksmg-cef-messages.conf file and add the following lines to it:

    $ActionQueueFileName ForwardToSIEM

    $ActionQueueMaxDiskSpace 1g

    $ActionQueueSaveOnShutdown on

    $ActionQueueType LinkedList

    $ActionResumeRetryCount -1

  4. If you want to send events to a SIEM system over UDP, add the following line:

    <category (facility) for the CEF format>.* @<IP address of the SIEM system>:<port used by the SIEM system to receive messages from Syslog over UDP>

    If you want to send events over TCP, add the following line:

    <category (facility) for the CEF format>.* @@<IP address of the SIEM system>:<port used by the SIEM system to receive messages from Syslog over TCP>

  5. If you want to save copies of events locally, add the following line to the same file:

    <facility for the CEF format>.* -/var/log/ksmg-cef-messages

  6. Add the following line to the end of the file:

    <facility for the CEF format>.* stop

    Example configuration file for exporting over UDP without saving to the local log:

    $ActionQueueFileName ForwardToSIEM2

    $ActionQueueMaxDiskSpace 1g

    $ActionQueueSaveOnShutdown on

    $ActionQueueType LinkedList

    $ActionResumeRetryCount -1

    local2.* @10.16.32.64:514

    local2.* stop

    Example configuration file for exporting over TCP with saving to the local log:

    $ActionQueueFileName ForwardToSIEM2

    $ActionQueueMaxDiskSpace 1g

    $ActionQueueSaveOnShutdown on

    $ActionQueueType LinkedList

    $ActionResumeRetryCount -1

    local2.* @@10.16.32.64:514

    local2.* -/var/log/ksmg-cef-messages

    local2.* stop
  7. If you configured copies of events to be saved locally, create the /var/log/ksmg-cef-messages log file and configure its access permissions. To do so, execute the commands:

    touch /var/log/ksmg-cef-messages

    chown root:klusers /var/log/ksmg-cef-messages

    chmod 640 /var/log/ksmg-cef-messages

  8. If you configured copies of events to be saved locally, configure the rules for rotation of log files with exported events. To do so, create the /etc/logrotate.d/ksmg-cef-messages file and add the following lines to it:

    /var/log/ksmg-cef-messages

    {

      size 500M

      rotate 10

      compress

      missingok

      notifempty

      sharedscripts

      postrotate

        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true

      endscript

    }

  9. Restart the rsyslog service. To do so, run the following command:

    systemctl restart rsyslog

  10. Check the status of the rsyslog service:

    systemctl status rsyslog

    The status must be running.

  11. Send a test message to the SIEM system using the following command:

    logger -p <category (facility) for the CEF format>.info Test message

Publication of application events to the SIEM system is configured.

Configuring application event publishing on Astra Linux Special Edition

Events are sent to an external SIEM system using the syslog-ng system logging service. If you do not need to save events locally, skip steps 5 through 7 of the instructions in this section.

To configure the publication of application events to a SIEM system:

  1. Start an operating system command shell on the cluster node to run commands with superuser (system administrator) permissions.
  2. Make sure the syslog-ng service is installed and running using the command:

    systemctl status syslog-ng

    The status of the service must be running.

    If the syslog-ng service is not running or is not installed, install and enable the syslog-ng service in accordance with the instructions from the documentation for your operating system.

  3. Create the /etc/syslog-ng/conf.d/ksmg-cef-messages.conf file and add the following line to it:

    filter f_ksmgcef { facility(<facility for the CEF format>); };

  4. If you want to send events to a SIEM system over UDP, add the following lines to the file:

    destination d_ksmgcef_forward { network("<IP address of the SIEM system>" transport("udp") port(<port used by the SIEM system to receive messages from Syslog over UDP>)); };

    log { source(s_src); filter(f_ksmgcef); destination(d_ksmgcef_forward); };

    If you want to send events over TCP, add the following lines to the file:

    destination d_ksmgcef_forward { network("<IP address of the SIEM system>" transport("tcp") port(<port used by the SIEM system to receive messages from Syslog over TCP>)); };

    log { source(s_src); filter(f_ksmgcef); destination(d_ksmgcef_forward); };

  5. If you want to save copies of events locally, add the following lines to the same file:

    destination d_ksmgcef_logfile { file("/var/log/ksmg-cef-messages"); };

    log { source(s_src); filter(f_ksmgcef); destination(d_ksmgcef_logfile); };

    Example configuration file for exporting over UDP without saving to the local log:

    filter f_ksmgcef { facility(local2); };

    destination d_ksmgcef_forward { network("10.16.32.64" transport("udp") port(514)); };

    log { source(s_src); filter(f_ksmgcef); destination(d_ksmgcef_forward); };

    Example configuration file for exporting over TCP with saving to the local log:

    filter f_ksmgcef { facility(local2); };

    destination d_ksmgcef_forward { network("10.16.32.64" transport("tcp") port(514)); };

    log { source(s_src); filter(f_ksmgcef); destination(d_ksmgcef_forward); };

    destination d_ksmgcef_logfile { file("/var/log/ksmg-cef-messages"); };

    log { source(s_src); filter(f_ksmgcef); destination(d_ksmgcef_logfile); };

  6. If you configured copies of events to be saved locally, create the /var/log/ksmg-cef-messages log file and configure its access permissions. To do so, execute the commands:

    touch /var/log/ksmg-cef-messages

    chown root:klusers /var/log/ksmg-cef-messages

    chmod 640 /var/log/ksmg-cef-messages

  7. If you configured copies of events to be saved locally, configure the rules for rotation of log files with exported events. To do so, create the /etc/logrotate.d/ksmg-cef-messages file and add the following lines to it:

    /var/log/ksmg-cef-messages

    {

      size 500M

      rotate 10

      compress

      missingok

      notifempty

      sharedscripts

      postrotate

        invoke-rc.d syslog-ng reload > /dev/null

      endscript

    }

  8. Restart the syslog-ng service. To do so, run the following command:

    systemctl restart rsyslog

  9. Check the status of the syslog-ng service:

    systemctl status rsyslog

    The status of the service must be 'running'.

  10. Send a test message to the SIEM system using the following command:

    logger -p <category (facility) for the CEF format>.info Test message

Publication of application events to the SIEM system is configured.

Page top