Configuring SIEM integration settings
By default, SIEM integration is not used. You can enable and disable SIEM integration, and configure relevant settings (see the table below).
SIEM integration settings
Setting | Default value | Description |
Send events to a remote syslog server via syslog protocol | Not applied | You can enable or disable SIEM integration by selecting or clearing the check box, respectively. |
Remove local copies for events that have been sent to a remote syslog server | Not applied | You can configure the settings for storing local copies of logs after they are sent to the SIEM server by selecting or clearing the check box. |
Events format | Structured data | You can select one of two formats to which the application converts its events prior to sending them to the syslog server for better recognition of these events by the SIEM server. |
Connection protocol | TCP | You can use the drop-down list to configure the connection to the main and mirror syslog servers via the UDP or TCP protocols. |
Main syslog server connection settings | IP address: 127.0.0.1 Port: 514 | You can use the appropriate fields to configure the IP address and port used to connect to the main syslog server. You can specify the IP address only in IPv4 format. |
Use mirror syslog server if the main server is not accessible | Not applied | You can use the check box to enable or disable the use of a mirror syslog server. |
Mirror syslog server connection settings | IP address: 127.0.0.1 Port: 514 | You can use the appropriate fields to configure the IP address and port used to connect to the mirror syslog server. You can specify the IP address only in IPv4 format. |
To configure the settings for integration with SIEM:
- In the Application Console tree, open the context menu of the Logs and notifications node.
- Select Properties.
The Logs and notifications settings window opens.
- Select the SIEM integration tab.
- In the Integration settings block, select the Send events to a remote syslog server via syslog protocol check box.
- If necessary, in the Integration settings block, select the Remove local copies for events that have been sent to a remote syslog server check box.
The status of the Remove local copies for events that have been sent to a remote syslog server check box does not affect the settings for storing events of the security log: the application never automatically deletes security log events.
- In the Events format block, specify the format to which you want to convert application events so that they can be sent to the SIEM server.
By default, the application converts them into a structured data format.
- In the Connection settings block:
- Specify the SIEM connection protocol.
- In the fields of the same name, specify the IPv4 address and port for connecting to the main syslog server.
- Select the Use mirror syslog server if the main server is not accessible check box if you want the application to use other connection settings when unable to send events to the main syslog server.
- In the fields of the same name, specify the IPv4 address and port for connecting to an additional syslog server.
- Click the OK button.
The configured SIEM integration settings will be applied.
