Forward events to an external Syslog or SIEM server

Deep Security records two types of events:

  • System events: Administrative or system-related events such as an administrator logging in or agent software being upgraded. These events are generated by the Deep Security Manager.
  • Security events: Recorded when a protection module rule or condition is triggered. These events are generated by the Deep Security Agent.

You can configure Deep Security to forward both types of events to an external syslog or Security Information and Event Management (SIEM) server. All events are forwarded in clear text over UDP, so there is neither confidentiality nor delivery confirmation on the wire: keep the path between the sender and the collector inside a trusted network, and expect events to be dropped silently if the collector or the path is overloaded. The content and format of the log messages differ slightly depending on whether they are sent by the Deep Security Manager or by an agent computer. For more information on the format, see Syslog message formats.

The two types of events are configured separately: system event forwarding is a Manager-wide setting under Administration > System Settings > Event Forwarding, while security event forwarding is set per policy or per computer under Settings > SIEM.

Enabling event forwarding to a syslog or SIEM server does not stop Deep Security from recording all system and security events and displaying them in reports and graphs in the Deep Security Manager.
If you are using Splunk as your syslog or SIEM server, consider using the Deep Security app for Splunk, which provides dashboards and saved searches.
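The following receiver is an added example, not code from the page or from Trend Micro: it takes forwarded events over UDP, splits the syslog envelope from the CEF body, and separates the component that generated an event (the CEF Device Product field, Manager or Agent) from the box that transmitted the datagram (its source IP). The two sample lines are constructed for this example and only follow the CEF layout (PRI, RFC 3164 header, then `CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|extension`); the function names, hostnames, addresses and signature names are assumptions, and messages in Basic Syslog or LEEF format are not handled.

```python
import re
import socket

# Constructed sample lines (not captured from a real installation). They follow
# the CEF layout Deep Security uses: a syslog PRI and RFC 3164 header, then
# "CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ...".
SAMPLE_MANAGER = (
    "<134>Mar  4 10:15:02 dsm.example.com CEF:0|Trend Micro|Deep Security Manager|"
    "20.0.123|600|User Signed In|3|src=10.0.0.25 suser=admin target=admin "
    "msg=User signed in from 10.0.0.25"
)
SAMPLE_AGENT = (
    "<134>Mar  4 10:15:03 web01.example.com CEF:0|Trend Micro|Deep Security Agent|"
    "20.0.123|20|Sample Firewall Event|5|cn1=1 cn1Label=Host ID dvc=10.0.1.10 "
    "act=Deny src=203.0.113.7 spt=44120 dst=10.0.1.10 dpt=22 proto=TCP"
)

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                            # PRI = facility * 8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # RFC 3164 timestamp
    r"(?P<host>\S+) "                                 # host named in the header
    r"(?P<body>CEF:.*)$"
)
# CEF extension: key=value pairs; a value runs until the next " key=" or the end.
# (Escaped characters such as "\=" inside values are left as-is here.)
EXT_RE = re.compile(r"([\w.]+)=(.*?)(?=\s+[\w.]+=|$)")


def parse_syslog_cef(line: str) -> dict:
    """Split one forwarded event into its syslog envelope and CEF fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a syslog line with a CEF body: {line[:60]!r}")
    # CEF header fields are separated by '|'; a literal pipe is escaped as '\|'.
    fields = re.split(r"(?<!\\)\|", m.group("body"), maxsplit=7)
    if len(fields) != 8 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "cef_version": fields[0][4:],
        "vendor": fields[1],
        "product": fields[2],
        "product_version": fields[3],
        "signature_id": fields[4],
        "name": fields[5],
        "cef_severity": int(fields[6]),
        "ext": dict(EXT_RE.findall(fields[7])),
    }


def generated_by(event: dict) -> str:
    """'manager' for events the Deep Security Manager generated (system events),
    'agent' for protection-module events generated on a computer, based on the
    CEF Device Product field. Which box transmitted the datagram is a separate
    question, answered by the source IP seen in listen()."""
    product = event["product"].lower()
    if "manager" in product:
        return "manager"
    if "agent" in product:
        return "agent"
    return "unknown"


def listen(bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """Receive forwarded events over UDP and print one summary line per event.
    The datagram source IP is the box that actually sent the event (Manager or
    agent); the CEF product field is the component that generated it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (src_ip, _) = sock.recvfrom(65535)
        try:
            ev = parse_syslog_cef(data.decode("utf-8", errors="replace"))
        except ValueError as exc:
            print(f"{src_ip}: unparsed datagram: {exc}")
            continue
        print(f"{src_ip} sent {generated_by(ev)} event {ev['signature_id']} "
              f"'{ev['name']}' sev={ev['cef_severity']} fac={ev['facility']}")


if __name__ == "__main__":
    for sample in (SAMPLE_MANAGER, SAMPLE_AGENT):
        ev = parse_syslog_cef(sample)
        print(generated_by(ev), ev["name"], ev["ext"])
    # To use as a live receiver on the collector host (port 514 needs privileges;
    # point Deep Security at e.g. 5514 for a test): listen(port=5514)
```

Run on the collector host, `listen()` makes it obvious which forwarding path an event took: a datagram from an agent's IP carrying `Deep Security Agent` is a direct forward, while a datagram from the Manager's IP is either a system event or a relayed security event, and the product field distinguishes the two.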

Forward system events to a syslog or SIEM server

System events are events that are generated by the Deep Security Manager and displayed on the Events & Reports page. These events are not sent to the agents. You can configure the Deep Security Manager to forward these events to a syslog or SIEM server.

  1. Go to Administration > System Settings > Event Forwarding.
  2. Select Forward System Events to a remote computer (via Syslog) in the SIEM section.
  3. Specify the following information and then click Save:

    Hostname or IP address to which events should be sent
      The syslog or SIEM server, and any routers, firewalls, and security groups in between, must allow inbound UDP traffic on the configured port from the Deep Security Manager for event forwarding to work.

    UDP port to which events should be sent
      This is usually port 514. For more information, see Port numbers.

    Syslog Facility
      The type of program or process that is logging the message.

    Syslog Format
      The format of the log message. For more information on formats, see Syslog message formats.
      Basic Syslog format is not supported by the anti-malware, web reputation, integrity monitoring, and application control protection modules.

Forward security events to a syslog or SIEM server

Security events are generated by the agents for each protection module. You have two options for forwarding them: the agent can send them directly to the syslog or SIEM server in real time, or the Deep Security Manager can relay them after collecting them from the agents on heartbeats. Both options are configured per protection module on the Settings > SIEM tab of a policy or computer.

The best practice is to use a high-level parent policy to propagate configuration settings throughout your environment, but as with other settings in Deep Security you can override event forwarding settings for specific policies or computers. To override the inherited settings on a computer, open the computer, go to Settings, and click the SIEM tab. To make that computer ignore the inherited settings, select Forward Events To and enter the details of a different syslog or SIEM server, or select Do Not Forward Events to stop forwarding from that computer altogether. Follow the same procedure to override the settings on a policy.

Forward security events directly in real time from agent computers to a syslog or SIEM server

  1. Go to Policies.
  2. Double-click the policy you want to use for computers to forward events directly to a syslog server.
  3. Go to Settings > SIEM and select Forward Events To > Direct Forward for each applicable protection module.
  4. Specify the following information that is required for forwarding events directly from the agent computers and then click Save:
    Hostname or IP address to which events should be sent
      The syslog or SIEM server, and any routers, firewalls, and security groups in between, must allow inbound UDP traffic on the configured port from the IP addresses of your agents for event forwarding to work.
      This can be an internal SIEM if your computers are able to route messages there.

    UDP port to which events should be sent
      This is usually port 514. For more information, see Port numbers.

    Syslog Facility
      The type of program or process that is logging the message.

    Syslog Format
      The format of the log message. For more information on formats, see Syslog message formats.
      The LEEF format is only supported for messages sent from the Deep Security Manager, so it is not available for direct forwarding from agents.
      Basic Syslog format is not supported by the anti-malware, web reputation, integrity monitoring, and application control protection modules.

Forward security events from the agent computers via the Deep Security Manager

  1. Go to Policies.
  2. Double-click the policy you want to use for computers to forward security events via the Deep Security Manager.
  3. Go to Settings > SIEM and select Forward Events To > Relay via the Manager for each applicable protection module.
  4. Specify the following information that is required for relaying events via the Deep Security Manager and then click Save:
    Hostname or IP address to which events should be sent
      The syslog or SIEM server, and any routers, firewalls, and security groups in between, must allow inbound UDP traffic on the configured port from the Deep Security Manager for event forwarding to work.

    UDP port to which events should be sent
      This is usually port 514. For more information, see Port numbers.

    Syslog Facility
      The type of program or process that is logging the message.

    Syslog Format
      The format of the log message. For more information on formats, see Syslog message formats.
      The LEEF format is only supported for messages sent from the Deep Security Manager.
      Basic Syslog format is not supported by the anti-malware, web reputation, integrity monitoring, and application control protection modules.

    The Deep Security Manager collects the security events from the agents at each heartbeat and then sends them to the syslog or SIEM server configured under Administration > System Settings > Event Forwarding. Relayed events therefore arrive in batches, delayed by up to the heartbeat interval, rather than in real time as with direct forwarding.
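All three procedures above depend on the same thing outside Deep Security: the collector must accept UDP on the configured port from the right sources (the Manager for system and relayed events, each agent for direct forwarding). The script below is an added example, not part of the page or of the product, for checking that path before relying on it: it encodes the Syslog Facility setting the way the wire does (PRI = facility * 8 + severity), builds a CEF-framed probe datagram, and sends it over UDP exactly as the Manager or an agent would. The probe's vendor/product values (`Example`/`SyslogProbe`), the function names and the hostnames are assumptions; `loopback_selftest()` is the offline version, and the same `send_probe()` pointed at the collector from the Manager or agent host, with a listener or packet capture on the collector side, exercises the real firewall and security-group rules.

```python
import socket
import time

# Facility and severity codes from RFC 5424, section 6.2.1. The PRI value that
# opens every syslog message is facility * 8 + severity; the "Syslog Facility"
# setting picks the facility, and collectors commonly route or filter on it.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{n}": 16 + n for n in range(8)},
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def pri(facility: str, severity: str) -> int:
    """PRI for a facility/severity pair; local0/info gives 134."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_probe(facility: str, severity: str, hostname: str, note: str,
                now=None) -> bytes:
    """One RFC 3164 style datagram with a CEF body, framed like a forwarded event.
    The vendor/product values are hypothetical probe markers, not Deep Security's,
    so the probe is easy to tell apart from real events in the collector."""
    t = now or time.localtime()
    # RFC 3164 timestamp: "Mmm dd HH:MM:SS" with a space-padded day of month.
    ts = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    body = f"CEF:0|Example|SyslogProbe|1.0|0|Forwarding path check|1|msg={note}"
    return f"<{pri(facility, severity)}>{ts} {hostname} {body}".encode()


def send_probe(host: str, port: int, datagram: bytes) -> None:
    """Send the probe over UDP as the Manager or an agent would send an event.
    UDP gives no acknowledgement, so the absence of an error here proves
    nothing; the check is whether the datagram shows up at the collector."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))


def loopback_selftest(timeout: float = 2.0) -> bool:
    """Bind an ephemeral UDP port on loopback, send a probe to it and confirm it
    arrives unchanged. This validates the tooling offline; run send_probe()
    against the real collector from the sending host to test the actual path."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(timeout)
        port = rx.getsockname()[1]
        probe = build_probe("local0", "info", "probe-host", "loopback self-test")
        send_probe("127.0.0.1", port, probe)
        try:
            data, _ = rx.recvfrom(65535)
        except socket.timeout:
            return False
        return data == probe


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:      # usage: probe.py <collector-host-or-ip> <udp-port>
        send_probe(sys.argv[1], int(sys.argv[2]),
                   build_probe("local0", "info", socket.gethostname(), "path check"))
        print("probe sent; look for 'Forwarding path check' on the collector")
    else:
        print("loopback self-test:", "ok" if loopback_selftest() else "FAILED")
```

Run it once from the Manager host and once from an agent host that will forward directly; a probe that arrives from the Manager but not from the agent points at the agent-to-collector rules (the second table above), not at Deep Security itself.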