Forward Deep Security events to an external syslog or SIEM server

If you want to publish events to Amazon SNS, see Access events with Amazon SNS.

Deep Security records two types of events:

  • System events: Administrative or system-related events such as an administrator logging in or agent software being upgraded. These events are generated by the Deep Security Manager.
  • Security events: Recorded when a protection module rule or condition is triggered. These events are generated by the Deep Security Agent.

You can configure Deep Security to forward both types of events to an external syslog or Security Information and Event Management (SIEM) server. The content and format of the log messages differs slightly depending on whether they are sent by the Deep Security Manager or from an agent computer. For more information on the format, see Syslog message formats

The two different types of events that can be forwarded have to be configured separately:

Deep Security still records all system and security events and display them in reports and graphs in the Deep Security Manager even if you enable event forwarding to a syslog or SIEM server.
If you are using Splunk as your syslog or SIEM server, consider using the Deep Security app for Splunk, which provides dashboards and saved searches.

Forward system events to a syslog or SIEM server

  1. Go to Administration > System Settings > Event Forwarding.
  2. In the Forward System Events to a remote computer (via Syslog) using configuration list, select an existing syslog configuration or select New and define a new configuration (for details, see Define a syslog configuration.)
  3. Click Save.

Forward security events to a syslog or SIEM server

Security events are generated by the agents for each protection module. You have two options for forwarding these types of events:

If you want to use TLS to send secure syslog messages, they must be sent via the Deep Security Manager. Syslog messages sent directly from the agent use UDP and are sent as clear text.

The best practice is to use a high-level parent policy to propagate configuration settings throughout your environment. Like with other settings in Deep Security, you can override event forwarding settings for specific policies or computers (see Policies, inheritance, and overrides.)

Forward security events directly from agent computers to a syslog or SIEM server

  1. Go to Policies.
  2. Double-click the policy you want to use for computers to forward events directly to a syslog server.
  3. Go to Settings > Event Forwarding.
  4. Under Event Forwarding Frequency (from the Agent/Appliance), specify how often events are sent from the agent or appliance to the syslog or SIEM server.
  5. Under Event Forwarding Configuration (from the Agent/Appliance), specify the syslog configuration to use for each protection module. The options are:
    • Inherited (configuration name): The behavior is being inherited from a parent policy or computer
    • None: Events are not forwarded
    • Syslog configuration name: Events are forwarded to the specified syslog configuration. To see details about the configuration or edit it, click Edit. The configuration must have Transport set to "UDP" and Agents should forward logs set to "Directly to the Syslog server".
    • New: Enables you to define a new configuration (for details, see Define a syslog configuration.) The configuration must have Transport set to "UDP" and Agents should forward logs set to "Directly to the Syslog server".
  6. Click Save.

Forward security events from the agent computers via the Deep Security Manager

When you choose to forward events via the Deep Security Manager, the manager collects the events at every heartbeat (Settings > General > Heartbeat Interval.)

  1. Go to Policies.
  2. Double-click the policy you want to use for computers to forward security events via the Deep Security Manager.
  3. Go to Settings > Event Forwarding.
  4. Under Event Forwarding Configuration (from the Agent/Appliance), specify the syslog configuration to use for each protection module. The options are:
    • Inherited (configuration name): The behavior is being inherited from a parent policy or computer
    • None: Events are not forwarded
    • Syslog configuration name: Events are forwarded to the specified syslog configuration. To see details about the configuration or edit it, click Edit. The configuration must have Agents should forward logs set to "Via the Deep Security Manager".
    • New: Enables you to define a new configuration (for details, see Define a syslog configuration.) The configuration must have Agents should forward logs set to "Via the Deep Security Manager".
  5. Click Save.

Define a syslog configuration

You can define a syslog configuration and assign it to system events, security events, or both. You can define as many syslog configurations as you need.

To see any existing syslog configurations, go to Policies > Common Objects > Other > Syslog Configurations. From that page, you can add or edit configurations. You can also import and export configurations.

If you configured syslog or SIEM server settings prior to January 26th, 2017, they have been converted to syslog configurations and appear on the Syslog Configurations page. Any identical configurations are merged together.

To add a new configuration:

  1. Click New > New Configuration.
  2. On the General tab:
    • Name: Meaningful name that identifies the configuration. The name must be unique.
    • Description: Optional description of the configuration.
    • Log Source Identifier: When syslog messages are sent to a syslog or SIEM server, they include a reported hostname that identifies the source of the messages. If you leave the Log Source Identifier setting empty and you are running a multi-node Deep Security Manager, each node sends a different hostname as the identifier. If you want to use the same identifier for each manager node (to treat the syslog messages as if they all come from the same source), you can specify a common Log Source Identifier. Note that syslog messages sent directly from the Deep Security Agent to a syslog or SIEM server use the reported computer hostname and cannot use the Log Source Identifier instead.
    • Server Name: Hostname or IP address to which events should be sent. The syslog or SIEM server and any routers, firewalls, and security groups must allow inbound traffic from the Deep Security Manager for event forwarding to work.
      If you are going to forward events directly from the Deep Security Agent, traffic from the agent must also be allowed.
    • Server Port: UDP or TLS port to which events should be sent. For UDP, this is usually port 514. For TLS, it's usually port 6514. For more information, see Port numbers, URLs, and IP addresses.
    • Event Format: The format of the log message. For more information on formats, see Syslog message formats
      The LEEF format is only supported for messages sent from the Deep Security Manager. Basic Syslog format is not supported by the anti-malware, web reputation, integrity monitoring, and application control protection modules.
    • Transport: UDP or TLS. Security events sent directly from the agent must be sent with UDP. System events and security events sent via the manager can be sent via UDP or TLS (which is the newer version of SSL). If you select UDP, the events are sent in clear text. If you select TLS, the events are sent encrypted over TLS 1.2, 1.1, or 1.0. (TLS is not supported as a transport mode when operating in FIPS mode. See FIPS 140-2 support.) Syslog messages are limited to 64 KB if they are transferred over UDP. If the message is longer, data may be truncated.
    • Include time zone in events: This option is available when agents forward logs via the Deep Security Manager. It is not available when agents forward events directly to a syslog server. When this option is selected, full date and time zone information is added to the event. Example: 2018-09-14T01:02:17.123+04:00. When it's not selected, only the month, day, and time are added (no time zone or year). Example: Sep 14 01:02:17.
    • Facility: The type of program or process that is logging the message.
    • Agents should forward logs: This setting applies when forwarding security events. You can choose to send the syslog messages Directly to the Syslog server or Via the Deep Security Manager.
    When either LEEF or TLS is selected, this option is hard-coded to Via the Deep Security Manager.
  3. If you selected TLS as the transport mechanism, perform these additional steps:

    • If your syslog or SIEM server is configured to require TLS client authentication, you'll need to provide a TLS certificate for the secure syslog configuration. This certificate will be used for all connections between a Deep Security Manager and the SIEM or syslog server. To provide the certificate, click the Credentials tab and supply the Deep Security Manager certificate's Private Key, Certificate, and Certificate Chain (if required) in PEM format (also known as base64 encoded format). The syslog or SIEM server may or may not accept a self-signed certificate. Consult its documentation for details.

    • Click Test Connection.

    • An Accept Server Certificate? message appears if the syslog or SIEM server certificate is not yet known to Deep Security Manager. The message shows the contents of the certificate. Review it and click OK. The certificate is added to the manager's Deep Security list, under Administration > System Settings > Security. Deep Security Manager accepts self-signed certificates as long as they pass standard validation such as expiry checks.

    • Click Test Connection again to establish a TLS connection using the certificate you just accepted. (See this article on the TLS handshake for details on how the TLS session is established.) You see a pass or fail message at the top of the manager.

Troubleshooting

"Failed to Send Syslog Message" alert

If there is a problem with your syslog configuration, you might see this alert:

Failed to Send Syslog Message
The Deep Security Manager was unable to forward messages to a Syslog Server.
Unable to forward messages to a Syslog Server

The alert also contains a link to the affected syslog configuration. Click the link to open the configuration and then click the Test Connection button to get more troubleshooting information. An indication that the connection was successful or an error message that provides more detailed information on what's causing the problem is displayed.

Can't edit syslog configurations

If you can see the syslog configurations but can't edit them, the role associated with your account might not have the appropriate rights. An administrator who is able to configure roles can check your rights by going to Administration > User Management. Then select your name and click Properties. On the Other Rights tab, the Syslog Configurations setting controls your ability to edit syslog configurations. For more information on users and roles, see Create and manage users.

Can't see the syslog configuration sections of Deep Security Manager

If you can't see the syslog configurations UI in Deep Security Manager, you may be a tenant in a multi-tenant environment where the primary tenant has disabled this feature or configured it for you.

Syslog not transferred due to an expired certificate

If you set up TLS client authentication and the certificate expires, syslog messages are not sent to the syslog server. To fix this problem, obtain a new certificate, update the syslog configuration with the new certificate values, test the connection, and then save the configuration.

Syslog not delivered due to an expired or changed server certificate

If the syslog server's certificate has expired or changed, open the syslog configuration and click the Test Connection button. You are prompted to accept the new certificate.

Syslog or SIEM servers used for testing

Deep Security has been tested with the Enterprise version of these products:

  • Splunk 6.5.1
  • IBM QRadar 7.2.8 Patch 3 (with the TLS protocol patch, PROTOCOL-TLSSyslog-7.2-20170104125004.noarch)
  • HP ArcSight 7.2.2 (with a TLS Syslog-NG connector created using the ArcSight-7.2.2.7742.0-Connector tool)