Log Inspection settings

The Log Inspection module identifies security events contained in a computer's log files. Suspicious events can be forwarded to a SIEM system or centralized logging server for eventual correlation, reporting and archiving. It functions by implementing the open-source software available at OSSEC.net.

The Log Inspection section of the Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). has the following tabbed sections:

General

Log Inspection

You can configure this Policy or Computer to inherit its Log Inspection On/Off state from its parent Policy or you can lock the setting locally.

Assigned Log Inspection Rules

Displays the Log Inspection Rules that are in effect for this Policy or computer. To add or remove Log Inspection Rules, click Assign/Unassign. This will display a window showing all available Log Inspection Rules from which you can select or deselect Rules.

From a Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). window, you can edit a Log Inspection Rule so that your changes apply only locally in the context of your editor, or you can edit the Rule so that the changes apply globally to all other Policies and Computers that are using the Rule.

To edit the Rule locally, select the Rule and click Properties () or right-click the Rule and click Properties.

To edit the Rule globally, right-click the Rule and click Properties (Global).

Recommendations

Displays when the last Recommendation Scan occurred and number of recommended Log Inspection Rules.

Advanced

Severity Clipping

Send Agent/Appliance events to syslog when they equal or exceed the following severity level: Log Inspection Rules have a severity level. This setting determines which Events triggered by those rules get sent to the syslog server (if syslog is enabled.) (To enable syslog, go to Administration > System Settings > SIEM .)

Store events at the Agent/Appliance for later retrieval by DSM when they equal or exceed the following severity level: This setting determines which Log Inspection Events are kept in the database and displayed in the Log Inspection Events page.

Events

Log Inspection Events are displayed the same way as they are in the main Deep Security Manager window except that only Events relating to this Policy or specific computer are displayed.