Forward Deep Security events to an external syslog or SIEM server

This article does not apply if you are using the Deep Security Manager VM for Azure Marketplace. For that version, see Forward events to an external Syslog or SIEM server.

If you want to publish events to Amazon SNS, see Access events with Amazon SNS.

Deep Security records two types of events:

  • System events: Administrative or system-related events such as an administrator logging in or agent software being upgraded. These events are generated by the Deep Security Manager.
  • Security events: Recorded when a protection module rule or condition is triggered. These events are generated by the Deep Security Agent.

You can configure Deep Security to forward both types of events to an external syslog or Security Information and Event Management (SIEM) server. The content and format of the log messages differs slightly depending on whether they are sent by the Deep Security Manager or from an agent computer. For more information on the format, see Syslog message formats

The two different types of events that can be forwarded have to be configured separately:

Deep Security will still record all system and security events and display them in reports and graphs in the Deep Security Manager even if you enable event forwarding to a syslog or SIEM server.

If you are using Splunk as your syslog or SIEM server, consider using the Deep Security app for Splunk, which provides dashboards and saved searches.

Forward system events to a syslog or SIEM server

  1. Go to Administration > System Settings > Event Forwarding.
  2. In the Forward System Events to a remote computer (via Syslog) using configuration list, select an existing syslog configuration or select New and define a new configuration (for details, see Define a syslog configuration.)
  3. Click Save.

Forward security events to a syslog or SIEM server

Security events are generated by the agents for each protection module. You have two options for forwarding these types of events: the agent computers can forward them directly in real time or the Deep Security Manager can collect them on heartbeats and forward them. If you want to use TLS to send secure syslog messages, they must be sent via the Deep Security Manager. Syslog messages sent directly from the agent will use UDP and be sent as clear text.

The best practice is to use a high-level parent policy to propagate configuration settings throughout your environment. Like with other settings in Deep Security, you can override event forwarding settings for specific policies or computers (see Policies, inheritance, and overrides.)

Forward security events directly from agent computers to a syslog or SIEM server

  1. Go to Policies.
  2. Double-click the policy you want to use for computers to forward events directly to a syslog server.
  3. Go to Settings > SIEM.
  4. Under Event Forwarding Frequency (from the Agent/Appliance), specify how often events are sent from the agent or appliance to the syslog or SIEM server.
  5. Under Event Forwarding Configuration (from the Agent/Appliance), specify the syslog configuration to use for each protection module. The options are:
    • Inherited (configuration name): The behavior is being inherited from a parent policy or computer
    • None: Events are not forwarded
    • Syslog configuration name: Events will be forwarded to the specified syslog configuration. To see details about the configuration or edit it, click Edit. The configuration must have Transport set to "UDP" and Agents should forward logs set to "Directly to the Syslog server".
    • New: Enables you to define a new configuration (for details, see Define a syslog configuration.) The configuration must have Transport set to "UDP" and Agents should forward logs set to "Directly to the Syslog server".
  6. Click Save.

Forward security events from the agent computers via the Deep Security Manager

When you choose to forward events via the Deep Security Manager, the manager collects the events at every heartbeat (Settings > General > Heartbeat Interval (in minutes).)

  1. Go to Policies.
  2. Double-click the policy you want to use for computers to forward security events via the Deep Security Manager.
  3. Go to Settings > SIEM.
  4. Under Event Forwarding Configuration (from the Agent/Appliance), specify the syslog configuration to use for each protection module. The options are:
    • Inherited (configuration name): The behavior is being inherited from a parent policy or computer
    • None: Events are not forwarded
    • Syslog configuration name: Events will be forwarded to the specified syslog configuration. To see details about the configuration or edit it, click Edit. The configuration must have Agents should forward logs set to "Via the Deep Security Manager".
    • New: Enables you to define a new configuration (for details, see Define a syslog configuration.) The configuration must have Agents should forward logs set to "Via the Deep Security Manager".
  5. Click Save.

Define a syslog configuration

You can define a syslog configuration and assign it to system events, security events, or both. You can define as many syslog configurations as you need.

To see any existing syslog configurations, go to Policies > Common Objects > Other > Syslog Configurations. From that page, you can add or edit configurations. You can also import and export configurations.

If you configured syslog or SIEM server settings prior to January 26th, 2017, they have been converted to syslog configurations and appear on the Syslog Configurations page. Any identical configurations will be merged together.

To add a new configuration:

  1. Click New > New Configuration.
  2. On the General tab:
    • Name: Meaningful name that identifies the configuration. The name must be unique.
    • Description: Optional description of the configuration
    • Log Source Identifier: When syslog messages are sent to a syslog or SIEM server, they include a reported hostname that identifies the source of the messages. If you leave the Log Source Identifier setting empty and you are running a multi-node Deep Security Manager, each node will send a different hostname as the identifier. If you want to use the same identifier for each manager node (to treat the syslog messages as if they all come from the same source), you can specify a common Log Source Identifier. Note that syslog messages sent directly from the Deep Security Agent to a syslog or SIEM server will use the reported computer hostname and cannot use the Log Source Identifier instead.
    • Server Name: Hostname or IP address to which events should be sent. The syslog or SIEM server and any routers, firewalls, and security groups must allow inbound traffic from the Deep Security Manager for event forwarding to work.

      If you are using Deep Security as a Service, make sure that your syslog or SIEM server is accessible via the internet and that the DNS hostname is resolvable. For more information on which addresses will try to reach your syslog server or SIEM, see Deep Security as a Service IP addresses.

      If you are going to forward events directly from the Deep Security Agent, traffic from the agent must also be allowed.

    • Server Port: UDP or TLS port to which events should be sent. For UDP, this is usually port 514. For TLS, it's usually port 6514. For more information, see Port numbers.
    • Event Format: The format of the log message. For more information on formats, see Syslog message formats

      The LEEF format is only supported for messages sent from the Deep Security Manager.

    • Transport: UDP or TLS. Security events sent directly from the agent must be sent with UDP. System events and security events sent via the manager can be sent via UDP or TLS. If you select UDP, the events will be sent in clear text. If you select TLS, the events are sent securely.
    • Facility: The type of program or process that is logging the message.
    • Agents should forward logs: This setting applies when forwarding security events. You can choose to sent the syslog messages Directly to the Syslog server or Via the Deep Security Manager.
    • When either LEEF or TLS is selected, this option is hard-coded to Via the Deep Security Manager.

  3. If you are using TLS as the transport mechanism, you may need to set up TLS client authentication.Go to the Credentials tab and enter the Private Key, Certificate, and the Certificate Chain (if required) in PEM format. The click Test Connection. The Deep Security Manager will attempt to send three test messages to the syslog or SIEM server.

Troubleshooting

"Failed to Send Syslog Message" alert

If there is a problem with your syslog configuration, you may see this alert:

Failed to Send Syslog Message
The Deep Security Manager was unable to forward messages to a Syslog Server.
Unable to forward messages to a Syslog Server

The alert will also contain a link to the affected syslog configuration. Click the link to open the configuration and then click the Test Connection button to get more troubleshooting information. You will see either an indication that the connection was successful or an error message that provides more detailed information on what's causing the problem.

Can't edit syslog configurations

If you can see the syslog configurations but can't edit them, the role associated with your account might not have the appropriate rights. An administrator who is able to configure roles can check your rights by going to Administration > User Management. Then select your name and click Properties. On the Other Rights tab, the Syslog Configurations setting controls your ability to edit syslog configurations. For more information on users and roles, see Create and manage users.

Syslog not transferred due to an expired certificate

If you set up TLS client authentication and the certificate expires, syslog messages will not be sent to the syslog server. To fix this problem, obtain a new certificate, update the syslog configuration with the new certificate values, test the connection, and then save the configuration.

Syslog not delivered due to an expired or changed server certificate

If the syslog server's certificate has expired or changed, open the syslog configuration and click the Test Connection button. You will be prompted to accept the new certificate.

syslog or SIEM servers used for testing

Deep Security has been tested with the Enterprise version of these products:

  • Splunk 6.5.1
  • IBM QRadar 7.2.8 Patch 3 (with the TLS protocol patch, PROTOCOL-TLSSyslog-7.2-20170104125004.noarch)
  • HP ArcSight 7.2.2 (with a TLS Syslog-NG connector created using the ArcSight-7.2.2.7742.0-Connector tool)