Forward events to an external Syslog or SIEM server

Does not apply to Deep Security as a Service

If you are using Deep Security as a Service, see Forward Deep Security as a Service events to an external syslog or SIEM server.

Deep Security records two types of events:

  • System events: Administrative or system-related events such as an administrator logging in or agent software being upgraded. These events are generated by the Deep Security Manager.
  • Security events: Recorded when a protection module rule or condition is triggered. These events are generated by the Deep Security Agent.

You can configure Deep Security to forward both types of events to an external syslog or Security Information and Event Management (SIEM) server. All events are forwarded in cleartext, and the content and format of the log messages differ slightly depending on whether they are sent by the Deep Security Manager or by an agent computer. For more information on the format, see What's in a syslog message?

The two types of events are configured separately; each has its own procedure below.

Enabling event forwarding to a syslog/SIEM server does not stop Deep Security from recording all system and security events and displaying them in reports and graphs in the Deep Security Manager.

If you are using Splunk as your syslog/SIEM server, consider using the Deep Security app for Splunk, which provides dashboards and saved searches.

Forward system events to a syslog/SIEM server

System events are events that are generated by the Deep Security Manager and displayed on the Events & Reports page. These events are not sent to the agents. You can configure the Deep Security Manager to forward these events to a syslog/SIEM server.

  1. Go to Administration > System Settings > Event Forwarding.
  2. Select Forward System Events to a remote computer (via Syslog) in the SIEM section.
  3. Specify the following information and then click Save:

    Hostname or IP address to which events should be sent
      The syslog/SIEM server and any routers, firewalls, and security groups must allow inbound connections from the Deep Security Manager for event forwarding to work.

      Note: If you are using Deep Security as a Service, make sure that your syslog/SIEM server is accessible via the internet and that the DNS hostname is resolvable. For more information, see Deep Security Agent ports (with Deep Security as a Service).

    UDP port to which events should be sent
      This is usually port 514. For more information, see Port numbers.

    Syslog Facility
      The type of program or process that is logging the message.

    Syslog Format
      The format of the log message. For more information on formats, see What's in a syslog message?

If you are using Deep Security AMI from AWS Marketplace, you also have to add the IP address of the Deep Security Manager to the /etc/hosts file to ensure that events will be forwarded correctly to the syslog/SIEM server. For example, if the IP address of the Deep Security Manager is 10.100.20.150, you have to add the following entry to the /etc/hosts file:
10.100.20.150 ip-10-100-20-150

Forward security events to a syslog/SIEM server

Security events are generated by the agents for each protection module. You have two options for forwarding them: the agent computers can forward them directly in real time, or the Deep Security Manager can forward them after collecting them from the agents on heartbeats. Both procedures are described below.

The best practice is to use a high-level parent policy to propagate configuration settings throughout your environment. As with other settings in Deep Security, however, you can override event forwarding settings for specific policies or computers. To override these inherited settings on a computer, find the computer you want to configure, open it, go to Settings, and click the SIEM tab. To instruct this computer to ignore any inherited settings, select Forward Events To and enter the details for a different syslog/SIEM server, or select Do Not Forward Events to stop forwarding logs altogether. Follow the same procedure to override these settings on a policy.

Forward security events directly in real time from agent computers to a syslog/SIEM server

  1. Go to Policies.
  2. Double-click the policy you want to use for computers to forward events directly to a syslog server.
  3. Go to Settings > SIEM and select Forward Events To > Direct Forward for each applicable protection module.
  4. Specify the following information that is required for forwarding events directly from the agent computers and then click Save:
    Hostname or IP address to which events should be sent
      The syslog/SIEM server and any routers, firewalls, and security groups must allow inbound connections from the IP addresses of your agents for event forwarding to work.

      This can be an internal SIEM if your computers are able to route messages there.

    UDP port to which events should be sent
      This is usually port 514. For more information, see Port numbers.

    Syslog Facility
      The type of program or process that is logging the message.

    Syslog Format
      The format of the log message. For more information on formats, see What's in a syslog message?

      The LEEF format is only supported for messages sent from the Deep Security Manager.

Forward security events from the agent computers via the Deep Security Manager

  1. Go to Policies.
  2. Double-click the policy you want to use for computers to forward security events via the Deep Security Manager.
  3. Go to Settings > SIEM and select Forward Events To > Relay via the Manager for each applicable protection module.
  4. Specify the following information that is required for relaying events via the Deep Security Manager and then click Save:
    Hostname or IP address to which events should be sent
      The syslog/SIEM server and any routers, firewalls, and security groups must allow inbound connections from the Deep Security Manager for event forwarding to work.

      Note: If you are using Deep Security as a Service, make sure that your syslog/SIEM server is accessible via the internet and that the DNS hostname is resolvable. For more information, see Deep Security Agent ports (with Deep Security as a Service).

    UDP port to which events should be sent
      This is usually port 514. For more information, see Port numbers.

    Syslog Facility
      The type of program or process that is logging the message.

    Syslog Format
      The format of the log message. For more information on formats, see What's in a syslog message?

      The LEEF format is only supported for messages sent from the Deep Security Manager.

      The Deep Security Manager collects the security events from the agents on heartbeats and then sends them to the syslog/SIEM server configured under Administration > System Settings > Event Forwarding.
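All three procedures above (system events from the Manager, security events sent directly by agents, and security events relayed via the Manager) depend on the same thing: a UDP syslog datagram leaving the sending host and arriving at the configured hostname and port through any routers, firewalls and security groups in between. The following script is an added example, not Trend Micro or Deep Security code. It builds a test datagram with a chosen Syslog Facility, encodes the facility and severity into the syslog PRI prefix the way a syslog receiver expects, sends it over UDP, and decodes what a receiver gets back. Run it on the Deep Security Manager host or an agent host with the real server address and port to confirm the path is open before relying on forwarding; with no arguments it performs a loopback self-test. The hostname, tag and message text are constructed values; like the forwarded events the page describes, the test datagram travels in cleartext.

```python
"""Reachability and PRI check for UDP syslog forwarding (added example)."""
import socket
import sys
from datetime import datetime

# Standard syslog facility and severity codes (RFC 3164 / RFC 5424 numbering).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAME = {code: name for name, code in FACILITIES.items()}
SEVERITY_NAME = {code: name for name, code in SEVERITIES.items()}


def priority(facility: str, severity: str) -> int:
    """PRI value carried in the <...> prefix: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility: str, severity: str, hostname: str, tag: str,
                  text: str, when: datetime = None) -> bytes:
    """Return an RFC 3164-style datagram: <PRI>TIMESTAMP HOSTNAME TAG: text.

    The RFC 3164 timestamp pads a single-digit day with a space, not a zero.
    """
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    line = f"<{priority(facility, severity)}>{stamp} {hostname} {tag}: {text}"
    return line.encode("utf-8")


def parse_priority(datagram: bytes):
    """Decode a received datagram into (facility name, severity name, body).

    Use this on the receiving side to confirm the facility the SIEM sees
    matches the Syslog Facility configured in Deep Security.
    """
    text = datagram.decode("utf-8", errors="replace")
    end = text.find(">")
    if not text.startswith("<") or end < 2:
        raise ValueError("datagram has no <PRI> prefix")
    facility_code, severity_code = divmod(int(text[1:end]), 8)
    facility = FACILITY_NAME.get(facility_code, f"facility{facility_code}")
    return facility, SEVERITY_NAME[severity_code], text[end + 1:]


def send_datagram(host: str, port: int, datagram: bytes) -> int:
    """Send one UDP datagram; returns the number of bytes handed to the socket.

    UDP gives no delivery confirmation: a successful send only proves the
    local side worked, so check the SIEM for the message as well.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (host, port))


def loopback_check(facility: str = "local0", timeout: float = 2.0):
    """Send a test event to a throw-away listener on 127.0.0.1 and parse it.

    An ephemeral port stands in for 514 so the check needs no privileges.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as receiver:
        receiver.bind(("127.0.0.1", 0))
        receiver.settimeout(timeout)
        port = receiver.getsockname()[1]
        # Constructed hostname, tag and text; any values work for the check.
        msg = build_message(facility, "info", "dsm-test", "dsm-syslog-check",
                            "test event from forwarding check")
        send_datagram("127.0.0.1", port, msg)
        data, _ = receiver.recvfrom(65535)
    return parse_priority(data)


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # python syslog_check.py <syslog/SIEM host> <udp port> [facility]
        target, udp_port = sys.argv[1], int(sys.argv[2])
        fac = sys.argv[3] if len(sys.argv) > 3 else "local0"
        test = build_message(fac, "info", socket.gethostname(),
                             "dsm-syslog-check", "test event from forwarding check")
        sent = send_datagram(target, udp_port, test)
        print(f"sent {sent} bytes to {target}:{udp_port}; now look for the "
              f"message on the syslog/SIEM server")
    else:
        print("loopback:", loopback_check())
```

The send-only mode proves nothing about arrival, so pair it with a search on the SIEM (or a packet capture on the server) for the tag `dsm-syslog-check`; if the loopback test passes but nothing reaches the server, the problem is in the network path rather than on the sending host.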