Imperva Cyber Community

Expand all | Collapse all

What to set as log forwarding or backup in DAM

  • 1.  What to set as log forwarding or backup in DAM

    Posted 24 days ago
    Hi All,

    I have a query around configuring archive/backup in DAM. In my understanding we just need to backup alerts, warning in DAM and I am configuring log forwarding to capture these alerts warning in our SIEM where this data will be available for 6 months or more. wanted to understand if my approach is correct or do we need to have separate archiving method dedicated for DAM? 

    Thanks in advance!
    #DatabaseActivityMonitoring

    ------------------------------
    [Karl] [barg]
    ------------------------------


  • 2.  RE: What to set as log forwarding or backup in DAM

    Posted 24 days ago
    Hi,

    The best practice is to send all necessary security logs to SIEM. Still, all audit logs from the audit policies should be archiving every day by the native IMPERVA backup mechanism.
    It is the best way because you do not lose your SIEM license for audit logs.

    Have you thought about changing the license to a subscription model? There is JSonar - I think the best DAM tool on the market.
    JSonar is implemented with KIBANA and MongoDB. It is more modern and faster than Imperva DAM. It is possible to send all DB Audit logs from MX to Jsonar as a syslog log.

    ------------------------------
    Karol Gruszczynski
    IT SECURITY EXPERT
    Warsaw
    ------------------------------



  • 3.  RE: What to set as log forwarding or backup in DAM

    Posted 22 days ago
    Thanks Karol,

    May i ask, if these audit logs are specific to Imperva mgmt and gateways or it includes logs for the audit policies configured for database servers?

    Regards

    ------------------------------
    [Karl] [barg]
    ------------------------------



  • 4.  RE: What to set as log forwarding or backup in DAM

    Posted 22 days ago
    Every audit policy that was configured for the database server is archiving separately to file.
    You can copy the backup file via scp/cifs/nfs/ftp manually or automatically after backup is done.
    So, when you create a new audit policy (menu Policies -> Audit) on ARCHIVING tab, you can attach archiving action set.

    System logs from IMPERVA mgmt and gtws you can archive too, but it is another way.

    ------------------------------
    Karol Gruszczynski
    IT SECURITY EXPERT
    Warsaw
    ------------------------------