Imperva Cyber Community

Expand all | Collapse all

How to forward Securesphere security audit logs to syslog?

  • 1.  How to forward Securesphere security audit logs to syslog?

    Posted 02-23-2020 03:18
    How to forward Imperva Securesphere security audit logs to syslog and what are its implications? I'm currently running on v11.5.
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Pratik Wagle
    ------------------------------


  • 2.  RE: How to forward Securesphere security audit logs to syslog?

    Impervian
    Posted 02-24-2020 03:51
    Hello,

    I am not familiar with version 11.5, but I believe is the same procedure as higher versions. You should create an Action Set and enable it as followed action to the audit policy needed. Below are explained Action Sets and Followed Actions. https://docs.imperva.com/bundle/v13.5-web-application-firewall-user-guide/page/2399.htm
    When you create the Action Set make sure to select the "Audit" event type.
    As for implications, try to enable it in light audit policies because too many events can overwhelm your syslog server.


    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------



  • 3.  RE: How to forward Securesphere security audit logs to syslog?

    Posted 02-26-2020 05:00
      |   view attached
    Hello,

    Thanks for your insights on the matter. When I create a new Action Set though, I can't see the "Audit" option.

    Action_Set


    ------------------------------
    Pratik Wagle
    NTT Netmagic
    ------------------------------



  • 4.  RE: How to forward Securesphere security audit logs to syslog?

    Imperva Employee
    Posted 30 days ago
    Hi Pratik,

    Enter a name for the action set, such as "To SIEM".

    For Apply to event type, select Security Violations - All.

    From the list of Available Action Interfaces, look for Server System Log > Log security event to System Log (syslog) using the CEF standard and click the blue arrow to move the entry up into the Selected Actions field.

    Pay close attention to the wording as there are several entries that look similar.
    SecureSphere - Action Interfaces
                                                                                   Figure 1

    In Figure 2 below, enter a name in the Name field. (such as To SIEM)

    Enter the syslog host in the Syslog Host field.

    Place a check in the box for Run on Every Event and click Save at the top right,
    Imperva SecureSphere - Configuring an Action Set
                                                                                                                        Figure 2

    The action set is now available for use, however, the existing policies must be configured to leverage the action set.

    Access Main > Policies > Security

    You will now see 6 pages of policies by default.

    For each policy violation that you would like to be sent to the SIEM, right click that entry and select Set Followed Action.

    SecureSphere - Followed Action                               Figure 3


    Select To SIEM and click Save.

    SecureSphere - Followed Action                                            Figure 4


    ~ PRO TIP ~
    Multiple policies can be selected at once by holding down the shift key while right clicking

    This allows the followed action to be set on multiple policies at once.

    Additionally, by modifying your default profile values, all policies can be displayed on a single page instead of 6.

    Access the silhouette at the top right and click user details.

    SecureSphere - User Details            Figure 5

    Click Preferences.
    SecureSphere - User Preferences                    Figure 6

    Change the Number of Rows in Each Table Page to 300 and click Save at the top right.

    SecureSphere - Preferences                                             Figure 7



    ------------------------------
    Jaired Anderson
    Principal Consultant
    Imperva
    Tulsa OK
    ------------------------------