Imperva Cyber Community

  • 1.  How to forward Securesphere security audit logs to syslog?

    Posted 02-23-2020 03:18
    How to forward Imperva Securesphere security audit logs to syslog and what are its implications? I'm currently running on v11.5.
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Pratik Wagle
    ------------------------------


  • 2.  RE: How to forward Securesphere security audit logs to syslog?

    Posted 02-24-2020 03:51
    Hello,

    I am not familiar with version 11.5, but I believe it is the same procedure as in higher versions. You should create an Action Set and enable it as the followed action for the audit policy needed. Action Sets and Followed Actions are explained here: https://docs.imperva.com/bundle/v13.5-web-application-firewall-user-guide/page/2399.htm
    When you create the Action Set make sure to select the "Audit" event type.
    As for implications, try to enable it in light audit policies because too many events can overwhelm your syslog server.


    ------------------------------
    Sabajete Elezaj
    SNT Albania
    ------------------------------



  • 3.  RE: How to forward Securesphere security audit logs to syslog?

    Posted 02-26-2020 05:00
    Hello,

    Thanks for your insights on the matter. When I create a new Action Set though, I can't see the "Audit" option.



    ------------------------------
    Pratik Wagle
    NTT Netmagic
    ------------------------------



  • 4.  RE: How to forward Securesphere security audit logs to syslog?
    Best Answer

    Posted 02-26-2020 20:21
    Hi Pratik,

    Enter a name for the action set, such as "To SIEM".

    For Apply to event type, select Security Violations - All.

    From the list of Available Action Interfaces, look for Server System Log > Log security event to System Log (syslog) using the CEF standard and click the blue arrow to move the entry up into the Selected Actions field.

    Pay close attention to the wording as there are several entries that look similar.
    [Figure 1]

    In Figure 2 below, enter a name in the Name field (such as To SIEM).

    Enter the syslog host in the Syslog Host field.

    Place a check in the box for Run on Every Event and click Save at the top right.
    [Figure 2]

    The action set is now available for use; however, the existing policies must be configured to leverage the action set.

    Access Main > Policies > Security

    You will now see 6 pages of policies by default.

    For each policy violation that you would like to be sent to the SIEM, right click that entry and select Set Followed Action.

    [Figure 3]


    Select To SIEM and click Save.

    [Figure 4]


    ~ PRO TIP ~
    Multiple policies can be selected at once by holding down the shift key while right clicking.

    This allows the followed action to be set on multiple policies at once.

    Additionally, by modifying your default profile values, all policies can be displayed on a single page instead of 6.

    Access the silhouette at the top right and click user details.

    [Figure 5]

    Click Preferences.
    [Figure 6]

    Change the Number of Rows in Each Table Page to 300 and click Save at the top right.

    [Figure 7]



    ------------------------------
    Jaired Anderson
    Principal Consultant
    Imperva
    Tulsa OK
    ------------------------------
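The action set described in the accepted answer emits security events to the syslog host in the CEF standard, so the receiving side needs to parse them correctly. The following Python script is an added example, not code from this thread or from Imperva: it splits CEF-over-syslog lines into their header and extension fields (honouring the `\|` and `\=` escapes the CEF format uses), flags high-severity events, and measures the worst one-second burst, which is the number to compare against the syslog receiver's ingest capacity given the earlier caveat about too many events overwhelming the syslog server. The sample lines, the vendor and product names, the signature IDs and the extension keys are all constructed for the example and are not SecureSphere output.

```python
import re
from collections import Counter

# Constructed sample lines in the generic CEF-over-syslog shape
# (CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension).
# Illustrative only: vendor, product, signature ids and field names are
# assumptions for this example, not captured SecureSphere output.
SAMPLE_LINES = [
    r"<134>Feb 26 20:21:05 waf-01 CEF:0|ExampleVendor|ExampleWAF|11.5|1001|SQL Injection|8|src=10.0.0.5 dst=10.0.1.20 spt=51234 dpt=443 request=/login.php?id\=1 act=block",
    r"<134>Feb 26 20:21:05 waf-01 CEF:0|ExampleVendor|ExampleWAF|11.5|1002|Cross Site Scripting|6|src=10.0.0.7 dst=10.0.1.20 request=/search?q\=<script> act=alert msg=Pattern a\=b matched",
    r"<134>Feb 26 20:21:06 waf-01 CEF:0|ExampleVendor|ExampleWAF|11.5|1001|SQL Injection|8|src=10.0.0.5 dst=10.0.1.20 request=/login.php?id\=1 act=block",
    r"<134>Feb 26 20:21:06 waf-01 CEF:0|ExampleVendor|ExampleWAF|11.5|2001|Protocol \| Policy Violation|3|src=10.0.0.9 act=alert",
]

HEADER_KEYS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")

# Optional <PRI>, a BSD-style timestamp, the sending host, then the CEF payload.
SYSLOG_PREFIX = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?P<cef>CEF:.*)$"
)
# key=value pairs; a value runs until the next " key=" and may contain escaped characters.
EXT_PAIR = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)")


def split_header(cef):
    """Split the seven pipe-delimited header fields, honouring \\| and \\\\ escapes.
    Returns (header_fields, extension_string)."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):
            buf.append(cef[i + 1])  # escaped pipe or backslash keeps its literal value
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    return fields, cef[i:]


def unescape_ext(value):
    """Undo extension escapes: \\= \\\\ and the \\n / \\r newline escapes."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def parse_cef(cef):
    """Parse a bare CEF message into a dict of header fields plus an 'ext' dict."""
    header, ext = split_header(cef)
    event = dict(zip(HEADER_KEYS, header))
    if event["cef_version"].startswith("CEF:"):
        event["cef_version"] = event["cef_version"][4:]
    sev = event["severity"]
    event["severity"] = int(sev) if sev.isdigit() else sev  # numeric 0-10, or a named level
    event["ext"] = {k: unescape_ext(v) for k, v in EXT_PAIR.findall(ext)}
    return event


def parse_syslog_line(line):
    """Strip the syslog framing and parse the embedded CEF message."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        raise ValueError("not a CEF-over-syslog line")
    event = parse_cef(m.group("cef"))
    event["timestamp"] = m.group("ts")
    event["host"] = m.group("host")
    return event


def high_severity(events, threshold=7):
    """Events at or above the numeric severity threshold (7 = High in CEF)."""
    return [e for e in events if isinstance(e["severity"], int) and e["severity"] >= threshold]


def peak_events_per_second(events):
    """Worst one-second burst in the sample, for sizing the syslog receiver."""
    return max(Counter(e["timestamp"] for e in events).values(), default=0)


if __name__ == "__main__":
    events = [parse_syslog_line(line) for line in SAMPLE_LINES]
    for e in events:
        print(e["timestamp"], e["signature_id"], e["name"], e["severity"],
              e["ext"].get("src"), e["ext"].get("act"))
    print("high severity events:", len(high_severity(events)))
    print("peak events per second:", peak_events_per_second(events))
```

The header splitter and extension regex are kept separate because the two parts of a CEF message escape different characters: the header escapes `|` and the extension escapes `=`, so one generic unescape pass would mis-split a signature name containing an escaped pipe or a request parameter containing an escaped equals sign.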