Imperva Cyber Community

Hello,

The SecureSphere is in version 13.6 and DAM & WAF can be accessed from the same management.

I would like to archive logs of the WAF in a FTP Server. It must be used the same FTP as is the DAM. For DAM is configured and we can archive the data in the FTP.

How can I archive the logs in the FTP for the WAF? 

Kind Regards,
Olgerta

#WAF #On-PremisesWAF(formerlySecuresphere)​​
#On-PremisesWAF(formerlySecuresphere)

------------------------------
Olgerta Prendi
Cyber Security Specialist
S&T AG
Tirana
------------------------------

Hi Olgerta,

Can you please advise us of what logs you would like to archive from the WAF ?

It sounds like you just need to create an action set like this



https://docs.imperva.com/bundle/v14.4-waf-management-server-manager-user-guide/page/2399.htm

Let me know if that solves the issue for you.

Many thanks,

Philip

------------------------------
Philip Acton
------------------------------

Original Message:
Sent: 09-20-2022 09:47
From: Olgerta Prendi
Subject: Archive WAF GW logs to FTP

Hello,

The SecureSphere is in version 13.6 and DAM & WAF can be accessed from the same management.

I would like to archive logs of the WAF in a FTP Server. It must be used the same FTP as is the DAM. For DAM is configured and we can archive the data in the FTP.

How can I archive the logs in the FTP for the WAF? 

Kind Regards,
Olgerta

#WAF #On-PremisesWAF(formerlySecuresphere)​​
#On-PremisesWAF(formerlySecuresphere)

------------------------------
Olgerta Prendi
Cyber Security Specialist
S&T AG
Tirana
------------------------------

Hi Philip,

The idea is that is done this kind of configuration and the only archived data are for DAM and not for WAF.

How can I do to extract for both? 

As i mention below, for WAF we need the alerts to archive.

Kind Regards,
Olgerta

------------------------------
Olgerta Prendi
Cyber Security Specialist
S&T AG
Tirana
------------------------------

Original Message:
Sent: 09-20-2022 10:30
From: Philip Acton
Subject: Archive WAF GW logs to FTP

Hi Olgerta,

Can you please advise us of what logs you would like to archive from the WAF ?

It sounds like you just need to create an action set like this



https://docs.imperva.com/bundle/v14.4-waf-management-server-manager-user-guide/page/2399.htm

Let me know if that solves the issue for you.

Many thanks,

Philip

------------------------------
Philip Acton

Original Message:
Sent: 09-20-2022 09:47
From: Olgerta Prendi
Subject: Archive WAF GW logs to FTP

Hello,

The SecureSphere is in version 13.6 and DAM & WAF can be accessed from the same management.

I would like to archive logs of the WAF in a FTP Server. It must be used the same FTP as is the DAM. For DAM is configured and we can archive the data in the FTP.

How can I archive the logs in the FTP for the WAF? 

Kind Regards,
Olgerta

#WAF #On-PremisesWAF(formerlySecuresphere)​​
#On-PremisesWAF(formerlySecuresphere)

------------------------------
Olgerta Prendi
Cyber Security Specialist
S&T AG
Tirana
------------------------------

In DAM Security Events/Alerts are not archived, in DAM we archive Audit data.

Assuming the traditional definition of archive - meaning storing data for long term retention. This cannot be achieved on Security events (EventIDs) and as an extension Alerts (which is nothing but similar events aggregated) both WAF and DAM .

------------------------------
Sarvesh Lad
Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
------------------------------

Original Message:
Sent: 09-21-2022 04:54
From: Olgerta Prendi
Subject: Archive WAF GW logs to FTP

Hi Philip,

The idea is that is done this kind of configuration and the only archived data are for DAM and not for WAF.

How can I do to extract for both? 

As i mention below, for WAF we need the alerts to archive.

Kind Regards,
Olgerta

------------------------------
Olgerta Prendi
Cyber Security Specialist
S&T AG
Tirana

Original Message:
Sent: 09-20-2022 10:30
From: Philip Acton
Subject: Archive WAF GW logs to FTP

Hi Olgerta,

Can you please advise us of what logs you would like to archive from the WAF ?

It sounds like you just need to create an action set like this



https://docs.imperva.com/bundle/v14.4-waf-management-server-manager-user-guide/page/2399.htm

Let me know if that solves the issue for you.

Many thanks,

Philip

------------------------------
Philip Acton

Original Message:
Sent: 09-20-2022 09:47
From: Olgerta Prendi
Subject: Archive WAF GW logs to FTP

Hello,

The SecureSphere is in version 13.6 and DAM & WAF can be accessed from the same management.

I would like to archive logs of the WAF in a FTP Server. It must be used the same FTP as is the DAM. For DAM is configured and we can archive the data in the FTP.

How can I archive the logs in the FTP for the WAF? 

Kind Regards,
Olgerta

#WAF #On-PremisesWAF(formerlySecuresphere)​​
#On-PremisesWAF(formerlySecuresphere)

------------------------------
Olgerta Prendi
Cyber Security Specialist
S&T AG
Tirana
------------------------------

In addition, to be more clear it means that we would like to save the oldest alerts in the FTP. How can we proceed with this?

------------------------------
Olgerta Prendi
Cyber Security Specialist
S&T AG
Tirana
------------------------------

Original Message:
Sent: 09-20-2022 09:47
From: Olgerta Prendi
Subject: Archive WAF GW logs to FTP

Hello,

The SecureSphere is in version 13.6 and DAM & WAF can be accessed from the same management.

I would like to archive logs of the WAF in a FTP Server. It must be used the same FTP as is the DAM. For DAM is configured and we can archive the data in the FTP.

How can I archive the logs in the FTP for the WAF? 

Kind Regards,
Olgerta

#WAF #On-PremisesWAF(formerlySecuresphere)​​
#On-PremisesWAF(formerlySecuresphere)

------------------------------
Olgerta Prendi
Cyber Security Specialist
S&T AG
Tirana
------------------------------

Hi,

Only system events and reports can be archived (visible under Admin > Maintainence).

If you want to store security events/alerts for historical purpose you can you have multiple options:

1. Generate a report daily/weekly and have the report sent via FTP to your FTP server.
   1. It is likely you will loose events due to aggregation
   2. If the report size is too big you may loose some data
2. Setup a syslog server (simple rsyslog server, graylog if you want a GUI to search logs quickly etc)
   1. This wil require setting up appropriate followed actions for all your applied and enabled policies.
   2. You can do this either from MX itself or from GW itself
3. Lastly since the underlying OS is centOS you can:
   1. Setup a rsyslog config at /etc/rsyslog.d/00-custom-security_events.conf to store logs locally on the MX
   2. setup a script or a automation to send the locally stored logs to your FTP server
   3. you can go one step ahead and use the built in logrotate to compress the older logs thus saving on space and bandwidth and by storing it on a remote mounted storage solution if any present.
   4. I strongly recommend setting an alert to notify you when disk space approaches 80% usage to make sure your MX has enough free space to do other tasks.
      
      1. either a simple cronjob or any metric integration you have (influx or prometheus).

If you already have a SIEM in place I strongly recommend second option as you can do more smarts with it.

------------------------------
Sarvesh Lad
------------------------------

Original Message:
Sent: 09-20-2022 11:15
From: Olgerta Prendi
Subject: Archive WAF GW logs to FTP

In addition, to be more clear it means that we would like to save the oldest alerts in the FTP. How can we proceed with this?

------------------------------
Olgerta Prendi
Cyber Security Specialist
S&T AG
Tirana

Original Message:
Sent: 09-20-2022 09:47
From: Olgerta Prendi
Subject: Archive WAF GW logs to FTP

Hello,

The SecureSphere is in version 13.6 and DAM & WAF can be accessed from the same management.

I would like to archive logs of the WAF in a FTP Server. It must be used the same FTP as is the DAM. For DAM is configured and we can archive the data in the FTP.

How can I archive the logs in the FTP for the WAF? 

Kind Regards,
Olgerta

#WAF #On-PremisesWAF(formerlySecuresphere)​​
#On-PremisesWAF(formerlySecuresphere)

------------------------------
Olgerta Prendi
Cyber Security Specialist
S&T AG
Tirana
------------------------------