Imperva Cyber Community

  • 1.  Archive WAF GW logs to FTP

    Posted 09-20-2022 09:48
    Hello,

    SecureSphere is at version 13.6, and DAM & WAF are accessed from the same management.

    I would like to archive the WAF logs to an FTP server. It must use the same FTP server as the DAM. For DAM this is configured and we can archive the data to the FTP server.

    How can I archive the logs in the FTP for the WAF? 

    Kind Regards,
    Olgerta

    #WAF #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Olgerta Prendi
    Cyber Security Specialist
    S&T AG
    Tirana
    ------------------------------


  • 2.  RE: Archive WAF GW logs to FTP

    Posted 09-20-2022 10:35
    Edited by Sarah Lamont 09-20-2022 11:28
    Hi Olgerta,

    Can you please advise us of what logs you would like to archive from the WAF?

    It sounds like you just need to create an action set like this:



    https://docs.imperva.com/bundle/v14.4-waf-management-server-manager-user-guide/page/2399.htm

    Let me know if that solves the issue for you.

    Many thanks,

    Philip

    ------------------------------
    Philip Acton
    ------------------------------



  • 3.  RE: Archive WAF GW logs to FTP

    Posted 09-21-2022 04:54
    Hi Philip,

    This kind of configuration is already in place, and the only archived data is for DAM, not for WAF.

    What can I do to extract both?

    As I mention below, for WAF we need the alerts to be archived.

    Kind Regards,
    Olgerta

    ------------------------------
    Olgerta Prendi
    Cyber Security Specialist
    S&T AG
    Tirana
    ------------------------------



  • 4.  RE: Archive WAF GW logs to FTP

    Posted 09-21-2022 19:07
    In DAM, security events/alerts are not archived; in DAM we archive audit data.

    Assuming the traditional definition of archive, meaning storing data for long-term retention: this cannot be achieved for security events (EventIDs) and, by extension, alerts (which are nothing but similar events aggregated), for both WAF and DAM.

    ------------------------------
    Sarvesh Lad
    Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
    ------------------------------



  • 5.  RE: Archive WAF GW logs to FTP

    Posted 09-20-2022 11:15
    In addition, to be clearer: we would like to save the oldest alerts to the FTP server. How can we proceed with this?

    ------------------------------
    Olgerta Prendi
    Cyber Security Specialist
    S&T AG
    Tirana
    ------------------------------



  • 6.  RE: Archive WAF GW logs to FTP

    Posted 09-20-2022 11:49
    Edited by System 09-20-2022 15:30
    Hi,

    Only system events and reports can be archived (visible under Admin > Maintenance).

    If you want to store security events/alerts for historical purposes, you have multiple options:

    1. Generate a report daily/weekly and have the report sent via FTP to your FTP server.
      1. It is likely you will lose events due to aggregation.
      2. If the report size is too big you may lose some data.
    2. Set up a syslog server (a simple rsyslog server, Graylog if you want a GUI to search logs quickly, etc.).
      1. This will require setting up appropriate followed actions for all your applied and enabled policies.
      2. You can do this either from the MX itself or from the GW itself.
    3. Lastly, since the underlying OS is CentOS, you can:
      1. Set up an rsyslog config at /etc/rsyslog.d/00-custom-security_events.conf to store logs locally on the MX.
      2. Set up a script or an automation to send the locally stored logs to your FTP server.
      3. You can go one step further and use the built-in logrotate to compress the older logs, thus saving space and bandwidth, and store them on a remotely mounted storage solution if one is present.
      4. I strongly recommend setting an alert to notify you when disk space approaches 80% usage, to make sure your MX has enough free space to do other tasks.
        1. Either a simple cronjob or any metric integration you have (InfluxDB or Prometheus).

    If you already have a SIEM in place I strongly recommend the second option, as you can do more smart things with it.

    ------------------------------
    Sarvesh Lad
    ------------------------------
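As an added example, not part of this thread and not Imperva's own tooling, the following POSIX shell script is the glue a practitioner would write for option 3 in Sarvesh's reply: the rsyslog drop-in that keeps security events in their own file on the MX, the logrotate stanza, an FTP shipping step for the rotated files, and the 80% disk check. Everything product-specific is an assumption: that the followed action points syslog at 127.0.0.1:514 with the program name `imperva`, that the logs live under `/var/log/imperva`, that the rsyslog on the MX is version 7 or later (rainerscript syntax), and that the FTP credentials for the archive host are in root's `~/.netrc`. The `df` line in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the Imperva thread or product docs.
# Glue for "option 3" above: keep MX security events locally via rsyslog,
# rotate them, ship rotated files to FTP, and warn before the disk fills.
# Assumptions (hypothetical): the followed action sends syslog to
# 127.0.0.1:514 with program name "imperva"; logs live under /var/log/imperva;
# FTP credentials for the archive host are in root's ~/.netrc.

LOG_DIR=/var/log/imperva
LOG_FILE=$LOG_DIR/security_events.log

# rsyslog drop-in: listen on the loopback UDP port the MX followed action
# targets, write every "imperva" message to its own file, then stop so the
# same line does not also fill /var/log/messages. (rainerscript, rsyslog >= 7)
write_rsyslog_conf() {
cat <<'EOF'
module(load="imudp")
input(type="imudp" address="127.0.0.1" port="514")
if $programname == 'imperva' then {
    action(type="omfile" file="/var/log/imperva/security_events.log")
    stop
}
EOF
}

# logrotate stanza: daily rotation, 30 compressed copies, delaycompress so the
# file rsyslog still holds open is not gzipped underneath it.
write_logrotate_conf() {
cat <<'EOF'
/var/log/imperva/security_events.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    postrotate
        /bin/kill -HUP $(cat /var/run/syslogd.pid 2>/dev/null) 2>/dev/null || true
    endscript
}
EOF
}

# Upload each rotated, compressed file and delete the local copy only after
# curl reports success. --netrc keeps the password out of the crontab and the
# process list; --ssl-reqd refuses to fall back to cleartext FTP.
ship_to_ftp() {
    host=$1
    for f in "$LOG_DIR"/security_events.log-*.gz; do
        [ -e "$f" ] || continue
        curl --netrc --silent --show-error --ssl-reqd --ftp-create-dirs \
            -T "$f" "ftp://$host/mx-archive/" && rm -f "$f"
    done
}

# Parse the "Use%" column of one `df -P` line into a bare integer.
usage_pct() {
    printf '%s\n' "$1" | awk '{ sub("%", "", $5); print $5 }'
}

# True (exit 0) when usage is at or above the threshold, default 80%.
disk_over_threshold() {
    [ "$1" -ge "${2:-80}" ]
}

# Cron entry point: log a warning to syslog (and return 1) when the root
# filesystem crosses the threshold, so the MX keeps headroom for its own jobs.
check_disk() {
    pct=$(usage_pct "$(df -P / | tail -n 1)")
    if disk_over_threshold "$pct" 80; then
        logger -t mx-archive -p user.warning "root filesystem at ${pct}%, prune or ship archives"
        return 1
    fi
    return 0
}

# Usage: run `install` once, then cron `ship <host>` and `check` (e.g. hourly).
case "${1:-}" in
    install) write_rsyslog_conf >/etc/rsyslog.d/00-custom-security_events.conf
             write_logrotate_conf >/etc/logrotate.d/imperva-security-events
             mkdir -p "$LOG_DIR" && systemctl restart rsyslog ;;
    ship)    ship_to_ftp "${2:?ftp host}" ;;
    check)   check_disk ;;
esac
```

Two design points worth noting. The local copy is removed only after `curl` exits successfully, so a failed upload leaves the file for the next cron run instead of silently losing a day of alerts. And `--ssl-reqd` makes the transfer fail rather than send credentials and alert data in cleartext; drop it only if the FTP server really cannot do explicit TLS (AUTH TLS), and in that case prefer SFTP if the archive host offers it.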