Imperva Cyber Community

  • 1.  Can I set two 'Syslog Host' in the setting 'SecureSphere Audit'?

    Posted 11-11-2022 02:35

    https://docs.imperva.com/bundle/v13.6-administration-guide/page/65606.htm

    I want to send all system events to two syslog hosts. How do I set that up?
    #DatabaseActivityMonitoring
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Wenlong Wang
    Technical Director
    Beijing China
    ------------------------------


  • 2.  RE: Can I set two 'Syslog Host' in the setting 'SecureSphere Audit'?

    Posted 11-11-2022 06:10
    Hi Wenlong,

    You can add a second syslog destination by adding a second action interface. Here is an example:



    ------------------------------
    Mark Barros
    Product Support Engineer - On Prem
    Tel Aviv CA
    ------------------------------



  • 3.  RE: Can I set two 'Syslog Host' in the setting 'SecureSphere Audit'?

    Posted 11-11-2022 07:44
    The "Action Sets" approach requires defining the system event type policy in "Policies > System Events".
    This is cumbersome when I need to send all types of system events.

    The "SecureSphere Audit" can directly send all system events without defining the system event types.

    ------------------------------
    Wenlong Wang
    Technical Director
    Beijing China
    ------------------------------



  • 4.  RE: Can I set two 'Syslog Host' in the setting 'SecureSphere Audit'?
    Best Answer

    Posted 11-14-2022 11:27
    Unfortunately there is no option for 2 syslog hosts on that GUI page under the admin section.

    You have a few options but this would be mostly out of scope from Imperva Support perspective:
    1. Have the first syslog server forward the logs to the second syslog server
    2. Send the logs to the MX itself (127.0.0.1:514) and add a custom rsyslog config file to /etc/rsyslog.d/000-securesphere_audit.conf with contents:

    # UDP forward example
    local3.info @SYSLOG_HOST_1
    local3.info @SYSLOG_HOST_2
    # TCP forward example
    # local4.info @@SYSLOG_HOST_1
    & stop

    Make sure that you don't use the default local0 facility, so that you don't end up forwarding non-SecureSphere audit logs to the syslog server.

    Restart the rsyslog service with: systemctl restart rsyslog

    Note: This may not survive an upgrade and you may have to set it up again, so I recommend adding it to your post-upgrade checks.

    ------------------------------
    Sarvesh Lad
    Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
    ------------------------------



  • 5.  RE: Can I set two 'Syslog Host' in the setting 'SecureSphere Audit'?

    Posted 11-14-2022 11:57
    Does setting rsyslog affect some functions of SecureSphere itself?

    ------------------------------
    Wenlong Wang
    Technical Director
    Beijing China
    ------------------------------



  • 6.  RE: Can I set two 'Syslog Host' in the setting 'SecureSphere Audit'?

    Posted 11-14-2022 12:17
    Not the ones you create under /etc/rsyslog.d/. The main config file imports any *.conf file inside the /etc/rsyslog.d/ directory. Of course, if there are conflicts in the config (e.g. opening a UDP listener on the same port across multiple config files), it will cause issues.

    There is a main config at /etc/rsyslogd.conf which is in use by the securesphere component to send messages to /var/log/messages. Do not modify or touch that.


    ------------------------------
    Sarvesh Lad
    Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
    ------------------------------



  • 7.  RE: Can I set two 'Syslog Host' in the setting 'SecureSphere Audit'?

    Posted 11-14-2022 22:23
    Thanks for your answer, I will test it later.

    ------------------------------
    Wenlong Wang
    Technical Director
    Beijing China
    ------------------------------



  • 8.  RE: Can I set two 'Syslog Host' in the setting 'SecureSphere Audit'?

    Posted 11-18-2022 12:04
    If you are on version 14.x and the logs aren't showing up, you may need to add syslog to the built-in firewalld:


    firewall-cmd --zone=imperva --add-service=syslog --permanent
    firewall-cmd --reload


    As mentioned before, please check it again after upgrades as it may not survive an upgrade/patch.

    ------------------------------
    Sarvesh Lad
    Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
    ------------------------------
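The rsyslog.d fragment from reply 4 and the firewalld check from reply 8 are easy to get subtly wrong (forwarding local0 by accident, forgetting "& stop", losing the file or the firewall rule after a patch). The script below is an added example, not code from the thread or from Imperva: it generates the fragment for any number of hosts, refuses local0, lints an existing fragment, and bundles the post-upgrade checks into one function. It assumes the thread's setup (SecureSphere Audit pointed at 127.0.0.1:514 with a local1-local7 facility, the fragment at /etc/rsyslog.d/000-securesphere_audit.conf, a firewalld zone named "imperva"); SYSLOG_HOST_1 and SYSLOG_HOST_2 are placeholders. The demo at the bottom writes only to a temp file; the commented lines show the equivalent commands on the MX.

```shell
#!/bin/sh
# Added example (not from the thread or from Imperva): generate, lint and
# re-verify the rsyslog forwarding fragment for the SecureSphere audit stream.
# Assumptions: audit syslog is sent to 127.0.0.1:514 with facility local3,
# the fragment lives in /etc/rsyslog.d/, the firewalld zone is "imperva".
# SYSLOG_HOST_1 / SYSLOG_HOST_2 are placeholders.
set -eu

# gen_forward_conf FACILITY udp|tcp HOST [HOST...]  -> fragment on stdout
# Refuses local0 so the MX's own /var/log/messages traffic is not forwarded.
gen_forward_conf() {
    facility=$1; proto=$2; shift 2
    case "$facility" in
        local0)     echo "refusing local0: it carries non-audit MX logs" >&2; return 1 ;;
        local[1-7]) ;;
        *)          echo "unsupported facility: $facility" >&2; return 1 ;;
    esac
    case "$proto" in
        udp) prefix='@' ;;       # single @  = UDP forwarding
        tcp) prefix='@@' ;;      # double @@ = TCP forwarding
        *)   echo "proto must be udp or tcp" >&2; return 1 ;;
    esac
    [ $# -ge 1 ] || { echo "at least one host required" >&2; return 1; }
    echo "# SecureSphere audit forwarding ($proto)"
    for host in "$@"; do
        echo "$facility.info ${prefix}${host}"
    done
    # '&' repeats the previous selector; 'stop' keeps these messages from
    # also being handled by later rules (such as the /var/log/messages rule).
    echo '& stop'
}

# lint_forward_conf FILE -> 0 if FILE forwards only local1-7 and ends with "& stop"
lint_forward_conf() {
    file=$1
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    if grep -Eq '^[[:space:]]*local0\.' "$file"; then
        echo "$file: forwards local0 (would leak non-audit logs)" >&2; return 1
    fi
    fwd='^[[:space:]]*local[1-7]\.[a-z]+[[:space:]]+@{1,2}[^[:space:]]+[[:space:]]*$'
    grep -Eq "$fwd" "$file" || { echo "$file: no forwarding line found" >&2; return 1; }
    # every non-comment, non-'&', non-blank line must be a well-formed forward
    if grep -Ev '^[[:space:]]*(#|&)|^[[:space:]]*$' "$file" | grep -Evq "$fwd"; then
        echo "$file: malformed line" >&2; return 1
    fi
    grep -Eq '^[[:space:]]*&[[:space:]]+stop[[:space:]]*$' "$file" \
        || { echo "$file: missing '& stop'" >&2; return 1; }
}

# post_upgrade_check FILE -> 0 when the fragment still lints, rsyslog parses its
# config (rsyslogd -N1) and firewalld's imperva zone still allows syslog.
# A check whose tool is absent on this host is reported as skipped, not failed.
post_upgrade_check() {
    conf=$1; rc=0
    lint_forward_conf "$conf" || rc=1
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 >/dev/null 2>&1 || { echo "rsyslogd -N1 failed" >&2; rc=1; }
    else
        echo "skipped: rsyslogd not found" >&2
    fi
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --zone=imperva --query-service=syslog >/dev/null 2>&1 \
            || { echo "firewalld zone imperva does not allow syslog" >&2; rc=1; }
    else
        echo "skipped: firewall-cmd not found" >&2
    fi
    return $rc
}

# Demo on a temp file (never touches /etc). On the MX you would run instead:
#   gen_forward_conf local3 udp SYSLOG_HOST_1 SYSLOG_HOST_2 \
#       > /etc/rsyslog.d/000-securesphere_audit.conf
#   systemctl restart rsyslog
#   logger -p local3.info -t securesphere_test "forwarding check"
#   post_upgrade_check /etc/rsyslog.d/000-securesphere_audit.conf
tmp=$(mktemp)
gen_forward_conf local3 udp SYSLOG_HOST_1 SYSLOG_HOST_2 > "$tmp"
post_upgrade_check "$tmp" && echo "fragment OK: $tmp"
rm -f "$tmp"
```

The logger line is the quickest end-to-end test after a restart: a local3.info message tagged securesphere_test should appear on both syslog hosts and, because of "& stop", not in /var/log/messages. Running post_upgrade_check from a cron job or your upgrade runbook catches the two silent failure modes the thread warns about: the fragment being removed by a patch, and the firewalld rule being dropped.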



  • 9.  RE: Can I set two 'Syslog Host' in the setting 'SecureSphere Audit'?

    Posted 12-10-2022 09:16
    I have tested it and it works fine.
    Thanks.

    ------------------------------
    Wenlong Wang
    Technical Director
    Beijing China
    ------------------------------