Imperva Cyber Community

  • 1.  Can I set two 'Syslog Host' in the setting 'SecureSphere Audit'?

    Posted 27 days ago

    https://docs.imperva.com/bundle/v13.6-administration-guide/page/65606.htm

    I want to send all system events to two syslog hosts. How do I set this up?
    #DatabaseActivityMonitoring
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Wenlong Wang
    Technical Director
    Beijing China
    ------------------------------


  • 2.  RE: Can I set two 'Syslog Host' in the setting 'SecureSphere Audit'?

    Posted 27 days ago
    Hi Wenlong,

    You can add a second syslog destination by adding a second action interface. Here is an example:



    ------------------------------
    Mark Barros
    Product Support Engineer - On Prem
    Tel Aviv CA
    ------------------------------



  • 3.  RE: Can I set two 'Syslog Host' in the setting 'SecureSphere Audit'?

    Posted 27 days ago
    With "Action Sets", I need to define a policy for the system event types under "Policies > System Events".
    This is cumbersome when I need to send all types of system events.

    The "SecureSphere Audit" setting can send all system events directly without defining the system event types.

    ------------------------------
    Wenlong Wang
    Technical Director
    Beijing China
    ------------------------------



  • 4.  RE: Can I set two 'Syslog Host' in the setting 'SecureSphere Audit'?

    Posted 23 days ago
    Unfortunately there is no option for 2 syslog hosts on that GUI page under the admin section.

    You have a few options, but these would mostly be out of scope from the Imperva Support perspective:
    1. Have one syslog server forward the logs on to the other syslog server.
    2. Send the logs to the MX itself (127.0.0.1:514) and add a custom rsyslog config file at /etc/rsyslog.d/000-securesphere_audit.conf with the following contents:

    # UDP forward example (single @ = UDP)
    local3.info @SYSLOG_HOST_1
    local3.info @SYSLOG_HOST_2
    # TCP forward example (double @@ = TCP)
    # local4.info @@SYSLOG_HOST_1
    # "&" repeats the selector of the line above; "stop" discards the message after forwarding
    & stop

    Make sure that you don't use the default local0 facility; that way you don't end up forwarding non-SecureSphere-audit logs to the syslog server.

    Restart the rsyslog service with: systemctl restart rsyslog

    Note: this will likely not survive an upgrade, and you may have to set it up again, so I recommend adding it to your post-upgrade checks.

    ------------------------------
    Sarvesh Lad
    Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
    ------------------------------



  • 5.  RE: Can I set two 'Syslog Host' in the setting 'SecureSphere Audit'?

    Posted 23 days ago
    Does changing the rsyslog configuration affect any functions of SecureSphere itself?

    ------------------------------
    Wenlong Wang
    Technical Director
    Beijing China
    ------------------------------



  • 6.  RE: Can I set two 'Syslog Host' in the setting 'SecureSphere Audit'?

    Posted 23 days ago
    Not the ones you create under /etc/rsyslog.d/. The main config file imports any *.conf file inside the /etc/rsyslog.d/ directory. Of course, if there are conflicts between configs (e.g. opening a UDP listener on the same port in multiple config files), that will cause issues.

    There is a main config at /etc/rsyslog.conf which is used by the SecureSphere component to send messages to /var/log/messages. Do not modify or touch that.


    ------------------------------
    Sarvesh Lad
    Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
    ------------------------------



  • 7.  RE: Can I set two 'Syslog Host' in the setting 'SecureSphere Audit'?

    Posted 23 days ago
    Thanks for your answer, I will test it later.

    ------------------------------
    Wenlong Wang
    Technical Director
    Beijing China
    ------------------------------



  • 8.  RE: Can I set two 'Syslog Host' in the setting 'SecureSphere Audit'?

    Posted 19 days ago
    If you are on version 14.x and the logs aren't showing up, you may need to add the syslog service to the built-in firewalld:


    firewall-cmd --zone=imperva --add-service=syslog --permanent
    firewall-cmd --reload


    As mentioned before, please check it again after upgrades as it may not survive an upgrade/patch.

    ------------------------------
    Sarvesh Lad
    Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
    ------------------------------
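The drop-in from reply 4, the config-conflict warning from reply 6 and the post-upgrade re-check that replies 4 and 8 recommend, brought together in one script. This is an added example written for this page; it is not code from the thread or from Imperva. The drop-in path, the local3 facility, the "& stop" rule, the "imperva" firewalld zone and the rsyslogd/firewall-cmd commands come from the replies above; the host addresses, the sample directory and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example for this thread (not Imperva's code): generate the rsyslog
# drop-in that forwards SecureSphere Audit events to two hosts, guard against
# the mistakes the replies warn about, and re-check the setup after an upgrade.
# Path, facility and firewalld zone are from the thread; hosts are constructed.

DROPIN=/etc/rsyslog.d/000-securesphere_audit.conf

# Emit the drop-in. FACILITY must be local1..local7 (local0 carries the MX's
# own messages, so forwarding it would also ship non-audit logs). TRANSPORT is
# udp ("@host") or tcp ("@@host"). One forward line per HOST, then "& stop"
# so the forwarded events are not also written to /var/log/messages.
render_forward_conf() {
    facility=$1; transport=$2; shift 2
    case "$facility" in
        local[1-7]) ;;
        *) echo "refusing facility '$facility': use local1..local7" >&2; return 1 ;;
    esac
    case "$transport" in
        udp) prefix='@' ;;
        tcp) prefix='@@' ;;
        *) echo "transport must be udp or tcp" >&2; return 1 ;;
    esac
    [ $# -ge 1 ] || { echo "at least one syslog host is required" >&2; return 1; }
    echo "# SecureSphere Audit forwarding over $transport (generated drop-in)"
    for host in "$@"; do
        echo "$facility.info ${prefix}${host}"
    done
    echo '& stop'
}

# Post-upgrade check: the drop-in must still exist, forward to at least one
# host, avoid local0 and end with "& stop". Returns 0 only if all hold.
check_dropin() {
    f=${1:-$DROPIN}
    [ -f "$f" ] || { echo "MISSING: $f (re-create it after the upgrade)" >&2; return 1; }
    grep -Eq '^local[1-7]\.[a-z]+[[:space:]]+@{1,2}[^[:space:]]+' "$f" \
        || { echo "$f: no forward line" >&2; return 1; }
    ! grep -Eq '^local0\.' "$f" || { echo "$f: uses local0" >&2; return 1; }
    grep -Eq '^&[[:space:]]+stop' "$f" || { echo "$f: missing '& stop'" >&2; return 1; }
}

# Two drop-ins that each open a listener on the same port break rsyslog (the
# conflict case from reply 6). Print every listen port that DIR/*.conf
# declares more than once, in legacy ("$UDPServerRun 514",
# "$InputTCPServerRun 514") or RainerScript (input(type="imudp" port="514"))
# form. Empty output means no conflict.
find_listener_conflicts() {
    awk '
        /^[ \t]*[$](UDPServerRun|InputTCPServerRun)[ \t]+[0-9]+/ { print $2 }
        /input\(.*type="(imudp|imtcp)"/ {
            if (match($0, /port="[0-9]+"/)) print substr($0, RSTART + 6, RLENGTH - 7)
        }
    ' "$1"/*.conf 2>/dev/null | sort | uniq -d
}

# Constructed sample directory standing in for /etc/rsyslog.d on an MX: a
# valid audit drop-in plus two files that both listen on UDP/514.
make_sample_dir() {
    d=$(mktemp -d)
    render_forward_conf local3 udp 10.0.0.10 10.0.0.11 > "$d/000-securesphere_audit.conf"
    printf '$ModLoad imudp\n$UDPServerRun 514\n' > "$d/10-legacy-listener.conf"
    printf 'module(load="imudp")\ninput(type="imudp" port="514")\n' > "$d/20-rainer-listener.conf"
    echo "$d"
}

# Checks that only make sense on the MX itself (run as: sh this.sh live):
# drop-in sanity, listener conflicts, rsyslog config parse (rsyslogd -N1) and
# the firewalld rule from the 14.x reply. Missing tools are reported, not failed.
live_check() {
    check_dropin "$DROPIN" || return 1
    c=$(find_listener_conflicts /etc/rsyslog.d)
    [ -z "$c" ] || { echo "listener port(s) declared twice: $c" >&2; return 1; }
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 >/dev/null 2>&1 || { echo "rsyslogd -N1: config does not parse" >&2; return 1; }
    else
        echo "rsyslogd not found, skipping parse check" >&2
    fi
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --zone=imperva --query-service=syslog >/dev/null 2>&1 \
            || echo "WARNING: syslog service not allowed in firewalld zone 'imperva'" >&2
    fi
    echo "audit forwarding setup looks intact"
}

if [ "${1:-}" = live ]; then live_check; fi
```

Write the generated drop-in with render_forward_conf before restarting rsyslog, and run the script with the "live" argument as one of the post-upgrade checks; it fails loudly if the drop-in has been removed by the upgrade, still uses local0, lost its "& stop", or collides with another file's listener port.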