Hi Agustin,
It is a strange case that the settings presently configured work for System Events, but not for Security Events or Violations.
Please check the Action Interface Types and Action Set Event Types (https://docs.imperva.com/bundle/v14.19-dam-user-guide/page/2403.htm) that you used.
For example, Action Set Event Type = System Events and Action Interface Type = Log System Event to System Log (syslog) using the CEF standard. Similarly, Action Set Event Type = All - Security Violations and Action Interface Type = Log to System Log (Syslog). For both cases, kindly use the appropriate CEF Message Format.
Regards,
------------------------------
SBISOC 4430
Manager
Mumbai
------------------------------
Original Message:
Sent: 04-30-2025 03:23
From: Agustin Cudiamat
Subject: Splunk server not receiving any events for audit and security from the DAM gateway
Hi Guys,
I have configured the action set for my Security, Audit and system events to forward the events to my Splunk VIP.
Action Sets Settings:
Protocol: TCP
Primary host: x.x.x.x
Primary port: 514
Syslog Log level: INFO
I have set the followed action on the Security and system policies to this action set as well, and the Audit policies under external logger to the action set.
The only events I received are my system events from the DAM gateway. Only Security and Audit events are not showing in my Splunk server.
DAM MX and GW are on version 14.16.1.10_0
Does anybody have an idea on this, or do I need to check my configuration further on the MX side or the Splunk side?
#DAM
#AllImperva
#databaseactivity
#Datasecurity
#DatabaseActivityMonitoring
------------------------------
Agustin Cudiamat
Engineer
Singapore
------------------------------