Syslog Reporting Splunk
- Updated on 16 Oct 2020
Setup for SIEM integration such as Splunk
SecureCircle will output detailed server and usage logs to any SIEM or syslog aggregator. This document gives examples of how to set up SecureCircle with Splunk; the same general steps apply to any SIEM.
Configuring Splunk Source Type
Note: See the Settings table below for the exact SIEM values to enter.
First, create a new Source Type which will define the data properly. If the Source Type is not configured properly, users will not be able to parse and search data correctly.
- Click Settings and select Source Types (under Data) from the top navigation bar.
- Select New Source Type from the right-hand menu. In this example, the Source Type is named ‘syslog_json’.
Settings
Ensure the SIEM settings are configured as described.
Setting | Value
---|---
Description | Syslog RFC3164 with JSON message body
maxDist | 3
Lookahead | 32
MAX_TIMESTAMP_LOOKAHEAD | 32
Timestamp format | %b %d %H:%M:%S
TIME_FORMAT | %b %d %H:%M:%S
Extraction | Advanced
Category | Application
Time Zone | Auto
Event Breaks | Every Line
SHOULD_LINEMERGE | False
Indexed Extractions | None
SEDCMD-Stripheader | s/^[^{]+//
REPORT-syslog | Syslog-extractions
TRANSFORMS | syslog-host
NO_BINARY_CHECK | True
Pulldown_type | true
Charset | UTF-8
Timestamp | (leave empty)
Timestamp prefix | (leave empty)
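To see what these settings do to a line before you commit them in Splunk, the following Python script (an added example, not code from SecureCircle or Splunk) reproduces the three settings that matter most for parsing: one event per line (SHOULD_LINEMERGE = False), the timestamp read with TIME_FORMAT within the first MAX_TIMESTAMP_LOOKAHEAD characters, and the SEDCMD `s/^[^{]+//` that discards the RFC3164 header so only the JSON body remains. The sample lines, hostnames and JSON field names are constructed for the example and are not SecureCircle's real log format. The host is pulled from the header before it is stripped, which is why a separate host transform is needed once SEDCMD has run.

```python
import json
import re
from datetime import datetime

# Values mirrored from the Source Type table above
TIME_FORMAT = "%b %d %H:%M:%S"         # TIME_FORMAT
MAX_TIMESTAMP_LOOKAHEAD = 32           # MAX_TIMESTAMP_LOOKAHEAD
STRIP_HEADER = re.compile(r"^[^{]+")   # SEDCMD-Stripheader: s/^[^{]+//

# RFC3164 header: optional "<PRI>", then "Mmm dd hh:mm:ss", then the host
_RFC3164_TS = r"(?:<\d{1,3}>)?(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2})"
TS_RE = re.compile(r"^" + _RFC3164_TS)
HOST_RE = re.compile(r"^" + _RFC3164_TS + r" (?P<host>\S+) ")

# Constructed sample lines (hypothetical host, tag and JSON fields; not from the page)
SAMPLE_LINES = [
    'Oct 16 10:23:45 sc-server-01 securecircle[4242]: {"event": "file_open", "user": "alice", "action": "allowed"}',
    '<134>Oct  6 09:05:01 sc-server-01 securecircle[4242]: {"event": "file_open", "user": "bob", "action": "denied"}',
    'Oct 16 10:23:47 sc-server-01 securecircle[4242]: plain text body with no json',
]


def extract_timestamp(line, year):
    """Read the RFC3164 timestamp from the first MAX_TIMESTAMP_LOOKAHEAD characters only.

    RFC3164 timestamps carry no year, so the caller supplies it (Splunk infers one).
    Returns None when no timestamp sits inside the lookahead window."""
    m = TS_RE.match(line[:MAX_TIMESTAMP_LOOKAHEAD])
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TIME_FORMAT).replace(year=year)


def extract_host(line):
    """Take the host from the header; it must be read before SEDCMD removes the header."""
    m = HOST_RE.match(line)
    return m.group("host") if m else None


def parse_event(line, year=2020):
    """Apply timestamp extraction, host extraction and the header-stripping SEDCMD to one line."""
    event = {"_time": extract_timestamp(line, year), "host": extract_host(line), "_raw": line}
    body = STRIP_HEADER.sub("", line, count=1)
    if not body:
        # No '{' anywhere: ^[^{]+ matched the whole line, so nothing is left to parse.
        event["error"] = "no JSON body: SEDCMD stripped the entire line"
        return event
    try:
        event["fields"] = json.loads(body)
    except json.JSONDecodeError as exc:
        event["error"] = f"invalid JSON body: {exc}"
    return event


def parse_stream(text, year=2020):
    """SHOULD_LINEMERGE = False / Event Breaks = Every Line: each non-empty line is one event."""
    return [parse_event(line, year) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for ev in parse_stream("\n".join(SAMPLE_LINES)):
        print(ev.get("_time"), ev.get("host"), ev.get("fields") or ev.get("error"))
```

The third sample line shows the failure mode to watch for: a line without a JSON body is reduced to an empty event by the SEDCMD, so if SecureCircle events appear in Splunk with no fields, check the raw line for a `{` before suspecting the field extractions.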
Next, configure the Data input. Click on Settings > Data inputs.
Configure Splunk to listen on a specific port.
- Select the Local Input Type (UDP or TCP). This assumes the SecureCircle server and Splunk server are local to each other on the network. Other options are available when data needs to be forwarded. Click New.
- Configure the listen port and provide a name to reference the source (optional). Click Next.
- Select the Source Type name which was created in the previous step. Set Host to IP. Set Index to default. Click Save.
SecureCircle should now be sending data to the SIEM, and each event should be parsed into its JSON fields. If the data is not parsed correctly, confirm your Source Type configuration.
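Before pointing SecureCircle at the listener, it is worth sending a single well-formed test event to the port and confirming it appears parsed. The script below is an added example (not SecureCircle's or Splunk's code) that builds an RFC3164 line with a JSON body in the shape the Source Type above expects, sends it over UDP or TCP, and includes a loopback listener standing in for the Splunk TCP input so the framing can be checked offline. The host name, tag and payload are constructed placeholders; replace the target host and port with your Splunk listener.

```python
import json
import socket
import threading
from datetime import datetime


def build_syslog_line(host, tag, payload, when, facility=16, severity=6):
    """RFC3164 line "<PRI>Mmm dd hh:mm:ss host tag: {json}"; PRI = facility * 8 + severity.

    The day is space-padded (not zero-padded), which is what TIME_FORMAT %b %d parses."""
    pri = facility * 8 + severity
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{ts} {host} {tag}: {json.dumps(payload, separators=(',', ':'))}"


def example_line():
    """A constructed test event with a fixed timestamp (hypothetical host and fields)."""
    return build_syslog_line(
        "sc-server-01", "securecircle[4242]",
        {"event": "siem_test", "user": "alice", "action": "allowed"},
        datetime(2020, 10, 16, 10, 23, 45),
    )


def send_test_event(line, target_host, target_port, transport="tcp"):
    """Send one event. TCP needs a trailing newline so 'Event Breaks = Every Line' splits it;
    UDP carries one event per datagram. Returns the number of bytes sent."""
    data = (line + "\n").encode("utf-8")
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (target_host, target_port))
    elif transport == "tcp":
        with socket.create_connection((target_host, target_port), timeout=5) as s:
            s.sendall(data)
    else:
        raise ValueError("transport must be 'udp' or 'tcp'")
    return len(data)


def loopback_roundtrip(line):
    """Stand-in for the Splunk TCP input: listen on an ephemeral loopback port,
    send the line to it and return exactly what the listener received."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    received = []

    def accept_once():
        conn, _ = srv.accept()
        with conn:
            chunks = []
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
            received.append(b"".join(chunks).decode("utf-8"))

    t = threading.Thread(target=accept_once)
    t.start()
    send_test_event(line, "127.0.0.1", port, "tcp")
    t.join(5)
    srv.close()
    return received[0] if received else ""


if __name__ == "__main__":
    line = example_line()
    print("sending:", line)
    print("listener got:", repr(loopback_roundtrip(line)))
    # Against a real listener: send_test_event(line, "splunk.example.internal", 1514, "tcp")
```

If the event shows up in Splunk but its `_time` is wrong or its fields are missing, the line is reaching the port and the problem is in the Source Type, not the input.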
Configuring SecureCircle output
In the SecureCircle admin UI, go to the Integrations > SIEM menu on the left navigation bar. For new integrations, click Add Server.
- Complete the configuration information including the hostname, port, and transport method. Click Add.
- All logs from SecureCircle will be directed to the SIEM.
To modify the configuration later, select the integration's checkbox and click Actions > Modify Server.