Skip to main content
Skip table of contents

Defining SIEM Integration


Ekran System supports integration with various SIEM systems using SysLog (over TCP/IP), and CEF or LEEF log files, and covers virtually all the different systems, including Elasticsearch and Kerberos deployments. All events are sent from the Application Server.

In this way, Ekran System can be used as a data source provider to track different events, such as alerts triggered, monitored session data, and events occurring in the Management Tool (such as someone created a new user).

By integration with a SIEM system, many potential security breaches can be caught (e.g. if a user is logged in to four different servers at the same time, it could be a potentially compromised account).

NOTE: This feature is only available with an activated serial key for the Enterprise Edition of Ekran System.


This advanced SIEM Integration functionality provides the capability to create a separate log file on the Ekran System Application Server machine and forward the log file to a SIEM system, as well as to define the format of the log file and the data to be written to it. It is also possible to send the data over the network without log file creation.

The log file can be created and forwarded to a SIEM system in one of the following formats:

• Common Event Format (CEF)

• Log Event Extended Format (LEEF)

Both these formats can be viewed and analyzed by Splunk, ArcSight or IBM QRadar monitoring software.

NOTE: The log records that are forwarded are not encrypted unless the TLS encryption option is used (see below).


Depending on the Log Format Settings specified, different types of monitoring data can be written to the log file and can be forwarded to the SIEM system.

CEF Header Information

LEEF Header Information

Log Data

Client records

Device Event Class ID=100

Name=EkranClientEvent

cat=ClientEvents

eventId=100

Cat=ClientEvents

Windows Client events: user name (along with the secondary user name), Client name, activity time, activity title, application name, URL, keystrokes, alert/USB rule, Session Player URL, OS, domain name, IPv4, IPv6, remote IP.

Linux Client events: user name, Client name, activity time, command, function, parameters, alert, Session Player URL, OS, IPv4, IPv6.

Alert events

Device Event Class ID=200

Name=EkranAlertEvent

cat=AlertEvents

eventId=200

Cat=AlertEvents

Windows Client alert events: alert ID, alert name, alert description, user name (along with the secondary user name), Client name, activity time, activity title, application name, URL, keystrokes, Session Player URL, OS, domain name, IPv4, IPv6, remote IP.

Linux Client alert events: alert ID, alert name, alert description, user name, Client name, activity time, command, function, parameters, Session Player URL, OS, IPv4, IPv6.

Audit log events

Device Event Class ID = 300

Name=EkranMTLogEvent

cat=MTLogEvents

eventId=300

Cat=MTLogEvents

sev=10

Audit log entry ID, time, Ekran System user name, user groups, category, action, object, details.

Client going offline/online events

Name=EkranClientEvent

cat=ClientEvents

Cat=ClientEvents

sev=1

Windows/macOS/Linux Client going offline events for CEF: Client name, OS, IPv4, IPv6, domain name (or hostname), status (Offline).

Windows/macOS/Linux Client coming online events for CEF: Client name, OS, status (Online).

Windows/macOS/Linux Client going offline events for LEEF: Client name, IPv4 (or IPv6 if IPv4 is not available), status (Offline).

Windows/macOS/Linux Client coming online events for LEEF: Client name, status (Online).


To define the log settings, click the Configuration (

) button (at the top of the Management Tool), and on the Configuration page that opens, select the SIEM Integration tab.

The log settings can be edited by users with the administrative Database Management permission.


The following settings can be defined in the corresponding sections:

1. NOT AVAILABLE IN SAAS  Log File Settings

In this section, you can enable log file creation and define the parameters for the cleanup operation (the log file will be created on the Ekran System Application Server machine, and by default have the name EventLog and be stored in the Application Server installation folder):

• Create a log file: You can select this checkbox to enable log file creation.

NOTE: When using High Availability mode, the "Create a log file" option is disabled, in which case you can instead send the logs directly to the SIEM system.

• Log file location: In this field, you can define the location where the log files will be stored.

• Cleanup daily at: This option allows you to define the time to execute the cleanup operation on a daily basis.

• Cleanup every: This option allows you to define the frequency of the cleanup operation.

• Maximum file size (GB): This option allows you to define the maximum size of the log file.

NOTE: During any Cleanup operation, the current log file is renamed (the date and time of the cleanup operation is added to its name) and a new one is created in the same folder. So as not to run out of space on the Application Server computer where the log files are stored, it is recommended to regularly check the disk space used and delete log files which are no longer required.

NOTE: The options in the Log File Settings section are not available in High Availability mode.

2. Log Forwarding Settings

In this section, you can enable the forwarding of log records, and define the SIEM system that the log records will be sent to:

• Send log to SIEM system: You can select this checkbox to enable log file forwarding.

• Network IP address: This option allows you to enter the IP address of the SIEM system.

• Port: This option allows you to enter the port number of the SIEM system.

• Test Connection: This button allows you to send a test log record to the SIEM system defined to check if all connection settings are correctly defined.

Use TLS: This checkbox allows you to use an encrypted TLS connection to forward the log records to the SIEM system securely, by uploading a server certificate for validation of the TLS connection. Please refer to the article on how to create a self-signed SSL certificate.

3. Log Format Settings

In this section, you can define the format of the log file to be saved on the Ekran System Server computer and forwarded to the SIEM system.

• Log format: This option allows you to select the log file format (CEF or LEEF).

• Date format: This option allows you to define the date format for the log file.

4. Log File Contents

In this section, you can define the data to be written to the log file and forwarded to the SIEM system:

• Windows and Linux Client records: Select this checkbox to allow the adding of all the session records from Windows and Linux Clients to the log file.

• Alert events: Select this checkbox to allow the adding of all the alerts triggered on Windows and Linux Clients to the log file.

• Audit log events: Select this checkbox to allow the adding of all the Audit log records to the log file.

• Client going offline/online events: Select this checkbox to allow the adding of all events whenever any Client goes offline or comes online to the log file.


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.