Defining SIEM Integration


Ekran System supports integration with various systems using SysLog (over TCP/IP), and CEF or LEEF log files, and covers virtually all different systems, including Elasticsearch and Kerberos deployments. All events are sent from the Application Server.

In this way, Ekran System can be used as a data source provider to track different events, such as alerts triggered, monitored session data, and events occurring in the Management Tool (such as for someone created a new user).

By integration with a SIEM system, many potential security breaches can be caught (e.g. if a user logged in to four different servers at the same time, it could be a potentially compromised account).

NOTE: Advanced SIEM integration functionality is only available if you have an activated serial key for the Enterprise Edition of Ekran System.


This advanced SIEM integration functionality provides the capability to create a separate log file on the Ekran System Application Server machine and forward the log file to a SIEM system, as well as to define the format of the log file and the data to be written to it. It is also possible to send the data over the network without log file creation.

The log file can be created or forwarded to a SIEM system in one of the following formats:

• Common Event Format (CEF)

• Log Event Extended Format (LEEF)

Both these formats can be viewed and analyzed by Splunk, ArcSight or IBM QRadar monitoring software.

NOTE: The log records that are forwarded are not encrypted unless the TLS encryption option is used (see below).


Depending on the log format settings specified, different types of monitoring data can be written to the log file or can be forwarded to the SIEM system.

CEF Header Information

LEEF Header Information

Log Data

Client Events

Device Event Class ID = 100

Name = EkranClientEvent

Cat = ClientEvents

EventID = 100

Cat = ClientEvents

Windows Client events: user name (along with the secondary user name), Client name, activity time, activity title, application name, URL, keystrokes, alert/USB rule, Session Player URL, OS, domain name, IPv4, IPv6, remote IP.

Linux Client events: user name, Client name, activity time, command, function, parameters, alert, Session Player URL, OS, IPv4, IPv6.

Alert Events

Device Event Class ID = 200

Name = EkranAlertEvent

Cat = AlertEvents

EventID = 200

Cat = AlertEvents

Windows Client alert events: alert ID, alert name, alert description, user name (along with the secondary user name), Client name, activity time, activity title, application name, URL, keystrokes, Session Player URL, OS, domain name, IPv4, IPv6, remote IP.

Linux Client alert events: alert ID, alert name, alert description, user name, Client name, activity time, command, function, parameters, Session Player URL, OS, IPv4, IPv6.

Audit Log Events

Device Event Class ID = 300

Name = EkranMTLogEvent

Cat = MTLogEvents

EventID = 300

Cat = MTLogEvents

Audit log entry ID, time, Ekran System user name, user groups, category, action, object, details.


To define the log settings, click the Configuration navigation link on the left, and then select the SIEM Integration tab on the Configuration page.

The log settings can be edited by users with the administrative Database Management permission.


The following settings can be defined in the corresponding sections:

1. Log File Settings

In this section, you can enable log file creation and define the parameters for the cleanup operation (the log file will be created on the Ekran System Application Server computer, and by default have the name EventLog and be stored in the Application Server installation folder):

• Create a log file: You can select this checkbox to enable log file creation.

• Log File Location: In this field, you can define the location where the log files will be stored.

• Cleanup daily at: This option allows you to define the time to execute the cleanup operation on a daily basis.

• Cleanup every: This option allows you to define the frequency of the cleanup operation.

• Maximum File Size (GB): This option allows you to define the maximum size of the log file.

NOTE: During each cleanup operation, the current log file is renamed (the date and time of the cleanup operation is added to its name) and a new one is created in the same folder. So as not to run out of space on the Application Server computer where the log files are stored, it is recommended to regularly check the disk space used and delete log files which are no longer required.

2. Log Forwarding Settings

In this section, you can enable the forwarding of log records and define the SIEM system the log records will be sent to:

• Send log to SIEM system: You can select this checkbox to enable log file forwarding.

• Network IP Address: This option allows you to enter the IP address of the SIEM system.

• Port: This option allows you to enter the port number of the SIEM system.

• Test Connection: This button allows you to send a test log record to the defined SIEM system to check if all connection settings are correctly defined.

Use TLS: This checkbox allows you to use an encrypted TLS connection to forward the log records to the SIEM system securely, by uploading a server certificate for validation of the TLS connection.

3. Log Format Settings

In this section, you can define the format of the log file to be saved on the Ekran System Server computer and forwarded to the SIEM system.

• Log Format: This option allows you to select the log file format (CEF or LEEF).

• Date Format: This option allows you to define the date format for the log file.

4. Log File Contents

In this section, you can define the data to be written to the log file and forwarded to the SIEM system:

• Windows and Linux Client records: Select this checkbox to allow the adding of all session records of Windows and Linux Clients to the log file.

• Alert events: Select this checkbox to allow the adding of all alert events of Windows and Linux Clients to the log file.

• Audit log events: Select this checkbox to allow the adding of all Audit log records to the log file.