Defining SIEM Integration
Ekran System supports integration with various SIEM systems using SysLog (over TCP/IP), and CEF or LEEF log files, and covers virtually all different systems, including Elasticsearch and Kerberos deployments. All events are sent from the Application Server.
In this way, Ekran System can be used as a data source provider to track different events, such as alerts triggered, monitored session data, and events occurring in the Management Tool (such as for someone created a new user).
By integration with a SIEM system, many potential security breaches can be caught (e.g. if a user logged in to four different servers at the same time, it could be a potentially compromised account).
NOTE: This feature is only available with an activated serial key for the Enterprise Edition of Ekran System.
This advanced SIEM Integration functionality provides the capability to create a separate log file on the Ekran System Application Server machine and forward the log file to a SIEM system, as well as to define the format of the log file and the data to be written to it. It is also possible to send the data over the network without log file creation.
The log file can be created or forwarded to a SIEM system in one of the following formats:
• Common Event Format (CEF)
• Log Event Extended Format (LEEF)
Both these formats can be viewed and analyzed by Splunk, ArcSight or IBM QRadar monitoring software.
NOTE: The log records that are forwarded are not encrypted unless the TLS encryption option is used (see below).
Depending on the log format settings specified, different types of monitoring data can be written to the log file or can be forwarded to the SIEM system.
CEF Header Information | LEEF Header Information | Log Data |
Client Events | ||
Device Event Class ID = 100 Name = EkranClientEvent Cat = ClientEvents | EventID = 100 Cat = ClientEvents | Windows Client events: user name (along with the secondary user name), Client name, activity time, activity title, application name, URL, keystrokes, alert/USB rule, Session Player URL, OS, domain name, IPv4, IPv6, remote IP. Linux Client events: user name, Client name, activity time, command, function, parameters, alert, Session Player URL, OS, IPv4, IPv6. |
Alert Events | ||
Device Event Class ID = 200 Name = EkranAlertEvent Cat = AlertEvents | EventID = 200 Cat = AlertEvents | Windows Client alert events: alert ID, alert name, alert description, user name (along with the secondary user name), Client name, activity time, activity title, application name, URL, keystrokes, Session Player URL, OS, domain name, IPv4, IPv6, remote IP. Linux Client alert events: alert ID, alert name, alert description, user name, Client name, activity time, command, function, parameters, Session Player URL, OS, IPv4, IPv6. |
Audit Log Events | ||
Device Event Class ID = 300 Name = EkranMTLogEvent Cat = MTLogEvents | EventID = 300 Cat = MTLogEvents | Audit log entry ID, time, Ekran System user name, user groups, category, action, object, details. |
To define the log settings, click the Configuration (.png?inst-v=10e00af3-f04e-48af-a05b-759d3f29ea0d)
The log settings can be edited by users with the administrative Database Management permission.
The following settings can be defined in the corresponding sections:
1. NOT AVAILABLE IN SAAS Log File Settings
In this section, you can enable log file creation and define the parameters for the cleanup operation (the log file will be created on the Ekran System Application Server computer, and by default have the name EventLog and be stored in the Application Server installation folder):
• Create a log file: You can select this checkbox to enable log file creation.
NOTE: When using High Availability mode, the "Create a log file" option is disabled, in which case you can instead send the logs directly to the SIEM system.
• Log file location: In this field, you can define the location where the log files will be stored.
• Cleanup daily at: This option allows you to define the time to execute the cleanup operation on a daily basis.
• Cleanup every: This option allows you to define the frequency of the cleanup operation.
• Maximum file size (GB): This option allows you to define the maximum size of the log file.
NOTE: During any Cleanup operation, the current log file is renamed (the date and time of the cleanup operation is added to its name) and a new one is created in the same folder. So as not to run out of space on the Application Server computer where the log files are stored, it is recommended to regularly check the disk space used and delete log files which are no longer required.
NOTE: The options in the Log File Settings section are not available in High Availability mode.
2. Log Forwarding Settings
In this section, you can enable the forwarding of log records and define the SIEM system the log records will be sent to:
• Send log to SIEM system: You can select this checkbox to enable log file forwarding.
• Network IP address: This option allows you to enter the IP address of the SIEM system.
• Port: This option allows you to enter the port number of the SIEM system.
• Test Connection: This button allows you to send a test log record to the defined SIEM system to check if all connection settings are correctly defined.
• Use TLS: This checkbox allows you to use an encrypted TLS connection to forward the log records to the SIEM system securely, by uploading a server certificate for validation of the TLS connection. Please refer to the article on how to create a self-signed SSL certificate.
3. Log Format Settings
In this section, you can define the format of the log file to be saved on the Ekran System Server computer and forwarded to the SIEM system.
• Log format: This option allows you to select the log file format (CEF or LEEF).
• Date format: This option allows you to define the date format for the log file.
4. Log File Contents
In this section, you can define the data to be written to the log file and forwarded to the SIEM system:
• Windows and Linux Client records: Select this checkbox to allow the adding of all session records of Windows and Linux Clients to the log file.
• Alert events: Select this checkbox to allow the adding of all alert events of Windows and Linux Clients to the log file.
• Audit log events: Select this checkbox to allow the adding of all Audit log records to the log file.