Ekran System supports integration with other systems over syslog (TCP/IP) or through CEF or LEEF log files, and covers virtually all such systems, including Elasticsearch and Kerberos deployments. All events are sent from the Application Server.
In this way, Ekran System can serve as a data source for tracking events, although currently only alerts are tracked out of all the events occurring in the Management Tool (such as someone creating a new user), whereas all events from monitored endpoints are tracked.
By integrating with a SIEM system, many potential security breaches can be caught (e.g. if a user logs in to four different servers at the same time, the account may have been compromised).
NOTE: Advanced SIEM integration functionality is only available if you have an activated serial key for the Enterprise Edition of Ekran System.
Advanced SIEM integration makes it possible to create a separate log file on the Ekran System Application Server machine or to forward the log records to a SIEM system.
The log file can be created or forwarded to a SIEM system in one of the following formats:
• Common Event Format (CEF)
• Log Event Extended Format (LEEF)
Both formats can be viewed and analyzed by Splunk, ArcSight, or IBM QRadar.
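As an added illustration (not code from Ekran System or its documentation), the following parses records in the two formats named above and applies the "one user, four servers at once" check from the introduction. The sample lines, the event ID 100 and the extension keys suser, dhost and rt are constructed for this example and are not Ekran's actual field names.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records: CEF and LEEF 1.0 (tab-delimited extension).
# Event ID 100 and the keys rt/suser/dhost are assumed, not Ekran's real schema.
SAMPLE_LINES = [
    "CEF:0|Ekran System|Ekran System|7.0|100|User logged in|3|rt=2024-05-01T09:00:00 suser=jsmith dhost=srv-01",
    "CEF:0|Ekran System|Ekran System|7.0|100|User logged in|3|rt=2024-05-01T09:01:00 suser=jsmith dhost=srv-02",
    "LEEF:1.0|Ekran System|Ekran System|7.0|100|rt=2024-05-01T09:02:00\tsuser=jsmith\tdhost=srv-03",
    "LEEF:1.0|Ekran System|Ekran System|7.0|100|rt=2024-05-01T09:03:00\tsuser=jsmith\tdhost=srv-04",
    "CEF:0|Ekran System|Ekran System|7.0|100|User logged in|3|rt=2024-05-01T09:04:00 suser=aclark dhost=srv-01",
]

def parse_record(line: str) -> dict:
    """Parse one CEF or LEEF 1.0 record into header fields plus extension key=value pairs."""
    if line.startswith("CEF:"):
        parts = line.split("|", 7)  # 7 pipe-separated header fields, then the extension
        if len(parts) != 8:
            raise ValueError("malformed CEF header")
        rec = {"format": "CEF", "vendor": parts[1], "product": parts[2],
               "event_id": parts[4], "name": parts[5], "severity": parts[6]}
        # CEF extension: space-separated key=value, values may themselves contain spaces
        ext = dict(m.groups() for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7]))
    elif line.startswith("LEEF:"):
        parts = line.split("|", 5)  # 5 header fields, then the tab-delimited extension
        if len(parts) != 6:
            raise ValueError("malformed LEEF header")
        rec = {"format": "LEEF", "vendor": parts[1], "product": parts[2], "event_id": parts[4]}
        ext = dict(kv.split("=", 1) for kv in parts[5].split("\t") if "=" in kv)
    else:
        raise ValueError("unknown record format")
    rec.update(ext)
    return rec

def flag_multi_host_logins(records, threshold=4, window_minutes=5):
    """Return {user: hosts} for users who logged in to >= threshold distinct hosts within the window."""
    by_user = defaultdict(list)
    for r in records:
        if r.get("event_id") != "100":  # constructed ID for the login event
            continue
        by_user[r["suser"]].append((datetime.fromisoformat(r["rt"]), r["dhost"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window starting at each login
            hosts = {h for t, h in events[i:] if (t - t0).total_seconds() <= window_minutes * 60}
            if len(hosts) >= threshold:
                flagged[user] = sorted(hosts)
                break
    return flagged
```

Running `flag_multi_host_logins(parse_record(l) for l in SAMPLE_LINES)` flags jsmith (four hosts in four minutes) and not aclark.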
If the Create a log file checkbox is selected (on the Configuration page, on the SIEM Integration tab, in the Log File Settings section at the top), the log file is created on the Ekran System Application Server computer. By default, the log file is named EventLog and is stored in the Application Server installation folder.
If the Send log to SIEM system checkbox is selected (on the Configuration page, on the SIEM Integration tab, in the Log Forwarding Settings section), the log records are forwarded to the specified SIEM system.
NOTE: The forwarded log records are not encrypted.