Configuring publication of application events to a SIEM system

16 April 2024

ID 218660

You can configure publication of events in CEF format to an external SIEM system and, optionally, saving of the same events locally in a log file on the server. If you do not need local copies, skip steps 5, 7 and 8 of the instructions in this section.

Follow the steps below on each cluster node whose events you want to publish to a SIEM system. Only enable the export of events in CEF format after configuring event publishing.

To configure the publication of application events to a SIEM system:

  1. Start an operating system command shell on the cluster node to run commands with superuser (system administrator) permissions.
  2. Events are sent to an external SIEM system using the rsyslog system logging service. Make sure the service is installed and running using the command:

    systemctl status rsyslog

    The service must be shown as active (running).

    If the rsyslog service is not running or is not installed, install and enable the rsyslog service in accordance with the instructions from the documentation for your operating system.

  3. Create the /etc/rsyslog.d/ksmg-cef-messages.conf file and add the following lines to it:

    $ActionQueueFileName ForwardToSIEM
    $ActionQueueMaxDiskSpace 1g
    $ActionQueueSaveOnShutdown on
    $ActionQueueType LinkedList
    $ActionResumeRetryCount -1

    These directives give the forwarding action (the next action line in the file) a disk-assisted queue of up to 1 GB that is saved on shutdown and retried indefinitely, so events are buffered rather than dropped while the SIEM system is unreachable.

  4. If you want to send events to a SIEM system over UDP, add the following line (a single @ means UDP):

    <category (facility) for the CEF format>.* @<IP address of the SIEM system>:<port used by the SIEM system to receive messages from Syslog over UDP>

    If you want to send events over TCP, add the following line instead (a double @@ means TCP):

    <category (facility) for the CEF format>.* @@<IP address of the SIEM system>:<port used by the SIEM system to receive messages from Syslog over TCP>

    Note that neither transport encrypts the events in transit, so the path to the SIEM system should be a trusted network. UDP also gives no delivery feedback: the queue configured in step 3 can only retry a transport that reports failures, so with UDP, events sent while the SIEM system is unreachable are lost.

  5. If you want to save copies of events locally, add the following line to the same file (the leading hyphen tells rsyslog not to sync the file after every write):

    <facility for the CEF format>.* -/var/log/ksmg-cef-messages

  6. Add the following line to the end of the file. It stops further processing of these messages, so they are not also written to the general system log by the rules in /etc/rsyslog.conf:

    <facility for the CEF format>.* stop

    Example configuration file for exporting over UDP without saving to the local log:

    $ActionQueueFileName ForwardToSIEM2
    $ActionQueueMaxDiskSpace 1g
    $ActionQueueSaveOnShutdown on
    $ActionQueueType LinkedList
    $ActionResumeRetryCount -1
    local2.* @10.16.32.64:514
    local2.* stop

    Example configuration file for exporting over TCP with saving to the local log:

    $ActionQueueFileName ForwardToSIEM2
    $ActionQueueMaxDiskSpace 1g
    $ActionQueueSaveOnShutdown on
    $ActionQueueType LinkedList
    $ActionResumeRetryCount -1
    local2.* @@10.16.32.64:514
    local2.* -/var/log/ksmg-cef-messages
    local2.* stop

  7. If you configured copies of events to be saved locally, create the /var/log/ksmg-cef-messages log file and configure its access permissions. To do so, execute the commands:

    touch /var/log/ksmg-cef-messages

    chown root:klusers /var/log/ksmg-cef-messages

    chmod 640 /var/log/ksmg-cef-messages

  8. If you configured copies of events to be saved locally, configure the rules for rotation of log files with exported events. To do so, create the /etc/logrotate.d/ksmg-cef-messages file and add the following lines to it:

    /var/log/ksmg-cef-messages
    {
      size 500M
      rotate 10
      compress
      missingok
      notifempty
      sharedscripts
      postrotate
        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
      endscript
    }

  9. Restart the rsyslog service. To do so, run the following command:

    systemctl restart rsyslog

  10. Check the status of the rsyslog service:

    systemctl status rsyslog

    The service must be shown as active (running).

  11. Send a test message to the SIEM system using the following command, then confirm that it arrived in the SIEM system (and, if you enabled local copies, that it was appended to /var/log/ksmg-cef-messages):

    logger -p <category (facility) for the CEF format>.info Test message

Publication of application events to the SIEM system is configured.
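The following script is an added example and is not part of the KSMG documentation or product. It puts steps 3 to 11 above into shell functions: it validates the facility, port and transport, prints the rsyslog fragment (single @ for UDP, double @@ for TCP, optional local copy, trailing stop) and the logrotate fragment, stages both under a ROOT prefix, and computes the PRI value that a SIEM will see for the logger test message. Assumptions: ROOT is / on a real cluster node and a scratch directory for a dry run; the klusers group exists only on a KSMG node, so the chown is skipped where it is absent; rsyslog is restarted and the test message sent only when ROOT is /.

```shell
#!/bin/sh
# Added example, not KSMG's own tooling: stage the rsyslog and logrotate
# fragments from the procedure above under a ROOT prefix (/ on a real node,
# a scratch directory for a dry run), validating the inputs first.
# Assumptions: klusers exists only on a KSMG node; rsyslog is restarted and
# the logger test sent only when ROOT is /.

# Numeric syslog facility for a facility name (RFC 5424 table); status 1 if unknown.
facility_code() {
    case "$1" in
        kern) echo 0 ;;   user) echo 1 ;;   mail) echo 2 ;;      daemon) echo 3 ;;
        auth) echo 4 ;;   syslog) echo 5 ;; lpr) echo 6 ;;       news) echo 7 ;;
        uucp) echo 8 ;;   cron) echo 9 ;;   authpriv) echo 10 ;; ftp) echo 11 ;;
        local[0-7]) echo $((16 + ${1#local})) ;;
        *) return 1 ;;
    esac
}

# Numeric syslog severity for a severity name; status 1 if unknown.
severity_code() {
    case "$1" in
        emerg) echo 0 ;;   alert) echo 1 ;;  crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) return 1 ;;
    esac
}

# PRI value the SIEM sees as "<PRI>" at the start of each message: facility*8+severity.
# "logger -p local2.info" therefore arrives as <150>.
syslog_pri() {
    f=$(facility_code "$1") || return 1
    s=$(severity_code "$2") || return 1
    echo $((f * 8 + s))
}

# Print the /etc/rsyslog.d fragment.
# Arguments: facility, SIEM address, port, udp|tcp, yes|no (keep a local copy).
ksmg_cef_rsyslog_conf() {
    facility_code "$1" >/dev/null || { echo "unknown facility: $1" >&2; return 1; }
    case "$3" in
        ''|*[!0-9]*) echo "port must be numeric: $3" >&2; return 1 ;;
    esac
    [ "$3" -ge 1 ] && [ "$3" -le 65535 ] || { echo "port out of range: $3" >&2; return 1; }
    case "$4" in
        udp) target="@$2:$3" ;;    # one @: UDP
        tcp) target="@@$2:$3" ;;   # two @: TCP
        *) echo "transport must be udp or tcp: $4" >&2; return 1 ;;
    esac
    # Legacy $Action* directives apply to the next action line only, i.e. the forward.
    printf '%s\n' \
        '$ActionQueueFileName ForwardToSIEM' \
        '$ActionQueueMaxDiskSpace 1g' \
        '$ActionQueueSaveOnShutdown on' \
        '$ActionQueueType LinkedList' \
        '$ActionResumeRetryCount -1' \
        "$1.* $target"
    [ "$5" = yes ] && printf '%s\n' "$1.* -/var/log/ksmg-cef-messages"
    printf '%s\n' "$1.* stop"
}

# Print the /etc/logrotate.d fragment for the local copy.
ksmg_cef_logrotate_conf() {
    cat <<'EOF'
/var/log/ksmg-cef-messages
{
  size 500M
  rotate 10
  compress
  missingok
  notifempty
  sharedscripts
  postrotate
    /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
  endscript
}
EOF
}

# Stage everything under ROOT. Arguments: ROOT facility host port udp|tcp yes|no
install_ksmg_cef_export() {
    root=$1 facility=$2 host=$3 port=$4 transport=$5 local_copy=$6
    conf=$(ksmg_cef_rsyslog_conf "$facility" "$host" "$port" "$transport" "$local_copy") || return 1
    mkdir -p "$root/etc/rsyslog.d" "$root/etc/logrotate.d" "$root/var/log"
    printf '%s\n' "$conf" > "$root/etc/rsyslog.d/ksmg-cef-messages.conf"
    if [ "$local_copy" = yes ]; then
        logfile="$root/var/log/ksmg-cef-messages"
        touch "$logfile"
        chmod 640 "$logfile"
        # klusers exists only on a KSMG node; the chown is skipped in a dry run.
        getent group klusers >/dev/null 2>&1 && chown root:klusers "$logfile"
        ksmg_cef_logrotate_conf > "$root/etc/logrotate.d/ksmg-cef-messages"
    fi
    if [ "$root" = / ]; then
        systemctl restart rsyslog && systemctl is-active --quiet rsyslog || return 1
        logger -p "$facility.info" "Test message"
        echo "sent test message with PRI <$(syslog_pri "$facility" info)>; check the SIEM system"
    fi
}

# Usage: sh ksmg-cef-export.sh ROOT FACILITY HOST PORT udp|tcp yes|no
if [ $# -eq 6 ]; then
    install_ksmg_cef_export "$@"
fi
```

Run it first with a scratch ROOT (for example `sh ksmg-cef-export.sh /tmp/stage local2 10.16.32.64 514 tcp yes`) and inspect the staged files, then with ROOT set to / as root on the cluster node. The PRI value it prints is what to search for on the SIEM side when the test message does not show up: a `<150>` prefix confirms the facility and severity that rsyslog actually sent.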
