Configuring publication of application events to a SIEM system
16 April 2024
ID 218660
You can configure the publication of events in CEF format to an external SIEM system, and saving the events locally in log files on the server. If you do not need to save events locally, skip steps 5, 7, 8 of the instructions in this section.
Follow the steps below on each cluster node whose events you want to publish to a SIEM system. Only enable the export of events in CEF format after configuring event publishing.
To configure the publication of application events to a SIEM system:
- Start an operating system command shell on the cluster node to run commands with superuser (system administrator) permissions.
- Events are sent to an external SIEM system using the rsyslog system logging service. Make sure the service is installed and running using the command:
systemctl status rsyslog
The status of the service must be running.
If the rsyslog service is not running or is not installed, install and enable the rsyslog service in accordance with the instructions from the documentation for your operating system.
- Create the /etc/rsyslog.d/ksmg-cef-messages.conf file and add the following lines to it:
$ActionQueueFileName ForwardToSIEM
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
- If you want to send events to a SIEM system over UDP, add the following line:
<category (facility) for the CEF format>.* @<IP address of the SIEM system>:<port used by the SIEM system to receive messages from Syslog over UDP>
If you want to send events over TCP, add the following line:
<category (facility) for the CEF format>.* @@<IP address of the SIEM system>:<port used by the SIEM system to receive messages from Syslog over TCP>
- If you want to save copies of events locally, add the following line to the same file:
<facility for the CEF format>.* -/var/log/ksmg-cef-messages
- Add the following line to the end of the file:
<facility for the CEF format>.* stop
Example configuration file for exporting over UDP without saving to the local log:
$ActionQueueFileName ForwardToSIEM2
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
local2.* @10.16.32.64:514
local2.* stop
Example configuration file for exporting over TCP with saving to the local log:
$ActionQueueFileName ForwardToSIEM2
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
local2.* @@10.16.32.64:514
local2.* -/var/log/ksmg-cef-messages
local2.* stop
- If you configured copies of events to be saved locally, create the /var/log/ksmg-cef-messages log file and configure its access permissions. To do so, execute the commands:
touch /var/log/ksmg-cef-messages
chown root:klusers /var/log/ksmg-cef-messages
chmod 640 /var/log/ksmg-cef-messages
- If you configured copies of events to be saved locally, configure the rules for rotation of log files with exported events. To do so, create the /etc/logrotate.d/ksmg-cef-messages file and add the following lines to it:
/var/log/ksmg-cef-messages
{
size 500M
rotate 10
compress
missingok
notifempty
sharedscripts
postrotate
/usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
endscript
}
- Restart the rsyslog service. To do so, run the following command:
systemctl restart rsyslog
- Check the status of the rsyslog service:
systemctl status rsyslog
The status must be running.
- Send a test message to the SIEM system using the following command:
logger -p <category (facility) for the CEF format>.info Test message
Publication of application events to the SIEM system is configured.