This article gives you step-by-step instructions on how to link your SIEM server solution to SafeConsole.
Benefits and Features:
This feature allows you to set up alerts for many different events that take place on your SafeConsole server. You can track events and get a notification via email every time a device is connected, a user logs in, a password is changed, a device resets, and much more.
Terms to Note:
GUI: Graphical User Interface
SIEM: Security Information and Event Management
GELF: Graylog Extended Log Format
UDP: User Datagram Protocol
NODE: A JavaScript runtime
**Please note that it is recommended to turn off debug mode on your SafeConsole server when adding the SIEM feature. This can be done through the SafeConsole configuration tool.**
(Configuration tool example image for the recommendation note above)
1. You will first need to set up and deploy your SIEM solution server.
Graylog complete setup guide
http://docs.graylog.org/en/2.2/
2. After your Graylog SIEM server is set up and deployed, you will need to set up the new Input.
a. Log into your Graylog server through the web GUI
b. Select "SYSTEM" in the navigation menu
c. Select "INPUTS" in the drop down menu
d. Change the input type to "GELF UDP"
e. Select "Launch New Input"
(Example Image for Step 2)
3. Fill out the "Launch New Input: GELF UDP" form
a. Node(s) to spawn input on: select the node you want to spawn this input on, or select "Global input", which starts the input on all nodes
b. Give your new input a title
c. Enter a bind address if you choose to; otherwise leave the default 0.0.0.0
d. Enter the port number to listen on. The default is 12201
e. *Optional* Set the receive buffer size: the size in bytes of the recvBufferSize for network connections to this input. The default is 262144.
f. *Optional* Set the Override Source. By default the source is a hostname derived from the received packet; set this if you want to override it with a custom string. The default is blank.
(Example Image for Step 3)
4. Log in as an administrator to your SafeConsole server via the web interface.
a. Once you are logged in, select "Server Settings" in the menu on the left-hand side
b. Scroll down to the third box, "External Event Logging Settings (SIEM Integration)"
c. Check the "Enable SIEM" box
d. Enter your SIEM server's hostname or IP address and the port number you set in step 3.d.
e. Click the [SAVE] button
e. Click the [SAVE] button
(Example Image for Step 4)
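To check that the GELF UDP input from steps 2 and 3 is reachable before you point SafeConsole at it in step 4, the following script builds a GELF 1.1 event, sends it over UDP and decodes what arrives at the receiving side. This is an added example, not part of the original article and not code from Graylog or SafeConsole. The loopback address, the field names (_event, _user, _serial) and the sample event values are constructed for illustration; the port 12201 is the default from step 3.d.

```python
import gzip
import json
import socket
import time
import zlib

# Constructed example values: loopback stands in for the Graylog node's bind
# address (step 3.c) and 12201 is the default GELF UDP port (step 3.d).
GRAYLOG_HOST = "127.0.0.1"
GRAYLOG_PORT = 12201

# Leading bytes that tell a GELF UDP receiver how to treat a datagram.
GELF_CHUNK_MAGIC = b"\x1e\x0f"   # chunked message (large payloads split across datagrams)
GZIP_MAGIC = b"\x1f\x8b"         # gzip-compressed JSON
ZLIB_MAGIC = b"\x78"             # zlib-compressed JSON


def build_gelf(host, short_message, level=6, **extra):
    """Build a GELF 1.1 message dict.

    Required fields are version, host and short_message. Custom fields are
    prefixed with '_' (added here if missing); '_id' is reserved by GELF.
    """
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": time.time(),   # seconds since the epoch, fractional part allowed
        "level": level,             # syslog severity, 6 = informational
    }
    for key, value in extra.items():
        field = key if key.startswith("_") else "_" + key
        if field == "_id":
            raise ValueError("'_id' is reserved by GELF and is dropped by Graylog")
        msg[field] = value
    return msg


def encode_gelf(msg, compress=True):
    """Serialise a message to the bytes a GELF UDP input accepts (gzip or raw JSON)."""
    raw = json.dumps(msg).encode("utf-8")
    return gzip.compress(raw) if compress else raw


def decode_gelf(datagram):
    """Decode one GELF UDP datagram (raw, gzip or zlib). Chunked datagrams are rejected."""
    if datagram.startswith(GELF_CHUNK_MAGIC):
        raise ValueError("chunked GELF datagram; reassembly is out of scope for this example")
    if datagram.startswith(GZIP_MAGIC):
        payload = gzip.decompress(datagram)
    elif datagram.startswith(ZLIB_MAGIC):
        payload = zlib.decompress(datagram)
    else:
        payload = datagram
    msg = json.loads(payload.decode("utf-8"))
    for required in ("version", "host", "short_message"):
        if required not in msg:
            raise ValueError(f"GELF message is missing required field {required!r}")
    return msg


def send_gelf(msg, host=GRAYLOG_HOST, port=GRAYLOG_PORT):
    """Send one message to a GELF UDP input; UDP gives no delivery confirmation."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(encode_gelf(msg), (host, port))


def loopback_round_trip(msg):
    """Bind a throwaway UDP listener on loopback, send msg to it and decode the result.

    This mimics what the 'GELF UDP' input receives, without needing a Graylog node.
    An ephemeral port is used so the check never collides with a real input.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(2.0)
        _, port = listener.getsockname()
        send_gelf(msg, "127.0.0.1", port)
        datagram, _ = listener.recvfrom(65535)
    return decode_gelf(datagram)


if __name__ == "__main__":
    # Constructed sample event shaped like a device-connection notification.
    event = build_gelf("safeconsole-01", "Device connected", level=6,
                       event="device_connected", user="example-user", serial="EXAMPLE-SERIAL")
    print(json.dumps(loopback_round_trip(event), indent=2))
```

To exercise the real input, call send_gelf(event) with the hostname or IP address and port you entered in step 3 and confirm the message shows up on that input in the Graylog web interface. GELF over UDP carries no transport authentication or encryption, so the bind address from step 3.c and your network access controls are what limit which hosts can deliver events to the input.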