SIEM integration lets your SafeConsole Server forward its events to your central log management (SIEM) software, so potential issues can be noticed and acted on before they become a problem. SafeConsole 5.2.0 and later supports Graylog, Splunk, and Common Socket (Syslog).
Your SIEM server must accept network connections from your SafeConsole Server. Make sure that any firewalls between the two allow the protocol and port you select during setup.
Please note: Admins of on-prem servers can change the log level in the SafeConsole Configurator if they also want device logs forwarded to their SIEM server.
Common Socket (Syslog):
Exercise due diligence before sending logs over this protocol: Syslog does not encrypt the connection by default, so everything forwarded, including IP addresses, file names, and other potentially sensitive details, crosses the network in clear text and can be read by anyone able to capture traffic on the path.
For this reason, Syslog is only recommended for on-premises installations of SafeConsole where the SIEM server and the SafeConsole Server are both on the same secured network.
Before configuring Syslog on your SafeConsole Server, verify that your SIEM server accepts Syslog input, and collect the details you will need to enter into SafeConsole: the transport (UDP or TCP), the hostname or IP address, and the listening port. By default, Syslog uses UDP port 514.
These are the steps to perform on the SafeConsole Server as an Admin:
- Go to Server Settings.
- Enable SIEM.
- Select Common Socket.
- Select UDP or TCP, matching what your SIEM listener expects.
- Enter the domain name or IP address of your SIEM server.
- Enter the port that your SIEM server is listening on.
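The check a practitioner would want before walking through these steps, as an added example that is not SafeConsole's or DataLocker's own code: a short Python script that formats a message in RFC 5424 syslog layout, sends it over UDP or TCP the way a Common Socket sender does, captures it on a throwaway loopback listener, parses it back the way a SIEM input would, and lists which values are readable verbatim in the raw bytes. Pointing send_syslog at the real SIEM host and port confirms the listener and the firewall path end to end. The message layout, the newline framing for TCP, the local0 facility and the sample event text are assumptions; SafeConsole's actual log format is not described on this page.

```python
"""Added example, not SafeConsole code: exercise a Syslog listener over UDP or
TCP and inspect what actually crosses the wire.

Assumptions: RFC 5424 message layout, RFC 6587 newline framing for TCP, and a
constructed sample event. SafeConsole's real message format is not documented
here, so nothing below reproduces it.
"""
import re
import socket
from datetime import datetime, timezone

FACILITY_LOCAL0 = 16   # assumed facility; commonly used for application logs
SEVERITY_INFO = 6


def build_syslog_message(msg, hostname="safeconsole", app="SafeConsole",
                         facility=FACILITY_LOCAL0, severity=SEVERITY_INFO, ts=None):
    """Format an RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG.
    PRI packs facility and severity into one number (facility*8 + severity)."""
    pri = facility * 8 + severity
    ts = ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {app} - - - {msg}"


_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*\]) ?(?P<msg>.*)$", re.S)


def parse_syslog_message(raw):
    """Parse an RFC 5424 line back into fields, as a SIEM syslog input does."""
    m = _RFC5424.match(raw)
    if not m:
        raise ValueError("not an RFC 5424 syslog message: %r" % raw)
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m["ts"],
            "hostname": m["host"], "app": m["app"], "msg": m["msg"]}


def send_syslog(message, host, port, proto="udp", timeout=2.0):
    """Send one message the way a Common Socket sender does.
    UDP: one datagram per message. TCP: newline-terminated (RFC 6587
    non-transparent framing). Neither transport encrypts anything."""
    data = message.encode("utf-8")
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
    elif proto == "tcp":
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(data + b"\n")
    else:
        raise ValueError("proto must be 'udp' or 'tcp'")


def send_and_capture(message, proto="udp", timeout=2.0):
    """Stand up a throwaway listener on loopback (ephemeral port, so it never
    collides with a real collector on 514), send the message to it with
    send_syslog, and return the raw bytes received. Same code path as the
    real check, minus the firewall."""
    sock_type = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, sock_type) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(timeout)
        port = srv.getsockname()[1]
        if proto == "udp":
            send_syslog(message, "127.0.0.1", port, "udp")
            raw, _ = srv.recvfrom(65535)
            return raw
        srv.listen(1)
        send_syslog(message, "127.0.0.1", port, "tcp", timeout)
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(timeout)
            buf = b""
            while not buf.endswith(b"\n"):   # read until the framing newline
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
        return buf.rstrip(b"\n")


def cleartext_hits(raw_bytes, sensitive_values):
    """Return which of the given strings appear verbatim in the bytes that
    crossed the wire, i.e. what a passive sniffer on the path would read."""
    return [v for v in sensitive_values if v.encode("utf-8") in raw_bytes]


if __name__ == "__main__":
    # Constructed sample event, not a real SafeConsole log line.
    event = "device-connected user=jdoe client_ip=10.0.5.23 file=Q3-payroll.xlsx"
    msg = build_syslog_message(event)
    for proto in ("udp", "tcp"):
        raw = send_and_capture(msg, proto)
        print(proto, parse_syslog_message(raw.decode("utf-8")))
        print("readable on the wire:",
              cleartext_hits(raw, ["10.0.5.23", "Q3-payroll.xlsx"]))
```

Running it shows the IP address and file name from the sample event sitting in the datagram or stream exactly as typed, which is the reason the page restricts Syslog to a secured on-premises network. To test a real listener, call send_syslog with the SIEM hostname and the port chosen during setup and watch for the message in the SIEM's input view.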
An example of the Splunk log output is attached at the end of this KB article.