SIEM Integration allows your SafeConsole Server to communicate with your central log management software. This allows for easier notification of potential issues before they become a problem. SafeConsole 5.2.0+ supports GrayLog, Splunk and Common Socket (Syslog).
The SIEM server should allow network communication from your SafeConsole Server. Make sure that any firewalls are configured for the ports selected during setup.
Common Socket (Syslog): Exercise due diligence before enabling log delivery over this protocol, because by default Syslog does not encrypt the communication. Potentially sensitive information that can be sent includes IP addresses, file names, and more. For this reason, Syslog is only recommended for On-Premises installations of SafeConsole where the SIEM server and SafeConsole are both on a secure network. Before configuring Syslog on your SafeConsole server, verify that your SIEM server allows Syslog input and that you have the information you need to enter into SafeConsole. By default, Syslog uses UDP port 514.
These are the steps that need to be executed on the SafeConsole Server as an Admin:
- Go to Server Settings
- Enable SIEM
- Select Common Socket
- Select UDP or TCP
- Enter the domain or IP address of your SIEM Server
- Enter the port that your server is listening on
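To verify that the SIEM server accepts Syslog input on the chosen protocol and port before entering them in SafeConsole, a test line can be sent from a host on the same network. The script below is an added example, not part of SafeConsole or of the original article; the `siem-test` hostname, `siemcheck` tag and message text are constructed values, and the line uses generic RFC 3164 formatting, not SafeConsole's own log format.

```python
import socket
from datetime import datetime

def build_syslog_message(text, hostname="siem-test", facility=16, severity=6, now=None):
    """Build an RFC 3164 style line: <PRI>Mmm dd hh:mm:ss HOST TAG: text."""
    now = now or datetime.now()
    pri = facility * 8 + severity  # local0 (16) + info (6) -> 134
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"  # day is space-padded
    return f"<{pri}>{stamp} {hostname} siemcheck: {text}"

def send_test(host, port=514, protocol="udp", text="SIEM connectivity test", timeout=3.0):
    """Send one test line to the SIEM input; return (ok, detail)."""
    payload = build_syslog_message(text).encode("utf-8")
    try:
        if protocol == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.sendto(payload, (host, port))
            # UDP is connectionless: a firewalled datagram looks identical here,
            # so arrival has to be confirmed by searching for it on the SIEM.
            return True, "datagram sent; confirm arrival on the SIEM"
        if protocol == "tcp":
            with socket.create_connection((host, port), timeout=timeout) as s:
                # Newline-terminated framing is assumed for the SIEM's TCP input.
                s.sendall(payload + b"\n")
            return True, "TCP connection accepted and message written"
        return False, f"unknown protocol {protocol!r}"
    except OSError as exc:
        return False, f"{protocol} send failed: {exc}"

if __name__ == "__main__":
    # Offline demo: a loopback UDP listener stands in for the SIEM input (constructed).
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(2)
        port = listener.getsockname()[1]
        print(send_test("127.0.0.1", port, "udp"))
        print(listener.recvfrom(4096)[0].decode())
```

A TCP result of `False` points to a closed port or a blocking firewall, while a UDP result of `True` only means the datagram left the host.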
An example of the Splunk log output is attached at the end of this KB article.