Create a Remote Log Source - SecureSphere

Use this document to configure an Imperva SecureSphere device as a remote log source by forwarding its syslog (LEEF) events to your Log Relay.

Pre-Deployment Considerations


Before you begin, review the following requirements:

Log Relay

For remote log collection, you must have a Log Relay server on your account.

Assumptions

  • The SecureSphere device is running version v9.5 to v13, which forward syslog in LEEF format

  • Your device is already configured and running the policies that are needed

  • You already have a log relay box set up and configured correctly

  • The security policies for any AWS security groups or firewalls allow traffic from the SecureSphere device on port 10154 to reach the log relay



Update your Imperva SecureSphere Device


  1. Log into your Imperva SecureSphere management console.

  2. Navigate to Policies -> Action Sets

  3. Click the Create New button to define a new action set

    1. In the Action Name field, type a name for your alert action (ex: Log Firewall Alerts to Armor)

    2. Select the appropriate event type from the Apply to Event Type dropdown menu - Options include Security Violations - All, Security Violations - Web Application Level, Security Violations - File Application Level, and System Events.

    3. Click Create.

  4. Configure the forwarding action

    1. Click into your newly created action set

    2. Under Available Action Interfaces, use the upward-pointing green arrow next to Server System Log > Log to System Log (syslog) to add the action interface to the Selected Interfaces section

    3. Expand the Action Interface just added to Selected Actions. In the Syslog Host field, enter the IP address of your Log Relay server and specify port 10154 using standard IP:PORT format (ex. 1.1.1.1:10154)

    4. In the Syslog log level list, select INFO

    5. In the Message field, paste the following message template for the event type you are forwarding, replacing the devTimeFormat value where listed with the date and time format your SecureSphere is configured to use:

    6. In the Facility field, type syslog

    7. Select the Run on Every Event check box

    8. Click Save

  5. Associate your policies to the new alert action:

    1. From the navigation menu, click Policies -> Security

    2. Select the policy that you want to use for the alert action

    3. Click the Policy tab.

    4. From the Followed Action list, select your new action (ex: Send Firewall Logs to Armor) and configure the parameters.

    5. Ensure that your policy is configured as enabled and is applied to the appropriate server groups.

    6. Click Save.

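Once the action set is saved, the relay should start receiving syslog lines carrying LEEF events with the facility, level and devTimeFormat chosen above. The following Python script is an added example (not part of the original page or of the Imperva or Armor products) showing how a defender can sanity-check one such line on the relay side: it decodes the syslog PRI to confirm facility "syslog" and level INFO, splits the LEEF header, and verifies that devTime actually parses with the pattern declared in devTimeFormat. The sample line is constructed; the event ID, attribute values and the message layout are illustrative and are not SecureSphere's real message template.

```python
"""Relay-side sanity check for a syslog line carrying a LEEF event.

Constructed example: vendor/product names come from the page, but the
event ID, attributes and message layout below are made up for illustration
and are not the SecureSphere message template.
"""
import re
from datetime import datetime

# RFC 3164 facility and severity tables (PRI = facility * 8 + severity).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
              10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# LEEF devTimeFormat uses Java SimpleDateFormat syntax; this maps a common
# subset of its tokens onto strptime directives (longest token first).
_JAVA_TOKENS = {"yyyy": "%Y", "yy": "%y", "MMM": "%b", "MM": "%m",
                "dd": "%d", "HH": "%H", "mm": "%M", "ss": "%S"}
_JAVA_TOKEN_RE = re.compile("|".join(sorted(_JAVA_TOKENS, key=len, reverse=True)))


def java_pattern_to_strptime(pattern: str) -> str:
    """Translate e.g. 'MMM dd yyyy HH:mm:ss' into '%b %d %Y %H:%M:%S'."""
    return _JAVA_TOKEN_RE.sub(lambda m: _JAVA_TOKENS[m.group(0)], pattern)


def parse_pri(line: str):
    """Decode the leading <PRI> into (facility name, severity name)."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m:
        raise ValueError("missing syslog PRI")
    pri = int(m.group(1))
    return FACILITIES.get(pri // 8, f"facility{pri // 8}"), SEVERITIES[pri % 8]


def _leef_delimiter(field: str) -> str:
    """LEEF 2.0 header field 6: empty (tab), a literal char, or hex like x09 / 0x09."""
    if field == "":
        return "\t"
    if re.fullmatch(r"0?x[0-9a-fA-F]{1,2}", field):
        return chr(int(field.split("x", 1)[1], 16))
    return field


def parse_leef(line: str) -> dict:
    """Split the LEEF 1.0/2.0 header and the key=value attribute body."""
    m = re.search(r"LEEF:(\d\.\d)\|", line)
    if not m:
        raise ValueError("no LEEF header")
    version = m.group(1)
    rest = line[m.end():]
    if version == "2.0":
        vendor, product, prod_ver, event_id, delim, body = rest.split("|", 5)
        delim = _leef_delimiter(delim)
    else:
        vendor, product, prod_ver, event_id, body = rest.split("|", 4)
        delim = "\t"
    attrs = {}
    for pair in body.split(delim):
        if "=" in pair:
            key, value = pair.split("=", 1)
            attrs[key.strip()] = value.strip()
    return {"version": version, "vendor": vendor, "product": product,
            "product_version": prod_ver, "event_id": event_id, "attrs": attrs}


def dev_time(attrs: dict) -> datetime:
    """Parse devTime using the pattern the device declared in devTimeFormat."""
    fmt = java_pattern_to_strptime(attrs["devTimeFormat"])
    return datetime.strptime(attrs["devTime"], fmt)


def check_event(line: str) -> dict:
    """Return decoded fields plus a list of problems (empty when the line is as expected)."""
    facility, severity = parse_pri(line)
    event = parse_leef(line)
    problems = []
    if facility != "syslog" or severity != "info":  # page: facility syslog, level INFO
        problems.append(f"unexpected PRI: {facility}.{severity}")
    if event["vendor"] != "Imperva" or event["product"] != "SecureSphere":
        problems.append("not a SecureSphere event")
    try:
        ts = dev_time(event["attrs"])
    except (KeyError, ValueError) as exc:
        ts = None
        problems.append(f"devTime does not match devTimeFormat: {exc}")
    return {"facility": facility, "severity": severity, "event": event,
            "dev_time": ts, "problems": problems}


# Constructed sample: PRI 46 = facility syslog (5) * 8 + severity info (6).
SAMPLE_LINE = (
    "<46>Jan 05 10:15:32 securesphere-gw LEEF:1.0|Imperva|SecureSphere|13.0|Firewall Alert|"
    "devTime=Jan 05 2024 10:15:32\tdevTimeFormat=MMM dd yyyy HH:mm:ss\t"
    "src=10.0.0.5\tdst=10.0.0.10\tproto=TCP\tdstPort=443\tpolicy=Example Policy"
)
# Same event with a devTime that does not follow the declared devTimeFormat.
BAD_TIME_LINE = SAMPLE_LINE.replace("devTime=Jan 05 2024 10:15:32",
                                    "devTime=2024-01-05 10:15:32")

if __name__ == "__main__":
    for sample in (SAMPLE_LINE, BAD_TIME_LINE):
        result = check_event(sample)
        print(result["event"]["event_id"], result["dev_time"], result["problems"])
```

Run it against a line captured on the relay (for example by tailing the relay's syslog input) to confirm the facility, level and time format match what was configured; a non-empty `problems` list usually means the devTimeFormat placeholder in the message template was left at a value the device does not actually use.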

Verify Connection in AMP


  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Log & Data Management, and then select Search.

  3. In the Source column, review the source name to locate the newly created SecureSphere remote log source.

    1. Alternatively, enter "securesphere" in the search field to filter the results to SecureSphere messages.