This cool solution explains how Sentinel can be configured to forward events from Sentinel or the Access Manager Analytics Server to third-party Syslog servers such as Splunk and ArcSight.
By default, Splunk runs Syslog on UDP 514 and TCP 1514. These ports may be different in your Splunk environment.
By default, the ArcSight ESM or Logger Syslog receiver listens on UDP port 514 or 8514, and on TCP port 515 or 8515, depending on the configuration.
It is advisable to get the details from the respective admins and make sure network connectivity has been established between the Sentinel, Splunk, and ArcSight servers. Keep in mind that plain Syslog over UDP or TCP carries the event data in cleartext, and that UDP gives no delivery feedback, so a dropped datagram is silent.
Let's take a use case in which Sentinel needs to forward all events of severity 4 and 5 to Splunk, which is running on 172.17.5.200 on UDP port 514, and all events of severity 0 to 5 to ArcSight, which is running on 172.17.5.100 on TCP port 515.
Configure Integrators for SPLUNK and ArcSight
Open Sentinel Control Center -> Configuration -> Configuration Menu -> Integrator Manager.
Click the green icon at the bottom and configure it as follows:
Select Integrator: Syslog
Name: SPLUNK
Service Category: SIEM – Security Event Management
Click Next.
Host: 172.17.5.200 (IP Address of Splunk server)
Port: 514
Protocol: UDP
Send complete event data: Enable
Click Next.
Click Next in the Integrator Properties window.
Click on “Test Configuration”.
Click OK, then Finish.
A new Integrator named SPLUNK will be available in Integration Manager.
Use similar steps to create an Integrator for ArcSight as well.
Host: 172.17.5.100 (IP Address of ArcSight / Logger server)
Port: 515
Protocol: TCP
Send complete event data: Enable
Close the Integrator Manager.
Now both Integrators are ready. Next, create the Actions.
From Sentinel Control Center -> Configuration menu -> Action Manager.
Click Add.
Action Name: Log to SPLUNK
Action: Event Forwarder
Integrator: SPLUNK (select from dropdown)
Click Save.
Now create an Action for ArcSight as well.
Action Name: Log to ArcSight
Action: Event Forwarder
Integrator: ArcSight (select from dropdown)
Click Save.
Both Actions are added.
Close Action Manager and Sentinel Control Center.
Let’s create Routing Rules.
Open Sentinel Web Console -> Routing -> Event Routing Rules -> Create.
Name: Forward Events to SPLUNK
Criteria: (sev:[4 TO 5])
Route to the following services: All
Perform the following action: “Log to SPLUNK”.
Click Save.
Now create a Rule for ArcSight as well.
Name: Forward Events to ArcSight
Criteria: (sev:[0 TO 5])
Route to the following services: All
Perform the following action: “Log to ArcSight”.
Click Save.
Make sure both rules are enabled.
Sentinel will now forward every matching event to SPLUNK and ArcSight; note that severity 4 and 5 events match both rules and are therefore delivered to both receivers.
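Before enabling the rules, it helps to confirm that each receiver is reachable on the protocol and port it expects, as recommended above. The following Python script is an added example, not code from this article or from NetIQ: it mirrors the two routing criteria so you can see which integrators a given severity hits, and sends one labelled RFC 3164-style test line to each endpoint. The IP addresses and ports are the constructed lab values from this use case; the hostname, tag and message text are assumptions, and the line format says nothing about Sentinel's own event layout.

```python
import socket
from datetime import datetime

# Constructed lab endpoints from this article's use case (hypothetical addresses).
TARGETS = {
    "SPLUNK": ("172.17.5.200", 514, "udp"),
    "ArcSight": ("172.17.5.100", 515, "tcp"),
}

# Mirror of the two Event Routing Rules: sev:[4 TO 5] -> SPLUNK, sev:[0 TO 5] -> ArcSight.
# Sentinel's range criteria are inclusive on both ends.
RULES = [("SPLUNK", 4, 5), ("ArcSight", 0, 5)]


def route(sev):
    """Return the integrators whose routing criteria match a Sentinel severity."""
    return [name for name, lo, hi in RULES if lo <= sev <= hi]


def syslog_message(severity, hostname, tag, text, facility=1, when=None):
    """Build a 3164-style line: <PRI>TIMESTAMP HOST TAG: TEXT, with PRI = facility*8 + severity."""
    when = when or datetime.now()
    pri = facility * 8 + severity
    return f"<{pri}>{when.strftime('%b %d %H:%M:%S')} {hostname} {tag}: {text}"


def send_test(host, port, proto, line, timeout=3.0):
    """Deliver one line: UDP sends a single datagram, TCP sends a newline-terminated record."""
    data = (line + "\n").encode()
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(data, (host, port))
    else:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(data)
    return len(data)


if __name__ == "__main__":
    # Pre-flight: one test line per receiver; a TCP refusal or timeout shows up as an error here,
    # while a UDP send "succeeds" even if nothing is listening, so check the receiver side too.
    for name, (host, port, proto) in TARGETS.items():
        line = syslog_message(4, "sentinel-test", "connectivity", f"test line for {name}")
        try:
            sent = send_test(host, port, proto, line)
            print(f"{name}: sent {sent} bytes to {host}:{port}/{proto}")
        except OSError as exc:
            print(f"{name}: FAILED to reach {host}:{port}/{proto}: {exc}")
```

Run it from the Sentinel server so the test traverses the same firewalls the forwarded events will, then look for the "connectivity" line in each SIEM's search interface.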
Ref:
Managing Integrators - https://www.netiq.com/documentation/sentinel-82/admin/data/bhk6ext.html
Managing Actions - https://www.netiq.com/documentation/sentinel-82/admin/data/bhk6evz.html
Creating Event Routing Rules - https://www.netiq.com/documentation/sentinel-82/admin/data/bgt2otl.html
Best Regards,
Vikas Johari
Technical Enablement Lead,
Solutions Development, Enablement, and Education Services