In addition to the built-in reports available in OneView, you can send threat-related events to your SIEM solution for security insights, compliance, and visibility.
NOTICE - Syslog settings previously configured within a Nebula site have been migrated to the Syslog Logging page in OneView, where they'll now be managed. The Syslog Logging page is no longer displayed when launching a Nebula site.
Requirements
- Global Administrator, Site Administrator, or Customer Administrator access for OneView.
- A Windows endpoint promoted as the Syslog communication endpoint.
- Network access between your Syslog communication endpoints and SIEM or Syslog server. TCP over port 514 is used by default.
Events flow
The flow of events for syslog follows this order:
- Endpoints report threat detection events to OneView.
- The Syslog Communication Endpoint pulls events from OneView. This data is temporarily stored on the endpoint.
- The Syslog Communication Endpoint forwards events to the Syslog server in CEF format. The data is then removed from the communication device.
Configuration
Configure the syslog settings and promote a Windows endpoint to be the communication endpoint.
- Go to Configure > Syslog Logging.
- In the top-right corner, click Create Syslog Configuration.
- Select a site.
- If the site previously had Syslog configured for it, close out of this wizard and change syslog settings for the site instead.
- Select a Windows endpoint to promote as the Syslog communication endpoint and click Next.
- To search for an endpoint, click the filter icon next to the Endpoint column.
- Fill in the following information, then click Save.
- IP Address/Host: IP or hostname of your Syslog server.
- Port: Port you have specified on your Syslog server.
- Protocol: Select either TCP or UDP protocol.
- Severity: Choose a Severity from the list. This determines the Severity of all OneView events sent to Syslog.
- Communication Interval (Minutes): Determines how often the communication endpoint gathers Syslog data from the OneView server. If the endpoint is unable to contact OneView, it buffers data from the last 24 hours. Data older than 24 hours is not sent to Syslog.
The selected Syslog communication endpoint communicates with our servers to download a SIEM Plugin. Once the plugin is installed, the endpoint information is listed in the table on the Syslog Logging page in OneView.
Change Syslog settings
If you need to change your Syslog communication endpoint, perform the following:
- Go to Configure > Syslog Logging.
- Click the ellipsis icon to the right of the site name.
- If the button is missing, scroll to the right or click Add / Remove Columns and ensure the Action column is checked.
- Click Edit.
- Select a new communication endpoint and click Next.
Example Syslog entry
The following is an example of a Syslog entry generated by OneView in raw CEF format. The tables below detail the Syslog prefix values, CEF headers, and extensions used in the example.
2018-04-13T21:06:05Z MININT-16Tjdoe CEF:0|Malwarebytes|Malwarebytes Endpoint Protection|Endpoint Protection 1.2.0.719|Detection|Website blocked|1|deviceExternalId=e150291a2b2513b9fd67941ab1135afa41111111 dvchost=MININT-16Tjdoe deviceDnsDomain=jdoeTest.local dvcmac=00:0C:29:33:C6:6A dvc=192.168.2.100 rt=Apr 13 2018 21:05:56 Z fileType=OutboundConnection cat=Website act=blocked msg=Website blocked\\nProcess name: C:\\Users\\vmadmin\\Desktop\\test.exe filePath=drivinfosproduits.info(81.171.14.67:49846) cs1Label=Detection name cs1=Malicious Websites
Syslog Prefix | Description | Examples |
Timestamp | Time of recorded event. | 2018-04-13T21:06:05Z |
Host | Affected endpoint. | MININT-16Tjdoe |

CEF Header | Description | Examples |
Version | Version of the CEF format. | CEF:0 |
Device Vendor | The vendor will always be Malwarebytes. | Malwarebytes |
Device Product | Plugin installed on endpoint at time of event. | Endpoint Protection, Incident Response, Endpoint Detection and Response |
Device Version | Plugin name and version. | Endpoint Protection 1.2.0.719 |
Device Event Class ID | Type of event reported. | Detection |
Name | Category of event and action taken. | Website Blocked |
Severity | Severity set in Syslog settings. | 1 |

Extension | Description | Examples |
deviceExternalId | Unique identifier of device generating event. | e150291a2b2513b9fd67941ab1135afa41111111 |
dvchost | Device hostname. | MININT-16Tjdoe |
deviceDnsDomain | Device's DNS domain name. | jdoeTest.local |
dvcmac | Device's MAC address. | 00:0C:29:33:C6:6A |
dvc | Device's IPv4 address. | 192.168.2.100 |
rt | Date/Time when the event occurred. | Apr 13 2018 21:05:56 Z |
fileType | Type of file that caused event. | OutboundConnection, File, Module, Process, Registry Value, Exploit |
cat | Category of the event. | Malware, Website |
act | Action taken. | blocked, found, quarantined, deleted, restored |
msg | Details of the system event. | Website blocked\nProcess name: C:\Users\vmadmin\Desktop\test.exe |
filePath | Path to the file, or blocked website domain. | drivinfosproduits.info(81.171.14.67:49846), C:\users\vmadmin\Desktop\test.exe |
cs1Label | The label name for the cs1 field. | Detection name |
cs1 | The detection name. | Malicious Websites |
cs2Label | The label name for the cs2 field. | Detection severity |
cs2 | Severity of detection. | High, medium, low |
cs3Label | The label name for the cs3 field. | Detection ID |
cs3 | ID for the detection. | 6b5b8a56-e2ae-11ed-8d93-000c292a498c |
cs4Label | The label name for the cs4 field. | Parent Detection ID |
cs4 | ID for the parent detection. | 8d2b5a72-e4ie-12ag-8o73-000d394a598c |
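To show how a SIEM-side receiver would break an entry like the one above into the prefix, header and extension fields described in these tables, here is an added parser (example code, not part of OneView or the SIEM Plugin). It assumes the CEF escaping rules (`\|` and `\\` in the header; `\=`, `\\`, `\n` and `\r` in extensions) and uses a sample line constructed from the page's example; it also resolves the `csNLabel`/`csN` pairs into named fields.

```python
import re

# Syslog prefix as the page's example shows it: "<timestamp> <host> CEF:...".
_PREFIX_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<cef>CEF:.*)$", re.S)
# An extension key sits at the start or after whitespace; an escaped "\=" never matches.
_KEY_RE = re.compile(r"(?:^|\s)([\w.\-]+)=")
_HEADER = ("version", "vendor", "product", "device_version", "event_class_id", "name", "severity")

def _unescape(value):
    """Undo CEF extension escaping: \\n and \\r become control chars, \\= \\| \\\\ the literal."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def _split_header(cef):
    """Split the seven pipe-delimited header fields, honouring the \\| and \\\\ escapes."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef) and cef[i + 1] in "|\\":
            cur.append(cef[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("CEF header must contain 7 pipe-delimited fields")
    return dict(zip(_HEADER, fields)), cef[i:]  # remainder is the extension text

def parse_oneview_cef(line):
    """Parse one OneView Syslog line into prefix, header, decoded extensions and cs labels."""
    m = _PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError("line does not carry a CEF payload")
    header, ext_text = _split_header(m.group("cef")[len("CEF:"):])
    keys = list(_KEY_RE.finditer(ext_text))
    ext = {}
    for k, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext_text)
        ext[k.group(1)] = _unescape(ext_text[k.end():end].strip())
    # Resolve csNLabel/csN pairs into named fields, e.g. "Detection name" -> "Malicious Websites".
    fields = {ext[lbl]: ext[lbl[:-5]] for lbl in ext if lbl.endswith("Label") and lbl[:-5] in ext}
    return {"timestamp": m.group("ts"), "host": m.group("host"),
            "header": header, "ext": ext, "fields": fields}

# Constructed sample adapted from the page's example entry; escapes follow the CEF spec.
SAMPLE = (
    "2018-04-13T21:06:05Z MININT-16Tjdoe CEF:0|Malwarebytes|Malwarebytes Endpoint Protection|"
    "Endpoint Protection 1.2.0.719|Detection|Website blocked|1|"
    "deviceExternalId=e150291a2b2513b9fd67941ab1135afa41111111 dvchost=MININT-16Tjdoe "
    "deviceDnsDomain=jdoeTest.local dvcmac=00:0C:29:33:C6:6A dvc=192.168.2.100 "
    "rt=Apr 13 2018 21:05:56 Z fileType=OutboundConnection cat=Website act=blocked "
    r"msg=Website blocked\nProcess name: C:\\Users\\vmadmin\\Desktop\\test.exe "
    "filePath=drivinfosproduits.info(81.171.14.67:49846) cs1Label=Detection name cs1=Malicious Websites"
)
```

Feeding `parse_oneview_cef(SAMPLE)` into your SIEM's field mapping lets you alert on `ext["act"]` and `fields["Detection name"]` rather than on substring matches against the raw line.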