SIEM Foundations: Configuring a SYSLOG Data Source
Most deployments will require at least one Data Source that sends events to the SIEM via SYSLOG. Most event sources such as firewalls, intrusion detection/prevention systems and Linux hosts support forwarding logs and events to a collection platform – in this case the McAfee Event Receiver will be the destination of all forwarded events.
NOTE: As an example, the following steps would be necessary to add event collection for a Linux host via SYSLOG.
Configure the Linux Data Source to forward all necessary events and logs to the IP address assigned to the Event Receiver. Refer to the vendor-supplied instructions for each Data Source to determine the appropriate steps necessary to perform this event forwarding.
From the System Tree, select the Event Receiver on which you will be configuring the SYSLOG Data Source.
Click the Add Data Source button from the Action Toolbar located in the upper left of the interface. The Add Data Source window will open.
From the Data Source Vendor drop down menu, select UNIX.
From the Data Source Model drop down menu, select Linux (ASP).
Enter a Name to be used for this Data Source.
Enter the IP Address from which this Data Source will be sending SYSLOG data.
Set the appropriate Time Zone that reflects the time zone of the time stamps the data source will send to your Event Receiver. This is not the time zone of the console user, and is not necessarily the same as the time zone in which the device resides. Your Event Receiver will use this to normalize the time of the events it receives before storing them in the ESM database; it's VERY important that this match the time zone of the received events. Most events that come into the Receiver do not have an embedded timezone, and the Receiver relies on the configured time zone to properly normalize event timestamps. If the timezone configuration is incorrect, your events may appear to have timestamps that are in the past or future relative to when they actually happened. In extreme cases, the ESM may raise an alarm and discard events that are too far out of time sync.
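The time zone point above is easiest to see with a concrete line. The following is an added example written for this page, not McAfee ESM or Event Receiver code: it parses an RFC 3164 syslog header (which carries no year and no time zone), attaches the zone configured for the Data Source, converts to UTC, and measures the gap between event time and receipt time. The one-hour drift threshold is an assumption; the page does not state the ESM's actual limit. It also handles the year-rollover edge case of a "Dec 31" line received on Jan 1.

```python
"""Added example for this page (not McAfee ESM or Event Receiver code): how a
collector turns an RFC 3164 syslog timestamp, which carries no year and no
time zone, into UTC using the time zone configured on the Data Source, and how
a wrong zone shows up as clock drift between event time and receipt time."""
import re
from datetime import datetime, timedelta, timezone

# RFC 3164 header: "<PRI>Mmm dd hh:mm:ss host tag: msg". The day may be space-padded.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)

# Assumed threshold for "too far out of time sync"; the page gives no number.
MAX_DRIFT_SECONDS = 3600


def _resolve_tz(spec: str):
    """Accept a fixed offset such as '-04:00', or an IANA name such as
    'America/New_York' where the host has tzdata installed."""
    m = re.fullmatch(r"([+-])(\d{2}):(\d{2})", spec)
    if m:
        sign = 1 if m.group(1) == "+" else -1
        return timezone(sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3))))
    from zoneinfo import ZoneInfo  # only needed for named zones
    return ZoneInfo(spec)


def normalize(line: str, source_tz: str, received_at_iso: str) -> str:
    """Return the event time as an ISO 8601 UTC string.

    source_tz       -- the Time Zone set on the Data Source: the zone the sender
                       stamped the event in, not the console user's zone
    received_at_iso -- aware ISO timestamp of when the collector got the line;
                       it also supplies the year the RFC 3164 header omits
    """
    received_at = datetime.fromisoformat(received_at_iso).astimezone(timezone.utc)
    m = _RFC3164.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    naive = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=received_at.year)
    local = naive.replace(tzinfo=_resolve_tz(source_tz))
    event = local.astimezone(timezone.utc)
    # Year rollover: a "Dec 31" line received on Jan 1 would otherwise land a
    # year in the future, so step back one year when it is well ahead of receipt.
    if event - received_at > timedelta(days=1):
        event = local.replace(year=local.year - 1).astimezone(timezone.utc)
    return event.isoformat()


def drift_seconds(line: str, source_tz: str, received_at_iso: str) -> float:
    """Absolute gap, in seconds, between normalized event time and receipt time."""
    event = datetime.fromisoformat(normalize(line, source_tz, received_at_iso))
    received_at = datetime.fromisoformat(received_at_iso)
    return abs((received_at - event).total_seconds())


def time_sync_ok(line: str, source_tz: str, received_at_iso: str,
                 max_drift: float = MAX_DRIFT_SECONDS) -> bool:
    """True when the event lands within the assumed drift window."""
    return drift_seconds(line, source_tz, received_at_iso) <= max_drift


if __name__ == "__main__":
    # Constructed sample: a host in US Eastern (EDT, UTC-4) stamped this line at
    # 14:30 local; the Receiver saw it one minute later, at 18:31 UTC.
    LINE = "<38>Oct  5 14:30:00 web01 sshd[1234]: Accepted publickey for deploy from 203.0.113.7 port 50222"
    RECEIVED = "2024-10-05T18:31:00+00:00"
    for tz in ("-04:00", "+00:00", "+02:00"):
        print(f"configured zone {tz:>6}: event={normalize(LINE, tz, RECEIVED)} "
              f"drift={drift_seconds(LINE, tz, RECEIVED):.0f}s "
              f"{'ok' if time_sync_ok(LINE, tz, RECEIVED) else 'OUT OF SYNC'}")
```

Running the sample shows the effect the text warns about: with the Data Source zone set to -04:00 the event normalizes to 18:30 UTC, one minute before receipt; with the zone mistakenly left at +00:00 the same line appears to be four hours old, and a large enough gap would trip the out-of-sync handling described above.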
NOTE: Most Data Sources do NOT require any modification to the Data Format, Data Retrieval method, SYSLOG Relay, Mask or any additional fields presented in the Add Data Source dialog.
A dialog box will open warning that a Policy Rollout will be required for this Data Source to function properly. Click Yes.
A dialog box will open indicating that the new Data Source configuration must be written to the Receiver. Click Yes.
A dialog box will open offering to roll out policy to the newly created Data Source. Click OK. Depending on the number of data source policies you are rolling out at once, this may take a few minutes to complete.
Once complete, a dialog box will open indicating the successful rollout of the new policy. Click Close.
To confirm event collection from the newly created Linux Data Source, select the Linux Host from the Device Tree.
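A quick way to confirm collection is to emit one known test event from the Linux host and look for it under that host in the Device Tree. The script below is an added example written for this page, not McAfee code: it builds a well-formed RFC 3164 message (PRI, space-padded timestamp, hostname, tag) and sends it over UDP. RECEIVER_IP is a placeholder from the RFC 5737 documentation range and must be replaced with the address assigned to your Event Receiver; port 514 is the conventional syslog/UDP port, not a value taken from the page.

```python
"""Added example for this page (not McAfee ESM or Event Receiver code): send one
constructed RFC 3164 test event over UDP to the Event Receiver so the new Linux
Data Source can be checked for collection. RECEIVER_IP is a placeholder."""
import socket
from datetime import datetime

RECEIVER_IP = "192.0.2.10"   # placeholder: replace with your Event Receiver's address
RECEIVER_PORT = 514          # conventional syslog/UDP port (assumed, not from the page)

# RFC 3164 numeric codes (subset); PRI = facility * 8 + severity.
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "authpriv": 10, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def priority(facility: str, severity: str) -> int:
    """PRI value as RFC 3164 defines it."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def rfc3164_timestamp(when: datetime) -> str:
    """'Mmm dd hh:mm:ss' with the day space-padded to two characters, as RFC 3164 requires."""
    return f"{when:%b} {when.day:2d} {when:%H:%M:%S}"


def build_message(hostname: str, tag: str, text: str, facility: str = "auth",
                  severity: str = "notice", when_iso: str = "") -> str:
    """Assemble '<PRI>TIMESTAMP HOSTNAME TAG: MSG'. when_iso defaults to now in
    local time with no zone marker, which is exactly why the Data Source's
    configured Time Zone must match the sending host."""
    when = datetime.fromisoformat(when_iso) if when_iso else datetime.now()
    return f"<{priority(facility, severity)}>{rfc3164_timestamp(when)} {hostname} {tag}: {text}"


def send_test_event(message: str, receiver: str = RECEIVER_IP, port: int = RECEIVER_PORT) -> int:
    """Send one datagram; returns the number of bytes handed to the socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (receiver, port))


if __name__ == "__main__":
    msg = build_message(socket.gethostname(), "siem-test",
                        "SIEM collection check from new Linux Data Source")
    print("sending:", msg)
    print("bytes sent:", send_test_event(msg))
```

Run it from the host whose IP address you entered when creating the Data Source: the Receiver attributes incoming SYSLOG to a Data Source by source IP, so a test event sent from another machine will not appear under the new Linux host. The fixed tag (siem-test) makes the event easy to find once it has been collected and normalized.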