
Forward ESM Events to 3rd party


Hi all,

Can anybody help me on this topic?

Our ESM will be connected to a 3rd party SIEM (Splunk). We need to send some alarm notifications.

Is it possible to send the event information from the 'Execute Remote Command' option in the Alarm section to Splunk or another one?

Thanks

AyGitci

1 Solution

Accepted Solutions
ksudki
Level 10
Message 2 of 5

Re: Forward ESM Events to 3rd party


You have several possibilities to achieve that:

  1. Forward the events to Splunk: ESM Properties > Event Forwarding > configure SPLUNK as the syslog destination with the needed filters
  2. Create an alarm to trigger an email which will be sent to SPLUNK
  3. Create an alarm to execute a remote command on the SPLUNK box, something like logger to a local file, and get that file parsed in SPLUNK

I think there are even more possibilities as SPLUNK supports many different event sources.

Regards
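To make option 3 concrete, here is an added example that is not from this thread and not McAfee or Splunk code: a small POSIX shell receiver placed on the Splunk host, which ESM's "Execute Remote Command" action would call with the alarm fields as arguments. The argument order (alarm name, severity, source IP, message), the log path `/var/log/esm/alarms.log`, the assumption that a Splunk file monitor input watches that path, and the 0-100 severity scale are all assumptions for illustration. It writes one `key="value"` line per alarm and escapes the fields so that an alarm message containing quotes or newlines cannot break the line or add a second event.

```shell
#!/bin/sh
# Added example (not from the thread): receiver for ESM's "Execute Remote
# Command" action on the Splunk box. Assumed invocation:
#   esm_alarm_to_splunk.sh <alarm_name> <severity> <src_ip> <message>
# Argument order, target file and severity scale are assumptions.

ESM_ALARM_LOG="${ESM_ALARM_LOG:-/var/log/esm/alarms.log}"

# Escape one field for use inside a double-quoted key="value" pair:
# drop CR/LF (one event per line), escape backslashes and double quotes.
kv_escape() {
    printf '%s' "$1" | tr -d '\r\n' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build one Splunk-friendly key="value" line for an alarm.
# Usage: format_alarm_line <alarm_name> <severity> <src_ip> <message>
format_alarm_line() {
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s esm_alarm="%s" severity="%s" src_ip="%s" message="%s"\n' \
        "$ts" "$(kv_escape "$1")" "$(kv_escape "$2")" \
        "$(kv_escape "$3")" "$(kv_escape "$4")"
}

# Append the event to the file the Splunk forwarder monitors. The severity
# must be an integer 0-100 (assumed scale); anything else is rejected so a
# malformed call cannot put arbitrary text into the numeric field.
# Returns 0 on success, 2 on invalid severity, 1 if the log dir is unusable.
write_alarm_event() {
    case "$2" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$2" -le 100 ] || return 2
    mkdir -p "$(dirname "$ESM_ALARM_LOG")" || return 1
    format_alarm_line "$1" "$2" "$3" "$4" >> "$ESM_ALARM_LOG"
}

# When executed directly by ESM (four arguments), record the alarm.
if [ "$#" -eq 4 ]; then
    write_alarm_event "$1" "$2" "$3" "$4"
fi
```

Because every field is double-quoted and the timestamp is in ISO 8601 UTC, Splunk's automatic key=value extraction picks up `esm_alarm`, `severity` and `src_ip` at search time without a custom props.conf, and the severity check gives you a single numeric field to build the threshold search on.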

4 Replies

Re: Forward ESM Events to 3rd party


Hi,

Thanks for your feedback. Regarding the 1st possibility, can we filter to forward triggered events (alarms), or are just events forwarded?

Regards.

AyGitci

ksudki
Level 10
Message 4 of 5

Re: Forward ESM Events to 3rd party


Hi, I don't think it is possible, because alarms seem to be stored in a different special log. With the alarms you can choose multiple actions if the alarm triggers, so you should consider using option 2 or 3 in addition to your currently configured settings. Regards

rcavey
Level 9
Message 5 of 5

Re: Forward ESM Events to 3rd party


Hi,

So we've been looking at this recently, forwarding events to an upstream ArcSight collector. What I'm shooting for in our setup (but this will take some serious tuning) is forwarding based on a severity (I think?) threshold. Again, you really need to be tuning the event severities, as honing in on these things takes time, which I imagine most people don't keep up with. You could also look at the possibility of utilizing a watchlist to do what you need?? Sorry, I'm not in front of the GUI, so I'll try and check what I've played with so far in the next few days and possibly elaborate better.

Cheers,

  -Bob