4 Replies Latest reply on Dec 3, 2014 9:41 PM by rcavey

    Forward ESM Events to 3rd party

    aygitci

Hi all,

Can anybody help me on this topic?

Our ESM will be connected to a 3rd party SIEM (Splunk). We need to send some alarm notifications.

Is it possible to send the event information from the 'Execute Remote Command' option in the Alarm section to Splunk or another one?

Thanks

AyGitci

        • 1. Re: Forward ESM Events to 3rd party
          ksudki

You have several possibilities to achieve that:

1. Forward the events to Splunk: ESM Properties > Event Forwarding > configure Splunk as the syslog destination with the needed filters
2. Create an alarm to trigger an email which will be sent to Splunk
3. Create an alarm to execute a remote command on the Splunk box, something like logger to a local file, and get that file parsed in Splunk

I think there are even more possibilities, as Splunk supports many different event sources.

Regards
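The third option above (the remote command writes the alarm to a local file that Splunk monitors), as an added shell example that is not from this thread, McAfee or Splunk: a script the ESM remote-command action could invoke on the Splunk host. It assumes ESM passes the alarm name, a numeric severity, the source IP and a description as positional arguments (the exact ESM variable syntax is not covered here); the log path, the severity threshold and the inputs.conf stanza in the comment are placeholders I constructed.

```shell
#!/bin/sh
# Added example: normalize an ESM alarm into one key=value syslog-style line
# and append it to a local file that a Splunk [monitor://] input picks up.
# Assumed positional arguments: alarm name, severity (numeric), source IP,
# description. Path and threshold below are placeholders.

ALARM_LOG="${ALARM_LOG:-/var/log/esm_alarms.log}"   # placeholder path watched by Splunk
MIN_SEVERITY="${MIN_SEVERITY:-50}"                   # assumed gate to avoid flooding Splunk

# Escape characters that would break a key="value" field (newlines, quotes).
kv_escape() {
    printf '%s' "$1" | tr '\n\r' '  ' | sed 's/"/\\"/g'
}

# Print the record when the alarm passes the severity gate (exit 0).
# Exit 1 when below the threshold, exit 2 when severity is not numeric
# (refuse rather than guess, so a malformed call never forwards junk).
format_alarm() {
    name=$1; severity=$2; src_ip=$3; description=$4
    case "$severity" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$severity" -ge "$MIN_SEVERITY" ] || return 1
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s esm_alarm alarm="%s" severity=%s src_ip=%s description="%s"\n' \
        "$ts" "$(kv_escape "$name")" "$severity" "$src_ip" "$(kv_escape "$description")"
}

# What the ESM remote command would actually run: format, then append.
# Propagates format_alarm's exit status so a dropped alarm is visible to the caller.
forward_alarm() {
    line=$(format_alarm "$@") || return $?
    printf '%s\n' "$line" >> "$ALARM_LOG"
}

# Splunk side (constructed inputs.conf stanza, for reference only):
# [monitor:///var/log/esm_alarms.log]
# sourcetype = esm:alarm
```

The key=value layout is deliberate: Splunk's automatic field extraction turns `alarm`, `severity` and `src_ip` into searchable fields without a custom props.conf, and the numeric severity gate is the one knob that keeps a noisy alarm from turning the monitored file into a second event feed.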

          • 2. Re: Forward ESM Events to 3rd party
            aygitci

Hi,

Thanks for your feedback. Regarding the 1st possibility, can we filter to forward triggered events (alarms), or are just events forwarded?

Regards.

AyGitci

            • 3. Re: Forward ESM Events to 3rd party
              ksudki

Hi, I don't think it is possible, because alarms seem to be stored in a different special log. With the alarms you can choose multiple actions if the alarm triggers, so you should consider using option 2 or 3 in addition to your currently configured settings. Regards

              • 4. Re: Forward ESM Events to 3rd party
                rcavey

Hi,

So we've been looking at this recently, forwarding events to an upstream ArcSight collector. What I'm shooting for in our setup (but this will take some serious tuning) is forwarding based on a severity (I think?) threshold. Again, you really need to be tuning the event severities, as honing in on these things takes time, which I imagine most people don't keep up with. You could also look at the possibility of utilizing a watchlist to do what you need? Sorry, I'm not in front of the GUI, so I'll try and check what I've played with so far in the next few days and possibly elaborate better.

                Cheers,

                  -Bob