topic Re: IBM Siteprotector. in Security

IBM Siteprotector.

davecroto — Wed, 20 Oct 2010 22:50:11 GMT

Anybody use splunk to index IBM(ISS) SiteProtector events. Is there a syslog configuraton for Siteprotector? It has a sql backend for all events and can send traps, but traps are only generated for alerts and not every IPS event is an alert. My customer is looking for a forensic archive of IDS/IPS events in Splunk.

Dave Croteau

Re: IBM Siteprotector.

ftk — Wed, 20 Oct 2010 22:53:30 GMT

This should be possible with a custom scripted input that will pull the event data from the database. Not sure if anybody has done it before though.

Re: IBM Siteprotector.

southeringtonp — Wed, 20 Oct 2010 23:38:22 GMT

It's been a while, but there used to be a way to enable (Event Collector?) logging to a text file in SiteProtector.

It may call them "trace" logs - I can't remember now.

Once you have the text files, indexing them with Splunk is pretty trivial.

Found some more information in my old notes. Things may have changed in more recent versions of SiteProtector, but look for trace file settings under Advanced Event Collector Configuration, and/or look for the Event Archiver.

Re: IBM Siteprotector.

davecroto — Thu, 21 Oct 2010 00:18:44 GMT

Would custom scripted Input scale for every IDS/IPS Event? Perhaps hundreds of thousands of events per hour?

Re: IBM Siteprotector.

ftk — Thu, 21 Oct 2010 00:38:48 GMT

hmm, that's a great question, and I am not sure to be honest -- basically you would have a python script that runs a query on your database. Not sure how much data that can handle.

Re: IBM Siteprotector.

drbones — Mon, 01 Aug 2011 20:10:21 GMT

The Event Collector generates a .txt file before batch-importing to the database.

We used a monitor on the directory hierarchy. Ours is located (I think this can be configured) in C:\Program Files\ISS\SiteProtector\Event Archiver\EventLogDir (note, below, we mounted that via a network share because we didn't want to install a universal forwarder on the box.

ignoreOlderThan is necessary not to overwhelm lsof on restart.

So, inputs.conf looks like this:
[monitor:////mnt/server/eventlogdir]
disabled = false
followTail = 0
sourcetype = iss-realsecure
ignoreOlderThan = 1d
whitelist = .txt

Re: IBM Siteprotector.

sirajnp — Mon, 27 Feb 2017 08:01:22 GMT

Hello drbones,

May I know how you granted permission for forwarder agent on the mounted drive. Whether your Site Protector system and forwarder installed machines is part of same domain.
In our case Site protector is not in domain hence forwarder could not read the mounted drive due to permission issues.

Re: IBM Siteprotector.

MARKFOULKES — Tue, 26 Sep 2017 11:39:45 GMT

In order to ingest IBM siteprotector data into Splunk you will first of all need to configure logging of events under the Siteprotector mgmt. platform to do this :
Open siteprotector console
Right click your event collector
Select properties
Select agent properties
Under event collector logging "enable event logging to log files" and set your log retention period
Save policy
This will then write your IDS events to the file you have selected
To then send logs to Splunk Install universal forwarder on the Event collectors and configure to obtain and send logs from the directory specified