Does anybody use Splunk to index IBM (ISS) SiteProtector events? Is there a syslog configuration for SiteProtector? It has a SQL backend for all events and can send traps, but traps are only generated for alerts, and not every IPS event is an alert. My customer is looking for a forensic archive of IDS/IPS events in Splunk.
Dave Croteau
In order to ingest IBM SiteProtector data into Splunk, you will first need to configure logging of events on the SiteProtector management platform. To do this:
Open the SiteProtector console
Right-click your event collector
Select properties
Select agent properties
Under event collector logging, tick "enable event logging to log files" and set your log retention period
Save the policy
This will then write your IDS events to the file you have selected.
To then send the logs to Splunk, install the universal forwarder on the event collectors and configure it to read and send the logs from the directory specified.
It's been a while, but there used to be a way to enable (Event Collector?) logging to a text file in SiteProtector.
It may call them "trace" logs - I can't remember now.
Once you have the text files, indexing them with Splunk is pretty trivial.
Found some more information in my old notes. Things may have changed in more recent versions of SiteProtector, but look for trace file settings under Advanced Event Collector Configuration, and/or look for the Event Archiver.
The Event Collector generates a .txt file before batch-importing to the database.
We used a monitor on the directory hierarchy. Ours is located (I think this can be configured) in C:\Program Files\ISS\SiteProtector\Event Archiver\EventLogDir (note: below, we mounted that via a network share because we didn't want to install a universal forwarder on the box).
ignoreOlderThan is necessary not to overwhelm lsof on restart.
So, inputs.conf looks like this:
# monitor:// followed by the absolute path, i.e. three slashes in total
[monitor:///mnt/server/eventlogdir]
disabled = false
followTail = 0
sourcetype = iss-realsecure
# skip files older than a day on (re)start instead of opening the whole archive
ignoreOlderThan = 1d
# whitelist is a regex on the full path; an unanchored ".txt" also matches names like "atxt"
whitelist = \.txt$
Hello drbones,
May I know how you granted permission for the forwarder agent on the mounted drive? Are your Site Protector system and the machine with the forwarder installed part of the same domain?
In our case Site Protector is not in a domain, hence the forwarder could not read the mounted drive due to permission issues.
This should be possible with a custom scripted input that pulls the event data from the database. Not sure if anybody has done it before, though.
Hmm, that's a great question, and I am not sure, to be honest. Basically you would have a Python script that runs a query on your database. Not sure how much data that can handle.
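The scripted-input approach sketched above, as an added example (this is not SiteProtector's, Splunk's or any poster's code). A forensic archive has to emit every row exactly once, so the script keeps a high-water-mark checkpoint on the event ID and pulls in bounded batches, which is what keeps it workable at high event rates. The table and column names (SensorEvents, EventID, EventTime, and so on) are assumptions, since the real SiteProtector schema is not given in the thread, and an in-memory sqlite3 database with constructed sample rows stands in for the SQL backend so it runs offline:

```python
"""Splunk scripted input that archives IDS/IPS events from a SQL backend.
Added example for this thread, not SiteProtector's or Splunk's own code. The
SiteProtector table layout is not documented here, so the table/column names
(SensorEvents, EventID, ...) are assumptions, and an in-memory sqlite3 database
stands in for the SQL Server backend; for production use pyodbc or pymssql.
"""
import io
import os
import sqlite3
import sys
import tempfile

# Assumed schema (hypothetical names). EventID must be monotonically increasing:
# it is the high-water mark the checkpoint is built on.
SCHEMA = """CREATE TABLE SensorEvents (
    EventID INTEGER PRIMARY KEY, EventTime TEXT, Sensor TEXT, Severity INTEGER,
    Signature TEXT, SrcIP TEXT, DstIP TEXT, DstPort INTEGER);"""

# Constructed sample rows, not real sensor data.
SAMPLE_ROWS = [
    (1, "2024-01-15T10:00:01Z", "ips-dmz-01", 3, "HTTP_SQL_Injection", "203.0.113.5", "10.0.0.20", 443),
    (2, "2024-01-15T10:00:02Z", "ips-dmz-01", 1, "TCP_Port_Scan", "198.51.100.9", "10.0.0.20", 22),
    (3, "2024-01-15T10:00:03Z", "ips-core-02", 2, "SMB_Null_Session", "10.0.5.7", "10.0.0.30", 445),
    (4, "2024-01-15T10:00:04Z", "ips-core-02", 3, 'HTTP_Shell_Cmd "id"', "203.0.113.77", "10.0.0.20", 80),
]
COLUMNS = ("event_id", "sensor", "severity", "signature", "src_ip", "dest_ip", "dest_port")

def load_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO SensorEvents VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def read_checkpoint(path):
    """Last EventID already sent to Splunk; 0 on the first run."""
    try:
        with open(path) as f:
            return int(f.read().strip() or 0)
    except FileNotFoundError:
        return 0

def write_checkpoint(path, event_id):
    # write-then-rename so a crash mid-write never leaves a truncated checkpoint
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(str(event_id))
    os.replace(tmp, path)

def fetch_batch(conn, after_id, batch_size):
    """Rows newer than after_id, oldest first, capped at batch_size."""
    return conn.execute(
        "SELECT EventID, EventTime, Sensor, Severity, Signature, SrcIP, DstIP, DstPort "
        "FROM SensorEvents WHERE EventID > ? ORDER BY EventID LIMIT ?",
        (after_id, batch_size)).fetchall()

def _quote(value):
    # escape backslashes and double quotes so Splunk's KV extraction stays intact
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'

def format_event(row):
    """One event per line: timestamp first, then key="value" pairs."""
    values = (row[0],) + tuple(row[2:])  # everything except EventTime
    return row[1] + " " + " ".join(f"{k}={_quote(v)}" for k, v in zip(COLUMNS, values))

def run_once(conn, checkpoint_path, batch_size=5000, out=sys.stdout):
    """Emit every event above the checkpoint, in batches; return how many were sent."""
    last_id = read_checkpoint(checkpoint_path)
    sent = 0
    while True:
        rows = fetch_batch(conn, last_id, batch_size)
        if not rows:
            return sent
        for row in rows:
            out.write(format_event(row) + "\n")
        sent += len(rows)
        last_id = rows[-1][0]
        # checkpoint per batch: a crash replays at most one batch and loses nothing
        write_checkpoint(checkpoint_path, last_id)

def demo():
    """Sample run: first pass sends everything, a rerun sends nothing, and a row
    inserted afterwards is picked up on the next pass. Returns the counts."""
    conn = load_sample_db()
    path = os.path.join(tempfile.mkdtemp(), "siteprotector.checkpoint")
    sink = io.StringIO()
    first = run_once(conn, path, batch_size=2, out=sink)
    second = run_once(conn, path, batch_size=2, out=sink)
    conn.execute("INSERT INTO SensorEvents VALUES (?,?,?,?,?,?,?,?)",
                 (99, "2024-01-15T10:05:00Z", "ips-dmz-01", 2, "DNS_Tunnel", "10.0.9.9", "10.0.0.53", 53))
    conn.commit()
    third = run_once(conn, path, batch_size=2, out=sink)
    return {"first": first, "second": second, "third": third,
            "checkpoint": read_checkpoint(path), "lines": sink.getvalue().count("\n")}

if __name__ == "__main__":
    # Splunk runs the script on its interval and indexes whatever reaches stdout.
    run_once(load_sample_db(), "siteprotector.checkpoint")
```

Wire it up with a `[script://...]` stanza in inputs.conf (path, `interval` and `sourcetype` of your choosing; the app name is yours, not something from the thread). Throughput is bounded by the query, not the script, so the event ID column must be indexed; the per-batch checkpoint means a killed run re-sends at most one batch, which is the right failure mode for an archive (duplicates are cheap to dedupe on event_id, gaps are not recoverable).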
Would a custom scripted input scale for every IDS/IPS event? Perhaps hundreds of thousands of events per hour?