Security

IBM Siteprotector.

davecroto
Splunk Employee
Splunk Employee

Anybody use splunk to index IBM(ISS) SiteProtector events. Is there a syslog configuraton for Siteprotector? It has a sql backend for all events and can send traps, but traps are only generated for alerts and not every IPS event is an alert. My customer is looking for a forensic archive of IDS/IPS events in Splunk.

Dave Croteau

Tags (1)

MARKFOULKES
New Member

In order to ingest IBM siteprotector data into Splunk you will first of all need to configure logging of events under the Siteprotector mgmt. platform to do this :
Open siteprotector console
Right click your event collector
Select properties
Select agent properties
Under event collector logging "enable event logging to log files" and set your log retention period
Save policy
This will then write your IDS events to the file you have selected
To then send logs to Splunk Install universal forwarder on the Event collectors and configure to obtain and send logs from the directory specified

0 Karma

southeringtonp
Motivator

It's been a while, but there used to be a way to enable (Event Collector?) logging to a text file in SiteProtector.

It may call them "trace" logs - I can't remember now.

Once you have the text files, indexing them with Splunk is pretty trivial.


Found some more information in my old notes. Things may have changed in more recent versions of SiteProtector, but look for trace file settings under Advanced Event Collector Configuration, and/or look for the Event Archiver.

drbones
Explorer

The Event Collector generates a .txt file before batch-importing to the database.

We used a monitor on the directory hierarchy. Ours is located (I think this can be configured) in C:\Program Files\ISS\SiteProtector\Event Archiver\EventLogDir (note, below, we mounted that via a network share because we didn't want to install a universal forwarder on the box.

ignoreOlderThan is necessary not to overwhelm lsof on restart.

So, inputs.conf looks like this:
[monitor:////mnt/server/eventlogdir]
disabled = false
followTail = 0
sourcetype = iss-realsecure
ignoreOlderThan = 1d
whitelist = .txt

0 Karma

sirajnp
Path Finder

Hello drbones,

May I know how you granted permission for forwarder agent on the mounted drive. Whether your Site Protector system and forwarder installed machines is part of same domain.
In our case Site protector is not in domain hence forwarder could not read the mounted drive due to permission issues.

0 Karma

ftk
Motivator

This should be possible with a custom scripted input that will pull the event data from the database. Not sure if anybody has done it before though.

0 Karma

ftk
Motivator

hmm, that's a great question, and I am not sure to be honest -- basically you would have a python script that runs a query on your database. Not sure how much data that can handle.

0 Karma

davecroto
Splunk Employee
Splunk Employee

Would custom scripted Input scale for every IDS/IPS Event? Perhaps hundreds of thousands of events per hour?

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...