Hi All
I have built another Micro Focus product, Filr; its latest version (4.3) can integrate with a SIEM.
It needs to connect to a Zookeeper/Kafka server...
Could Sentinel connect to Filr to get the event log?
Wencheng
Hi Wencheng,
There is no native Sentinel Connector for Kafka.
Two options that could work:
a) Use the Sentinel Process Connector (https://marketplace.microfocus.com/arcsight/content/process) to run some Kafka Client that retrieves the events from a topic.
b) Build a Kafka FlexConnector (https://www.microfocus.com/documentation/arcsight/arcsight-smartconnectors/kafka_flexconnector/) to subscribe to Filr's topic on Kafka and then forward the events to Sentinel using Syslog.
Norbert
The logfile is surely a far simpler way of integration. Could you post your rsyslog config as a reference for others?
According to https://www.microfocus.com/documentation/filr/filr-4/filr-bp-maint/t4g09rpv9v05.html#t4g2s2rgtr05 one could also use a database connector:
The CEF events are available in the SS_CefEvents database table and in the Kafka topic named CefEvents.
Hi All
Sorry for the delayed response... I provide my method below:
1. I added a single line to rsyslog.conf:
*.* @sentinel_ip:1514
But it seems to only send the OS log.
2. I created a conf file in the /etc/rsyslog.d folder, with content like:
#########################################
# Load the file-input module and poll appserver.log once per second
$ModLoad imfile
$InputFilePollInterval 1
$InputFileName /var/opt/novell/tomcat-filr/logs/appserver.log
$InputFileTag FilrCEF:
$InputFileStateFile FilrCEF
$InputFileFacility local0
$InputRunFileMonitor
# Only lines read from appserver.log carry the FilrCEF: tag
:syslogtag, isequal, "FilrCEF:" {
    # Keep only the CEF audit records: write them locally and forward them to Sentinel over UDP
    :msg, contains, "CEF" {
        local0.* /var/log/FilrCEF_.log
        local0.* @sentinel_IP:1516
    }
    # Discard the remaining appserver.log lines so later rules (such as *.* forwarding) do not process them again
    stop
}
=================================
You could use rsyslogd to check the file, for example:
rsyslogd -N1 -f ./filr-appserver.conf
3. Restart the rsyslogd service:
rcrsyslog restart
4. Check in Sentinel whether the Filr event source object needs to be modified to the CEF Collector.
5. You should see 2 Filr event sources: one is the OS event source, the other is the Filr event source.
Wencheng
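As an added example (not part of this thread, and not Filr's or Sentinel's own code), the script below reproduces what the rsyslog config above does so it can be checked offline: it selects the CEF records from appserver.log-style lines, builds the RFC 3164 datagram that imfile emits for facility local0 (default severity notice, so PRI 133) with the FilrCEF: tag, and forwards it over UDP like the "@sentinel_IP:1516" action. It also parses the CEF header and extension, including the "\|" and "\=" escapes, which is useful for confirming what the CEF Collector will receive. The log lines, the hostname "filr" and the target "sentinel_ip" are constructed placeholders, not real Filr output.

```python
import re
import socket
from datetime import datetime

# Constructed sample lines in the style of Filr's appserver.log (not real Filr output).
SAMPLE_APPSERVER_LOG = r"""2023-05-02 10:15:01,123 INFO  [http-nio-8443-exec-3] Tomcat started on port 8443
2023-05-02 10:15:07,456 INFO  [audit] CEF:0|Micro Focus|Filr|4.3|100|User login|3|suser=alice src=10.0.0.5 msg=Login succeeded
2023-05-02 10:15:09,789 WARN  [http-nio-8443-exec-7] Slow request: /rest/folders took 2500ms
2023-05-02 10:15:12,001 INFO  [audit] CEF:0|Micro Focus|Filr|4.3|200|Download \| share|5|suser=bob fname=plan\=v2.pdf msg=Downloaded from share
"""

LOCAL0 = 16   # syslog facility number for local0 ($InputFileFacility local0)
NOTICE = 5    # imfile's default severity when none is configured
CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                     "signature_id", "name", "severity")


def select_cef_lines(text):
    """Mirror the ':msg, contains, "CEF"' filter: keep only lines carrying a CEF record."""
    return [line for line in text.splitlines() if "CEF:" in line]


def parse_extension(ext):
    """Split 'key=value key2=value with spaces' pairs; '\\=' inside a value is an escaped '='."""
    keys = list(re.finditer(r"(?:^|(?<=\s))([A-Za-z][A-Za-z0-9_.]*)=", ext))
    out = {}
    for k, m in enumerate(keys):
        end = keys[k + 1].start() if k + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        out[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_cef(line):
    """Parse the CEF header (7 pipe-separated fields, '\\|' escaped) and the extension."""
    record = line[line.find("CEF:") + len("CEF:"):]
    header, buf, i = [], [], 0
    while i < len(record) and len(header) < len(CEF_HEADER_FIELDS):
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):      # escaped character: take it literally
            buf.append(record[i + 1])
            i += 2
            continue
        if ch == "|":
            header.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(header) < len(CEF_HEADER_FIELDS):
        raise ValueError("incomplete CEF header: %r" % line)
    return {"header": dict(zip(CEF_HEADER_FIELDS, header)),
            "extension": parse_extension(record[i:])}


def to_syslog(line, hostname="filr", tag="FilrCEF:", when=None):
    """Build the RFC 3164 message rsyslog emits for an imfile line tagged FilrCEF: on local0."""
    when = when or datetime.now()
    pri = LOCAL0 * 8 + NOTICE                      # 16*8 + 5 = 133
    ts = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return "<%d>%s %s %s %s" % (pri, ts, hostname, tag, line)


def forward(lines, host, port, send=None):
    """Send each line as a UDP syslog datagram (the '@host:port' action); returns the count sent.
    'send' can be swapped for a callable that captures the datagrams instead of transmitting."""
    if send is None:
        send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto
    sent = 0
    for line in lines:
        send(to_syslog(line).encode("utf-8"), (host, port))
        sent += 1
    return sent


if __name__ == "__main__":
    cef_lines = select_cef_lines(SAMPLE_APPSERVER_LOG)
    for cef in cef_lines:
        print(parse_cef(cef))
    # Capture instead of transmitting, so the script runs with no collector listening.
    captured = []
    forward(cef_lines, "sentinel_ip", 1516, send=lambda data, addr: captured.append(data))
    for datagram in captured:
        print(datagram.decode("utf-8"))
```

Pointing forward() at the real collector address (with the default UDP sender) lets you confirm that the CEF Collector on port 1516 is parsing the records before touching the rsyslog configuration.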