Introduction

Some customers use HP ArcSight product to monitor security of internal IT assets and trigger proper alarms whenever required. They require that

We chose to implement one generic interface supporting Security Information Event management (SIEM), so it would be easier to extend current ArcSight support to other products and solutions.

Security events are stored in

Events are formatted according to CEF specification.

It's also possible to log security events locally, in case they cannot be sent to point of delivery.

Glossary

Here some terms used within ArcSight;

• Application: SW component intended to perform core business functionality
• Application Security Configuration Parameter: any configuration item with direct impact on application's security
• Application Security Configuration Target Value: the value of Application Security Configuration Parameter
• Application Security Event: any distinct, time-limited, identifiable activity with direct impact on Application's security
• Application Security Event Message:  the technical log generated by an Application in reaction to Application Security Event
• Monitoring: near real-time validation of Application Security Event Messages, against defined level of escalation (Alert, Record, Log)
• Application Security Scenario: identify patterns with respect to defined conditions and trigger action
• Application Security Scenario Exception: any exception to define scenario
• Escalation level:
  • Alert: requires immediate escalation and quick evaluation
  • Record: to be included in a report for frequent review
  • Log: to be logged with less frequent review

Security events are stored in

Events must be formatted according to CEF specification

Log security events locally, in case the cannot be set to point of delivery

List of events

Here follows the list of generated and logged events:

Pluggable SIEM manager

Given that different customers can have different SIEM systems and/or requirements, we provide a modular and configurable architecture in

The default implementation generated event in CEF format (suitable for HP ArcSight) and, if properly configured, can send them to local rsyslog daemon.

SIEM configuration is not a common or daily task, so configuration is available only via manual file editing via SSH, no web console UI.

Sender configuration

In order to use syslog to receive and forward security events, some changes are required on

• Enable syslog to listen on UDP

  Code Block
  # Provides UDP syslog reception $ModLoad imudp.so $UDPServerRun 514

• Configure template format

  Code Block
  $template EVSSFormat,"<%pri%>%timestamp% %hostname% %syslogtag%%msg%\n"

• Define a local file for debug purpose

  Code Block
  local7.INFO /var/log/arcsight.log;EVSSFormat

• Redirect to remote host

  Code Block
  local7.INFO @@remote-host:514;EVSSFormat

In

import log4j.appender.CustodianDailyRollingFileAppender
// standard configuration to send security events to local rsyslog daemon
log4j = {
    appenders {
        appender    new log4j.appender.AdvSyslogAppender(
                name:      "arcsyslog",
                layout:    pattern(conversionPattern: '%m'),
                facility:  "local7",
                tag:       "<ac:macro ac:name="brand"><ac:parameter ac:name="brand">server</ac:parameter></ac:macro>",
                threshold: org.apache.log4j.Level.INFO,
                syslogHost:"localhost",
                header:    true,
                timeZone:  "GMT"
                )
        appender new CustodianDailyRollingFileAppender(name:'logFile',
                file:"/var/log/tomcat6/<ac:macro ac:name="brand"><ac:parameter ac:name="brand">server</ac:parameter></ac:macro>.log",
                datePattern:"'.'yyyy-MM-dd",
                layout: pattern(conversionPattern:'%d [%t] %-5p %c{2} %x - %m%n'),
                compressBackups : 'true',
                maxNumberOfDays : '7')
    }
    root {
        error 'logFile'
    }
    info arcsyslog: "privateserver.siem.CEFSender", additivity : false
}

privateserver.siem.formatter = privateserver.siem.DBArcSightCef

Here is a list of all available syslog property

Formatter configuration

Security event formatter takes many information as inputs and emit a string containing properly formatted event, ready to be forwarded to SIEM. Formatted string is stored into SecurityEvent.details field.

For specific customers' needs, PrivateWave can develop some custom formatter/filters.

Custom formatter can be configured editing file /data/privateserver/Config.groovy to specify actual formatter class:

  privateserver.siem.formatter = privateserver.siem.DBArcSightCef

Implementation notes

Some events, such as service START/STOP are generated directly from shell scripts and stored in MySQL "system_events" table.

One scheduled job collects info and data from system_events table and generate and format the actual security event to be sent.