Introduction
Some customers use HP ArcSight product to monitor security of internal IT assets and trigger proper alarms whenever required. They require that is properly integrated and could report in real-time any relevant security event to their infrastructure.
We chose to implement one generic interface supporting Security Information Event management (SIEM), so it would be easier to extend current ArcSight support to other products and solutions.
Security events are stored in 's operational database and sent to local syslog daemon, which in turn can forward them to HP ArcSight.
Events are formatted according to CEF specification.
It's also possible to log security events locally, in case they cannot be sent to point of delivery.
Glossary
Here some terms used within ArcSight;
- Application: SW component intended to perform core business functionality
- Application Security Configuration Parameter: any configuration item with direct impact on application's security
- Application Security Configuration Target Value: the value of Application Security Configuration Parameter
- Application Security Event: any distinct, time-limited, identifiable activity with direct impact on Application's security
- Application Security Event Message: the technical log generated by an Application in reaction to Application Security Event
- Monitoring: near real-time validation of Application Security Event Messages, against defined level of escalation (Alert, Record, Log)
- Application Security Scenario: identify patterns with respect to defined conditions and trigger action
- Application Security Scenario Exception: any exception to define scenario
- Escalation level:
- Alert: requires immediate escalation and quick evaluation
- Record: to be included in a report for frequent review
- Log: to be logged with less frequent review
List of events
Here follows the list of generated and logged events:
| Event Code | Event Name | Event Description or R.L. Example |
|---|---|---|
| CC01 | Application configuration change | |
| CC02 | Security configuration change | |
| HB01 | Heartbeat | |
| LL01 | Successful User Login | |
| LL02 | Successful User Logoff | |
| LL03 | User Login failure | |
| LL04 | Password change success | |
| LL05 | Password change failure | |
| PA01 | Successful privileged operation access | |
| PA02 | Failed privileged operation access | |
| SA01 | Add User | |
| SA02 | Amend User | |
| SA03 | Delete User | |
| SA04 | New Profile | |
| SA05 | Amend Profile | |
| SA06 | Delete Profile | |
| SA07 | Password reset | |
| SA08 | Lock user | |
| SA09 | Unlock User | |
| SS01 | Application Start | |
| SS02 | Application Stop | |
| SS03 | Application Data Dump | |
| SS04 | Application Data Restore | |
| SS05 | Logging Change |
Pluggable SIEM manager
Given that different customers can have different SIEM systems and/or requirements, we provide a modular and configurable architecture in , to be able to customize these behaviors.
The default implementation generated event in CEF format (suitable for HP ArcSight) and, if properly configured, can send them to local rsyslog daemon.
SIEM configuration is not a common or daily task, so configuration is available only via manual file editing via SSH, no web console UI.
Sender configuration
In order to use syslog to receive and forward security events, some changes are required on 's syslog configuration /etc/rsyslog.conf. Message format and priority is fixed and defined.
Enable syslog to listen on UDP
# Provides UDP syslog reception $ModLoad imudp.so $UDPServerRun 514
Configure template format
$template EVSSFormat,"<%pri%>%timestamp% %hostname% %syslogtag%%msg%\n"
Define a local file for debug purpose
local7.INFO /var/log/arcsight.log;EVSSFormat
Redirect to remote host
local7.INFO @@remote-host:514;EVSSFormat
If you configure both forwarding and logging to local files, it is suggested to put forwarding statement AFTER local file statement: if for some reasons, forwarding does not work, you will still have immediate logging on local file. The opposite order could introduce some delay. |
In it is also required to configure logging framework to send security events to syslog. Edit file /data/privateserver/Config.groovy and insert following snipped
import log4j.appender.CustodianDailyRollingFileAppender
// standard configuration to send security events to local rsyslog daemon
log4j = {
appenders {
appender new log4j.appender.AdvSyslogAppender(
name: "arcsyslog",
layout: pattern(conversionPattern: '%m'),
facility: "local7",
tag: "<ac:macro ac:name="brand"><ac:parameter ac:name="brand">server</ac:parameter></ac:macro>",
threshold: org.apache.log4j.Level.INFO,
syslogHost:"localhost",
header: true,
timeZone: "GMT"
)
appender new CustodianDailyRollingFileAppender(name:'logFile',
file:"/var/log/tomcat6/<ac:macro ac:name="brand"><ac:parameter ac:name="brand">server</ac:parameter></ac:macro>.log",
datePattern:"'.'yyyy-MM-dd",
layout: pattern(conversionPattern:'%d [%t] %-5p %c{2} %x - %m%n'),
compressBackups : 'true',
maxNumberOfDays : '7')
}
root {
error 'logFile'
}
info arcsyslog: "privateserver.siem.CEFSender", additivity : false
}
privateserver.siem.formatter = privateserver.siem.DBArcSightCef |
Here is a list of all available syslog property
Formatter configuration
Security event formatter takes many information as inputs and emit a string containing properly formatted event, ready to be forwarded to SIEM. Formatted string is stored into SecurityEvent.details field.
For specific customers' needs, PrivateWave can develop some custom formatter/filters.
Custom formatter can be configured editing file /data/privateserver/Config.groovy to specify actual formatter class:
privateserver.siem.formatter = privateserver.siem.DBArcSightCef |
Implementation notes
Some events, such as service START/STOP are generated directly from shell scripts and stored in MySQL "system_events" table.
One scheduled job collects info and data from system_events table and generate and format the actual security event to be sent.