When setting up a log forwarding connection from vRealize Log Insight to a SIEM solution like Splunk or QRadar, you need to filter on a particular set of event types to limit the stream of logs sent to the receiving solution. With this post I make a humble attempt to offer some guidance on which events are typically filtered for security auditing, such as logins, reboots and so on.
Disclaimer: The actual set of events you may need to monitor in your SIEM solution may vary based on the needs of your security team.
Let me jump right into the nitty-gritty details of what you need to do to forward the relevant events, based on my experiences with vRealize Log Insight customers.
Step 1: Ensure the user you use to log into vRealize Log Insight has full administrator privileges.
Step 2: Create a “New destination” by clicking Event Forwarding option in the Management section of the Administration UI in vRealize Log Insight.
Step 3: Give your destination a meaningful name like “Security events to QRadar@10.12.13.14” and enter the FQDN or IP of the destination receiver.
Step 4: Select syslog as the protocol and, optionally, give it a tag name. Note: I have seen issues with some customers where adding a tag name causes the receiving end not to receive the event logs correctly, so only use a tag after testing it at the receiving end. Also note that event tags may alter the original event log by adding the tag to it.
Step 5: Use the Add Filter link, select ‘text’ with the ‘matches’ option, and enter the list of keywords that identify the security-specific events.
The key here is to choose a list that covers all security-specific logs; it has to be entered manually. This is a list (not vSphere specific) that I have compiled based on my experience with customers attempting to forward security-specific events to their SIEM solutions:
- “password was changed”
- “logged out”
- “cannot login”
- “logged in”
- “rejected password for user”
- “permission rule removed”
- “DCUI has been enabled”
- “firewall configuration has changed”
- “permission created”
Step 6: Use the Run in Interactive Analytics link to confirm that vRealize Log Insight is querying the correct set of events, so that the receiving solution gets exactly the events you need.
Step 7: Use the Test button to send a test event.
Step 8: Validate at the receiving end, in QRadar, Splunk or another solution, that a) you have received the event as expected and b) the event is in the expected format.
Step 9: Save the forwarder destination using the Save button in vRealize Log Insight.
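To make Steps 5 to 8 concrete before you touch the UI, here is an added example (my own illustration, not code from the post or from VMware) that models the keyword filter and the receiving-end checks in plain Python. It assumes the ‘text matches’ filter behaves as a case-insensitive substring match (confirm this in Interactive Analytics for your version), uses constructed ESXi/vCenter-style log lines rather than real captures, and models the forwarder output as RFC 5424 syslog with any tag carried as structured data under the IANA documentation enterprise number 32473; the tag layout is an assumption, not a description of how Log Insight encodes tags.

```python
import re

# The keyword list from Step 5 of the post.
SECURITY_KEYWORDS = [
    "password was changed",
    "logged out",
    "cannot login",
    "logged in",
    "rejected password for user",
    "permission rule removed",
    "DCUI has been enabled",
    "firewall configuration has changed",
    "permission created",
]

# Constructed sample events in the style of ESXi/vCenter syslog output (not real captures).
SAMPLE_EVENTS = [
    "2024-01-10T08:15:02Z esx01 Hostd: [Auth] User root@10.0.0.5 logged in as VMware-client",
    "2024-01-10T08:15:40Z esx01 sshd[1234]: Session closed for 'root'",
    "2024-01-10T08:16:01Z esx01 Hostd: [Auth] Rejected password for user admin from 10.0.0.9",
    "2024-01-10T08:17:13Z esx01 Hostd: Firewall configuration has changed. Operation 'enable' for rule set sshServer succeeded.",
    "2024-01-10T08:18:00Z esx01 vmkernel: cpu3:2097 NMI: 0",
    "2024-01-10T08:19:22Z esx01 DCUI: DCUI has been enabled",
    "2024-01-10T08:20:05Z vc01 vpxd[5555]: Permission created for user DOMAIN\\alice on Datacenter",
]


def matches_security_filter(event, keywords=SECURITY_KEYWORDS):
    """Assumed filter semantics: case-insensitive substring match against any keyword.
    Case-insensitivity matters: the post's keywords are lower case while the sample
    'Rejected password for user' event starts with a capital letter."""
    lower = event.lower()
    return any(k.lower() in lower for k in keywords)


def select_forwarded(events, keywords=SECURITY_KEYWORDS):
    """Return the subset of events the forwarder would send (what Step 6 should show)."""
    return [e for e in events if matches_security_filter(e, keywords)]


def to_syslog(event, hostname="loginsight", app="forwarder", tag=None):
    """Model of the forwarded message as RFC 5424 syslog (assumption about the wire format).
    A tag, if given, is placed in the structured-data element; 32473 is the IANA
    enterprise number reserved for documentation, so nothing here is product-specific."""
    sd = '[example@32473 tag="%s"]' % tag if tag else "-"
    return "<14>1 2024-01-10T08:20:06Z %s %s - - %s %s" % (hostname, app, sd, event)


# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|\[.*?\]) (.*)$")


def receiver_check(line, original_event):
    """The Step 8 validation a receiver should do: was the line received, is it well-formed
    syslog, and is the MSG part byte-for-byte the original event?"""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"received": True, "well_formed": False, "message_intact": False}
    return {"received": True, "well_formed": True, "message_intact": m.group(8) == original_event}


def naive_message(line):
    """A deliberately simplistic receiver that assumes seven space-separated header fields.
    With no tag this recovers the event; with a tag the structured-data element contains a
    space, so part of it leaks into the message. This models the Step 4 caveat that a tag can
    alter what the receiving end sees; it is an illustration, not any vendor's parser."""
    return line.split(" ", 7)[7]


if __name__ == "__main__":
    forwarded = select_forwarded(SAMPLE_EVENTS)
    print("Forwarded %d of %d events:" % (len(forwarded), len(SAMPLE_EVENTS)))
    for e in forwarded:
        print("  ", e)
    first = SAMPLE_EVENTS[0]
    for tag in (None, "security"):
        line = to_syslog(first, tag=tag)
        print("tag=%s strict parser: %s" % (tag, receiver_check(line, first)))
        print("tag=%s naive parser intact: %s" % (tag, naive_message(line) == first))
```

Note that the sshd "Session closed" line is not forwarded because none of the keywords appears in it; a keyword filter only catches the phrasings you list, which is exactly why Step 6 (checking the query output in Interactive Analytics) and Step 8 (checking content and format at the receiver) are worth doing every time you add a keyword or a tag.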
You are all set, and your SIEM solution should receive the events as vRealize Log Insight receives them. If you come across more events that need to be sent, simply log in to vRealize Log Insight, edit your destination, add the new keywords to the same text filter, and the newly identified events will be forwarded. Alternatively, you can clone the forwarder destination and send to another solution by changing the name and host IP in the cloned destination.
Happy Forwarding! And hope you find this information useful.