SIEM Integration

Using CEF Format for Audit Data

PrivX audit data can alternatively be formatted in the Common Event Format (CEF). Switching the audit logging to CEF may allow easier interoperability with some SIEM systems.

To switch the audit data format to CEF, edit the ​/opt/privx/etc/shared-config.toml​ file, setting the ​audit_event_format​​ parameter to the following:

audit_event_format = "cef"

Restart PrivX to apply the changes:

# systemctl restart privx

Logging CEF Audit Messages to External SIEM

To send CEF log messages to an external SIEM, edit the ​/etc/rsyslog.conf​​ file, and add the following:

# Send messages using rsyslog "forwarding output module".
# On network error, try to reconnect 100 times to avoid lost messages.
# Queue the messages.
local6.* action(type="omfwd" target="example.siem.net" port="1234" protocol="tcp"
            action.resumeRetryCount="100"
            queue.type="linkedList" queue.size="10000")

# Drop the local6 messages from default messages.
local6.none   /var/log/messages

Restart syslog to apply the changes:

# systemctl restart rsyslog

For more information on configuring rsyslog, see ​https://www.rsyslog.com/guides/​​

Logging CEF Audit Messages Internally

If you want to use the internal syslog service, add the following to the ​/etc/rsyslog.conf​​ file:

# Create a template for CEF messages.
template(name="SSH_CefFormat" type="string"
    string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n")

# Use the template for local6 (PrivX CEF logger uses that facility)
local6.*                                /var/log/ceflog;SSH_CefFormat

# Drop the local6 messages from default messages.
*.info;mail,authpriv,cron,local6.none   /var/log/messages

Restart syslog to apply the changes:

# systemctl restart rsyslog

Did this page help you?