SIEM Integration
Using CEF Format for Audit Data
PrivX audit data can alternatively be formatted in the Common Event Format (CEF). Switching the audit logging to CEF may allow easier interoperability with some SIEM systems.
To switch the audit data format to CEF, edit the /opt/privx/etc/shared-config.toml file, setting the audit_event_format parameter to the following:
audit_event_format = "cef"
Restart PrivX to apply the changes:
# systemctl restart privx
Logging CEF Audit Messages to External SIEM
To send CEF log messages to an external SIEM, edit the /etc/rsyslog.conf file, and add the following:
# Send messages using rsyslog "forwarding output module".
# On network error, try to reconnect 100 times to avoid lost messages.
# Queue the messages.
local6.* action(type="omfwd" target="example.siem.net" port="1234" protocol="tcp"
action.resumeRetryCount="100"
queue.type="linkedList" queue.size="10000")
# Drop the local6 messages from default messages: replace the existing
# "*.info;..." rule for /var/log/messages with this one, so that CEF events
# are not also written there. (A standalone "local6.none" rule would match
# nothing and leave the default rule unchanged.)
*.info;mail,authpriv,cron,local6.none /var/log/messages
Restart syslog to apply the changes:
# systemctl restart rsyslog
For more information on configuring rsyslog, see https://www.rsyslog.com/guides/
Logging CEF Audit Messages Internally
If you want to use the internal syslog service, add the following to the /etc/rsyslog.conf file:
# Create a template for CEF messages.
template(name="SSH_CefFormat" type="string"
string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n")
# Use the template for local6 (PrivX CEF logger uses that facility)
local6.* /var/log/ceflog;SSH_CefFormat
# Drop the local6 messages from default messages.
*.info;mail,authpriv,cron,local6.none /var/log/messages
Restart syslog to apply the changes:
# systemctl restart rsyslog
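To sanity-check what lands in /var/log/ceflog (or what the forwarded SIEM receives), here is an added Python parser for syslog lines in the SSH_CefFormat layout; it is example code, not part of PrivX or this guide, and the sample line, host name, syslog tag, vendor, event id and extension keys in it are constructed, not real PrivX output.

```python
import re
from typing import Dict, Tuple

# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|Event Class ID|Name|Severity|Extension
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "event_class_id", "name", "severity")
# An extension key is a run of [A-Za-z0-9_.] at the start or after whitespace, followed by '='.
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")

# Constructed sample in the SSH_CefFormat layout (timestamp, host, syslog tag, CEF message).
# Host, tag, vendor, event id and extension keys are illustrative, not real PrivX output.
SAMPLE_LINE = ("Mar  3 12:00:01 privx-host privx: CEF:0|SSH|PrivX|0.0|login-ok|User login succeeded|3|"
               "suser=alice src=192.0.2.10 msg=Login via web UI, MFA\\=ok outcome=success")


def _split_header(cef: str):
    """Split the text after 'CEF:' on unescaped '|' into 7 fields; returns (fields, raw extension)."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < len(HEADER_FIELDS):
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):   # '\|' and '\\' are the header escapes
            cur.append(cef[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return fields, cef[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Parse key=value pairs; values may contain spaces, with '=' and '\\' escaped as '\\=' and '\\\\'."""
    keys = list(_EXT_KEY.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = re.sub(r"\\([\\=])", r"\1", ext[m.end():end].strip())
    return out


def parse_cef(line: str) -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """Return (syslog prefix, header fields, extension fields) for one line, or raise ValueError."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    fields, ext = _split_header(line[start + 4:])
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("truncated CEF header: expected 7 '|'-separated fields")
    return line[:start].rstrip(), dict(zip(HEADER_FIELDS, fields)), _parse_extension(ext)


if __name__ == "__main__":
    prefix, header, ext = parse_cef(SAMPLE_LINE)
    print(prefix, header["event_class_id"], header["severity"], ext)
```

Feed it the lines of /var/log/ceflog to confirm the template emits one complete CEF record per line; a ValueError points at a line the template or forwarder has truncated.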