RSA NetWitness Logs

Event Source Log Configuration Guide

Imperva SecureSphere
Last Modified: Monday, May 22, 2017

Event Source Product Information:


Vendor: Imperva
Event Source: SecureSphere
Versions: Versions 6, 7, 8, 8.5, 9, 9.5, 10
Additional Downloads: Impervawaf.txt

RSA Product Information:


Supported On: NetWitness Suite 10.0 and later
Event Source Log Parser: impervawaf
Collection Method: Syslog
Event Source Class.Subclass: Security.Application Firewall


Configure Imperva SecureSphere
To configure Syslog collection for Imperva SecureSphere you must:

- Configure NetWitness Suite for Syslog Collection
- Configure Syslog Output on Imperva SecureSphere

Configure NetWitness Suite for Syslog Collection

Note: You only need to configure Syslog collection the first time that you set up an event source that uses Syslog to send its output to NetWitness.

You should configure either the Log Decoder or the Remote Log Collector for Syslog. You do not need to configure both.

To configure the Log Decoder for Syslog collection:


1. In the NetWitness menu, select Administration > Services.

2. In the Services grid, select a Log Decoder, and from the Actions menu, choose View > System.

3. Depending on the icon you see, do one of the following:

   - If you see [icon], click the icon to start capturing Syslog.
   - If you see [icon], you do not need to do anything; this Log Decoder is already capturing Syslog.

To configure the Remote Log Collector for Syslog collection:


1. In the NetWitness menu, select Administration > Services.

2. In the Services grid, select a Remote Log Collector, and from the Actions menu, choose View > Config > Event Sources.

3. Select Syslog/Config from the drop-down menu.
   The Event Categories panel displays the Syslog event sources that are configured, if any.

4. In the Event Categories panel toolbar, click +.
   The Available Event Source Types dialog is displayed.

5. Select either syslog-tcp or syslog-udp. You can set up either or both, depending on the needs of your organization.

6. Select the new type in the Event Categories panel and click + in the Sources panel toolbar.
   The Add Source dialog is displayed.

7. Enter 514 for the port, and select Enabled. Optionally, configure any of the Advanced parameters as necessary.
   Click OK to accept your changes and close the dialog box.

Once you configure one or both syslog types, the Log Decoder or Remote Log Collector collects those types of messages from all available event sources. So, you can continue to add Syslog event sources to your system without needing to do any further configuration in NetWitness.

Configure Syslog Output on Imperva SecureSphere

These instructions describe how to configure Imperva SecureSphere to communicate with the RSA NetWitness Suite.

To configure Imperva SecureSphere:


1. Connect to the SecureSphere web interface.

2. Select the Policies > Action Sets tab.

3. To set up Alerts monitoring, follow these steps:

a. Select Create New [icon].

Note: In version 10.0, select Create New [icon].

b. In the Name field, type Security Platform Alerts.

c. From the Apply to event type drop-down list, select Any Event Type.

d. Click Create.

e. Select the action set, Security Platform Alerts.

f. Move the Server System Log > Log to System Log (syslog) action from Available Action Interfaces to Selected Actions by clicking the green arrow next to the action.

g. Expand Selected Actions, and complete the fields as follows.

Field              Action
Name               Type: Security Platform Alerts.
Syslog Host        Enter the IP address of your RSA NetWitness Suite Log Decoder or Remote Log Collector.
Syslog Host Level  Type: Info.
Message            Copy and paste text from the impervawaf.txt file. Use the line below Security Alerts. This file is available on SCOL as an Additional Download.
Facility           Type: Syslog.

h. Select Run on Every Event.

i. Click Save.

4. To set up Events, follow these steps:

a. Select Create New [icon].

Note: In version 10.0, select Create New [icon].

b. In the Name field, type: Security Platform Events.

c. From the Apply to event type drop-down list, select System Events.

d. Click Create.

e. Select the action set, Security Platform Events.

f. Move the Server System Log > Log to System Log (syslog) action from Available Action Interfaces to Selected Actions by clicking the green arrow next to the action.

g. Expand Selected Actions, and complete the fields as follows.

Field              Value
Name               Type: Security Platform Events.
Syslog Host        Enter the IP address of your RSA NetWitness Suite Log Decoder or Remote Log Collector.
Syslog Host Level  Type: Info.
Message            Copy and paste text from the imperva.txt file. Use the line below Security Events.
Facility           Type: Syslog.

h. Select Run on Every Event.

i. Click Save.

5. To set up Database Activity Monitoring, follow these steps:

a. Select Create New [icon].

Note: In version 10.0, select Create New [icon].

b. In the Name field, type: Security Database Activity Monitoring

c. From the Apply to event type drop-down list, select Audit.

d. Click Create.

e. Select the action set, Security Database Activity Monitoring.

f. Move the Gateway Syslog > Log audit events to System Log (Gateway syslog) action from the Available Action Interfaces to the Selected Actions by clicking the green arrow next to the action.

g. Expand Gateway Syslog > Log audit events to System Log (Gateway syslog), and complete the fields as follows.

Field              Value
Name               Type: Security Database Activity Monitoring
Primary Host       Enter the IP address of your RSA NetWitness Suite Log Decoder or Remote Log Collector.
Primary Port       Type: 514
Syslog Host Level  Type: Info
Message            Copy and paste text from the imperva.txt file. Use the line below Security Database Activity Monitoring.
Facility           Type: Syslog

h. Click Save.

6. Click the Policies > Audit tab.

7. Select the External Logger tab for a particular policy that you want to apply the new action set.

8. Select the name of your newly created action set, Security Database Activity Monitoring, and click Save.
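
A quick check of the Syslog path configured above, as an added example that is not part of the RSA guide: it builds a test message with the facility and level used in the action sets and decodes the PRI of whatever arrives at a listener. Mapping the guide's Facility "Syslog" and Level "Info" to the standard syslog codes 5 and 6 is an assumption, as are all function names; the built-in self-test uses loopback only.

```python
import re
import socket

# Standard syslog codes (RFC 3164). Treating the guide's "Facility: Syslog" and
# "Level: Info" as facility 5 and severity 6 is an assumption of this example.
FACILITY_SYSLOG, SEVERITY_INFO = 5, 6
EXPECTED = (FACILITY_SYSLOG, SEVERITY_INFO)
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def build_test_message(tag="netwitness-test", text="syslog path check"):
    """Return a minimal syslog datagram with PRI = facility * 8 + severity."""
    pri = FACILITY_SYSLOG * 8 + SEVERITY_INFO
    return f"<{pri}>{tag}: {text}".encode("ascii")


def decode_pri(datagram):
    """Return (facility, severity) from a datagram, or None if no valid PRI."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        return None
    return divmod(int(m.group(1)), 8)


def send_udp(host, port=514, payload=None):
    """Send one test datagram to the Log Decoder or Remote Log Collector."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload or build_test_message(), (host, port))


def receive_one(sock, expected_source=None):
    """Read one datagram; report sender, decoded PRI, and both checks."""
    data, (src, _port) = sock.recvfrom(8192)
    pri = decode_pri(data)
    return {
        "source": src,
        "pri": pri,
        "settings_ok": pri == EXPECTED,
        "source_ok": expected_source is None or src == expected_source,
    }


if __name__ == "__main__":
    # Loopback self-test on an unprivileged port; no NetWitness host is contacted.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(2)
        send_udp("127.0.0.1", listener.getsockname()[1])
        print(receive_one(listener, expected_source="127.0.0.1"))
```

To exercise a real collector, call send_udp with the Log Decoder or Remote Log Collector address on port 514 and confirm that the event appears in NetWitness.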

Copyright 2017 EMC Corporation. All Rights Reserved.

Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners.
