
SIEM integration

O.S.: CentOS 8

Dependencies

[centos@ip-10-0-0-207 ]$ sudo yum update
[centos@ip-10-0-0-207 ]$ sudo yum install python36
[centos@ip-10-0-0-207 ]$ sudo yum install gcc
[centos@ip-10-0-0-207 ]$ sudo yum install platform-python-devel   # CentOS 8
[centos@ip-10-0-0-207 ]$ sudo yum install python3-devel           # CentOS 7
[centos@ip-10-0-0-207 ]$ sudo pip3 install pycrypto
[centos@ip-10-0-0-207 ]$ sudo yum install openssl-devel
[centos@ip-10-0-0-207 ]$ sudo yum install swig
[centos@ip-10-0-0-207 ]$ sudo pip3 install M2Crypto
[centos@ip-10-0-0-207 ]$ sudo pip3 install urllib3                # CentOS 7

Download script

[centos@ip-10-0-0-207 ]$ sudo yum install wget
[centos@ip-10-0-0-207 ]$ wget https://github.com/imperva/incapsula-logs-downloader/archive/refs/heads/master.zip
[centos@ip-10-0-0-207 ]$ sudo yum install unzip
[centos@ip-10-0-0-207 ]$ unzip master.zip
[centos@ip-10-0-0-207 ]$ cd incapsula-logs-downloader-master/
[centos@ip-10-0-0-207 ]$ sudo vi config/Settings.Config

Script configuration

[SETTINGS]
APIID=1234
APIKEY=XXXX-XXX-4b15-b323-af3fb1245af9
SAVE_LOCALLY=YES
PROCESS_DIR= /tmp/processed/
BASEURL=https://logs1.incapsula.com/8502_1824662/
USEPROXY=NO
PROXYSERVER=
SYSLOG_ENABLE=NO
SYSLOG_ADDRESS=
SYSLOG_PORT=
SYSLOG_PROTO=TCP
USE_CUSTOM_CA_FILE=YES
CUSTOM_CA_FILE=/home/centos/incapsula-logs-downloader-master/cert/mycertfile.pem

Run the Script

[centos@ip-10-0-0-207 ]$ sudo python3 /home/centos/incapsula-logs-downloader-master/script/LogsDownloader.py -c /home/centos/incapsula-logs-downloader-master/config

How to download the root CA cert (Firefox)

Click on the padlock
Click on More Information
Click on View Certificate
Click on the Root CA
Click on the PEM (cert) link to download it

How to create a Service

First create a shell script, startIncapsula.sh, under /usr/bin containing the single line below:

python3 /home/centos/incapsula-logs-downloader-master/script/LogsDownloader.py -c /home/centos/incapsula-logs-downloader-master/config

Then make a unit file called incapsula.service under /lib/systemd/system:

[Unit]
Description=Incapsula WAF log download systemd service.
[Service]
Type=simple
ExecStart=/bin/bash /usr/bin/startIncapsula.sh
[Install]
WantedBy=multi-user.target

Copy this service file to /etc/systemd/system and make sure its mode is 644.

Start/Stop the service

systemctl start incapsula
systemctl stop incapsula
systemctl status incapsula

Start the service when the system boots:

systemctl enable incapsula


Parameter            Value

APIID                Your API ID.

APIKEY               Your API key.

SAVE_LOCALLY         A Yes or No value that instructs Incapsula whether to maintain
                     the log files after they are processed. When set to No, the
                     files are deleted. The default is YES.

PROCESS_DIR          The directory where Incapsula automatically saves the logs
                     after extracting them. The default is /tmp/processed/

BASEURL              The URL of your logs repository in the Incapsula cloud. This
                     URL is displayed in the Incapsula Administration Console
                     Settings window as the Log Server URL field.

USEPROXY             Specify YES to use a proxy to download the files. The default
                     is NO.

PROXYSERVER          If you choose to use a proxy server, type the proxy URL in the
                     https://1.1.1.1:8080 format.

SYSLOG_ENABLE        Type YES. A Yes or No value that instructs Incapsula whether
                     to send the files by using syslog. The default is YES.

SYSLOG_ADDRESS       The IP address for the SIEM.

SYSLOG_PORT          514

USE_CUSTOM_CA_FILE   In case the service's certificate is not in the bundle. The
                     default is NO.

CUSTOM_CA_FILE       The file path for the custom certificate file.
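A check for the Settings.Config described in the table above, added here as an example (it is not part of the Imperva downloader): it parses the file the way the script's config reader would and reports the combinations the table warns about, such as SYSLOG_ENABLE=YES with no SYSLOG_ADDRESS, a placeholder API key, a malformed PROXYSERVER URL, or a CUSTOM_CA_FILE that is not on disk. The sample config, the check_settings function and its path_exists hook are constructed for this page.

```python
import configparser
import os
from urllib.parse import urlparse

# Constructed sample based on the Settings.Config shown above; SYSLOG_ENABLE=YES
# is set with an empty SYSLOG_ADDRESS and the key is left as a placeholder on purpose.
SAMPLE_CONFIG = """[SETTINGS]
APIID=1234
APIKEY=XXXX-XXX-4b15-b323-af3fb1245af9
SAVE_LOCALLY=YES
PROCESS_DIR= /tmp/processed/
BASEURL=https://logs1.incapsula.com/8502_1824662/
USEPROXY=NO
SYSLOG_ENABLE=YES
SYSLOG_ADDRESS=
SYSLOG_PORT=514
USE_CUSTOM_CA_FILE=YES
CUSTOM_CA_FILE=/home/centos/incapsula-logs-downloader-master/cert/mycertfile.pem
"""

def check_settings(text, path_exists=os.path.exists):
    """Return the problems found in a Settings.Config body (empty list = OK).
    path_exists is injectable so the check can run without the real CA file."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep keys exactly as written (upper case)
    cp.read_string(text)
    if not cp.has_section("SETTINGS"):
        return ["missing [SETTINGS] section"]
    s = cp["SETTINGS"]
    get = lambda k: s.get(k, "").strip()  # configparser already trims the stray space in PROCESS_DIR
    problems = [f"{k} is empty" for k in ("APIID", "APIKEY", "BASEURL", "PROCESS_DIR") if not get(k)]
    problems += [f"{k} must be YES or NO" for k in
                 ("SAVE_LOCALLY", "USEPROXY", "SYSLOG_ENABLE", "USE_CUSTOM_CA_FILE")
                 if get(k).upper() not in ("YES", "NO")]
    if get("APIKEY").startswith("XXXX"):
        problems.append("APIKEY still holds the placeholder value")
    if urlparse(get("BASEURL")).scheme != "https":
        problems.append("BASEURL must be an https URL")
    if get("USEPROXY").upper() == "YES":
        p = urlparse(get("PROXYSERVER"))
        if p.scheme not in ("http", "https") or not p.hostname or not p.port:
            problems.append("PROXYSERVER must use the https://1.1.1.1:8080 format")
    if get("SYSLOG_ENABLE").upper() == "YES":
        if not get("SYSLOG_ADDRESS"):
            problems.append("SYSLOG_ENABLE=YES but SYSLOG_ADDRESS is empty")
        if not get("SYSLOG_PORT").isdigit():
            problems.append("SYSLOG_PORT must be a port number such as 514")
    if get("USE_CUSTOM_CA_FILE").upper() == "YES" and not path_exists(get("CUSTOM_CA_FILE")):
        problems.append("CUSTOM_CA_FILE does not exist: " + get("CUSTOM_CA_FILE"))
    return problems
```

Run it against the real file with check_settings(open("config/Settings.Config").read()) before starting the service; an empty list means every combination above is consistent.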
